[
https://issues.apache.org/jira/browse/DIRMINA-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Peter Palaga resolved DIRMINA-1067.
-----------------------------------
Resolution: Not A Bug
Thanks for looking at this and for the hint that the IBM JVM could cache the
results of the TrustManager queries, [~elecharny]. Although, I have not got a
100% certainty that IBM is really doing that, having tried intercepting the
communication pipe earlier in {{SSLEngine}}, I was able to observe consistent
behavior between IBM and Oracle/OpenJDK JVMs, which effectivelly means that
this neither a bug in Apache Mina nor a bug in any of the JVMs.
So, for others, who might be interested in how to check/test what SSL certs an
LDAP client is sending, this an approach that worked for me: Have a custom
{{LdapsInitializer}} in your test class path that replaces the default
{{LdapsInitializer}} delivered by ApacheDS. In that {{LdapsInitializer}},
create an install an {{SSLFilter}} with a a custom {{SSLContext}}. The custom
{{SSLContext}} produces a custom {{SSLEngine}} where we watch all {{wrap()}}
and {{unwrap()}} methods. As soon as any of the {{wrap()}} and {{unwrap()}}
methods returns {{HandshakeStatus.FINISHED}}, we call
{{getSession().getPeerCertificateChain()}} and check if the cert chain is as
expected. Here is my code: https://github.com/wildfly/wildfly/pull/10209
> checkClientTrusted() invoked just once on IBM JRE
> -------------------------------------------------
>
> Key: DIRMINA-1067
> URL: https://issues.apache.org/jira/browse/DIRMINA-1067
> Project: MINA
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.0.16
> Reporter: Peter Palaga
>
> When we set up a test in which a client connects to the server three times
> using TLS with a client cert, then on OracleJDK and OpenJDK the
> {{org.apache.mina.filter.ssl.SslClientCertTest.TrustAndStoreTrustManager.checkClientTrusted(X509Certificate[],
> String)}} method is invoked three times, while on IBM JDK, the same method
> is invoked only once.
> I kindly ask for an explanation why this happens. I am not an expert in TLS
> and therefore I am not able to tell whether this is a bug in Mina, any of the
> JDKs, both or none.
> Steps to reproduce:
> (1) Prepare
> {code}
> git fetch https://github.com/ppalaga/mina.git
> refs/heads/DIRMINA-1067:DIRMINA-1067
> git checkout DIRMINA-1067
> mvn clean install -DskipTests
> {code}
> (2) Test with Oracle JDK or OpenJDK which both work as expected.
> {code}
> export JAVA_HOME=/path/to/OracleJDK # change this
> $JAVA_HOME/bin/java -version
> java version "1.8.0_121"
> Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
> mvn test -Dtest=SslClientCertTest
> ...
> Running org.apache.mina.filter.ssl.SslClientCertTest
> [22:04:18] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing
> certs
> [22:04:19] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert
> CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> [22:04:20] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert
> CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> [22:04:22] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert
> CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 5.032 sec -
> in org.apache.mina.filter.ssl.SslClientCertTest
> {code}
> Note that {{Adding cert ...}} appears three times in the log
> (3) Test with IBM JDK
> {code}
> export JAVA_HOME=/path/to/IBMJDK
> $JAVA_HOME/bin/java -version
> java version "1.8.0"
> Java(TM) SE Runtime Environment (build pxa6480sr3fp12-20160919_01(SR3 FP12))
> IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References
> 20160915_318796 (JIT enabled, AOT enabled)
> J9VM - R28_Java8_SR3_20160915_0912_B318796
> JIT - tr.r14.java.green_20160818_122998
> GC - R28_Java8_SR3_20160915_0912_B318796_CMPRSS
> J9CL - 20160915_318796)
> JCL - 20160914_01 based on Oracle jdk8u101-b13
> mvn surefire:test -Dtest=SslClientCertTest
> ...
> Running org.apache.mina.filter.ssl.SslClientCertTest
> [22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing
> certs
> [22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert
> CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 5.5 sec <<<
> FAILURE! - in org.apache.mina.filter.ssl.SslClientCertTest
> testClientCerts(org.apache.mina.filter.ssl.SslClientCertTest) Time elapsed:
> 5.412 sec <<< FAILURE!
> java.lang.AssertionError: expected:<3> but was:<1>
> {code}
> Expected: {{testClientCerts}} should pass
> Actual: {{testClientCerts}} fails
> Background: I took ApacheDS to check that our LDAP client code in WildFly is
> sending the client certs properly, but the results on Oracle vs IBM were
> inconsistent. The code there https://github.com/wildfly/wildfly/pull/9961
> does basically the same thing as the reproducer of the current issue
> https://github.com/apache/mina/pull/12
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
