[https://issues.apache.org/jira/browse/CASSANDRA-21441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18087713#comment-18087713]
Dmitry Konstantinov commented on CASSANDRA-21441:
-------------------------------------------------
Changes in keystores:
h2. SSL Test Certificate Regeneration — Before/After Comparison
Certificates in {{test/conf/}} were regenerated to fix TLS handshake failures on JDK builds where {{TLS_RSA_*}} cipher suites are disabled by default in {{jdk.tls.disabledAlgorithms}}.
Changed in all files:
* Validity extended from an expired 90-day window (2016) to 100 years
* SANs added: {{DNS:localhost}}, {{IP:127.0.0.1}}, {{IP:127.0.0.2}}, {{IP:127.0.0.3}}
* Serial numbers regenerated (new key pair)
Unchanged in all files: Subject DN, Issuer DN, Signature algorithm (SHA256withRSA), Public key (RSA 2048-bit), PEM key encryption (pbeWithSHA1And3-KeyTripleDES-CBC).
----
h3. cassandra_ssl_test.keystore (JKS, alias: cassandra_ssl_test)
||Parameter||Old||New||Changed||
|Entry type|PrivateKeyEntry|PrivateKeyEntry| |
|Subject DN|{{CN=Apache Cassandra, OU=ssl_testing, O=Unknown, L=Unknown, ST=Unknown, C=Unknown}}|same| |
|Issuer DN|same as subject (self-signed)|same| |
|*Serial number*|{{0x4f11f924}}|{{0x1507228f95520fe696523ae9ad3a6bf446ade688}}|*YES*|
|*Not Before*|Mar 18 21:28:02 2016|Jun 09 12:14:53 2026|*YES*|
|*Not After*|Jun 16 21:28:02 2016 _(expired)_|May 16 12:14:53 2126 _(+100 years)_|*YES*|
|Signature algorithm|SHA256withRSA|SHA256withRSA| |
|Public key|RSA 2048-bit|RSA 2048-bit| |
|*SANs*|_(none)_|{{DNS:localhost, IP:127.0.0.1, IP:127.0.0.2, IP:127.0.0.3}}|*YES*|
|*Private key*|original|regenerated (same algorithm/size)|*YES*|
----
h3. cassandra_ssl_test_nopassword.keystore (PKCS12, alias: 1)
||Parameter||Old||New||Changed||
|Entry type|PrivateKeyEntry|PrivateKeyEntry| |
|Subject DN|{{CN=Apache Cassandra, OU=ssl_testing, O=Unknown, L=Unknown, ST=Unknown, C=Unknown}}|same| |
|Issuer DN|same as subject (self-signed)|same| |
|*Serial number*|{{0x4f11f924}}|{{0x1507228f95520fe696523ae9ad3a6bf446ade688}}|*YES*|
|*Not Before*|Mar 18 21:28:02 2016|Jun 09 12:14:53 2026|*YES*|
|*Not After*|Jun 16 21:28:02 2016 _(expired)_|May 16 12:14:53 2126 _(+100 years)_|*YES*|
|Signature algorithm|SHA256withRSA|SHA256withRSA| |
|Public key|RSA 2048-bit|RSA 2048-bit| |
|*SANs*|_(none)_|{{DNS:localhost, IP:127.0.0.1, IP:127.0.0.2, IP:127.0.0.3}}|*YES*|
|Store password|_(empty)_|_(empty)_| |
|*Private key*|original|regenerated (same algorithm/size)|*YES*|
----
h3. cassandra_ssl_test.keystore.pem (PEM — encrypted private key + certificate)
||Parameter||Old||New||Changed||
|Key header|{{BEGIN ENCRYPTED PRIVATE KEY}}|{{BEGIN ENCRYPTED PRIVATE KEY}}| |
|Key encryption|{{pbeWithSHA1And3-KeyTripleDES-CBC}}|{{pbeWithSHA1And3-KeyTripleDES-CBC}}| |
|Key password|{{cassandra}}|{{cassandra}}| |
|Key algorithm|RSA|RSA| |
|Key size|2048-bit|2048-bit| |
|Subject DN|{{CN=Apache Cassandra, OU=ssl_testing, O=Unknown, L=Unknown, ST=Unknown, C=Unknown}}|same| |
|Issuer DN|same as subject (self-signed)|same| |
|*Serial number*|{{0x4f11f924}}|_(omitted by generator)_|*YES*|
|*Not Before*|Mar 18 21:28:02 2016|Jun 09 12:14:53 2026|*YES*|
|*Not After*|Jun 16 21:28:02 2016 _(expired)_|May 16 12:14:53 2126 _(+100 years)_|*YES*|
|Signature algorithm|SHA256withRSA|SHA256withRSA| |
|*SANs*|_(none)_|{{DNS:localhost, IP:127.0.0.1, IP:127.0.0.2, IP:127.0.0.3}}|*YES*|
----
h3. cassandra_ssl_test.unencrypted_keystore.pem (PEM — unencrypted private key + certificate)
||Parameter||Old||New||Changed||
|Key header|{{BEGIN PRIVATE KEY}} (PKCS#8 unencrypted)|{{BEGIN PRIVATE KEY}} (PKCS#8 unencrypted)| |
|Key algorithm|RSA|RSA| |
|Key size|2048-bit|2048-bit| |
|Subject DN|{{CN=Apache Cassandra, OU=ssl_testing, O=Unknown, L=Unknown, ST=Unknown, C=Unknown}}|same| |
|Issuer DN|same as subject (self-signed)|same| |
|*Serial number*|{{0x4f11f924}}|_(omitted by generator)_|*YES*|
|*Not Before*|Mar 18 21:28:02 2016|Jun 09 12:14:53 2026|*YES*|
|*Not After*|Jun 16 21:28:02 2016 _(expired)_|May 16 12:14:53 2126 _(+100 years)_|*YES*|
|Signature algorithm|SHA256withRSA|SHA256withRSA| |
|*SANs*|_(none)_|{{DNS:localhost, IP:127.0.0.1, IP:127.0.0.2, IP:127.0.0.3}}|*YES*|
----
h3. cassandra_ssl_test.truststore (JKS) — cassandra_ssl_test entry only
Other entries ({{mykey}}, {{outbound_key}}, {{spiffecert}}, {{spiffe_certificate}}) are unchanged.
||Parameter||Old||New||Changed||
|Entry type|trustedCertEntry|trustedCertEntry| |
|Subject DN|{{CN=Apache Cassandra, OU=ssl_testing, O=Unknown, L=Unknown, ST=Unknown, C=Unknown}}|same| |
|Issuer DN|same as subject (self-signed)|same| |
|*Serial number*|{{0x4f11f924}}|{{0x1507228f95520fe696523ae9ad3a6bf446ade688}}|*YES*|
|*Not Before*|Mar 18 21:28:02 2016|Jun 09 12:14:53 2026|*YES*|
|*Not After*|Jun 16 21:28:02 2016 _(expired)_|May 16 12:14:53 2126 _(+100 years)_|*YES*|
|Signature algorithm|SHA256withRSA|SHA256withRSA| |
|Public key|RSA 2048-bit|RSA 2048-bit| |
|*SANs*|_(none)_|{{DNS:localhost, IP:127.0.0.1, IP:127.0.0.2, IP:127.0.0.3}}|*YES*|
----
h3. cassandra_ssl_test.truststore.pem (PEM — certificate only)
||Parameter||Old||New||Changed||
|Subject DN|{{CN=Apache Cassandra, OU=ssl_testing, O=Unknown, L=Unknown, ST=Unknown, C=Unknown}}|same| |
|Issuer DN|same as subject (self-signed)|same| |
|*Serial number*|{{0x4f11f924}}|_(omitted by generator)_|*YES*|
|*Not Before*|Mar 18 21:28:02 2016|Jun 09 12:14:53 2026|*YES*|
|*Not After*|Jun 16 21:28:02 2016 _(expired)_|May 16 12:14:53 2126 _(+100 years)_|*YES*|
|Signature algorithm|SHA256withRSA|SHA256withRSA| |
|Public key|RSA 2048-bit|RSA 2048-bit| |
|*SANs*|_(none)_|{{DNS:localhost, IP:127.0.0.1, IP:127.0.0.2, IP:127.0.0.3}}|*YES*|
> TLS/SSL related tests are failing
> ---------------------------------
>
> Key: CASSANDRA-21441
> URL: https://issues.apache.org/jira/browse/CASSANDRA-21441
> Project: Apache Cassandra
> Issue Type: Bug
> Components: Test/unit
> Reporter: Dmitry Konstantinov
> Assignee: Dmitry Konstantinov
> Priority: Normal
> Time Spent: 20m
> Remaining Estimate: 0h
>
> A set of TLS-related tests has started to fail in trunk on ci and pre-ci:
> Tests / dtest-latest jdk17 16/64 / dtest-latest.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest-latest jdk21 16/64 / dtest-latest.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest-latest jdk11 16/64 / dtest-latest.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest-latest jdk21 17/64 / dtest-latest.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / dtest-latest jdk17 17/64 / dtest-latest.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / dtest-latest jdk11 17/64 / dtest-latest.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / dtest-novnode jdk11 22/64 / dtest-novnode.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest-novnode jdk21 22/64 / dtest-novnode.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest-novnode jdk17 22/64 / dtest-novnode.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest-novnode jdk21 23/64 / dtest-novnode.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / dtest-novnode jdk17 23/64 / dtest-novnode.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / dtest-novnode jdk11 23/64 / dtest-novnode.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / dtest jdk11 16/64 / dtest.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest jdk17 16/64 / dtest.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest jdk21 16/64 / dtest.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest jdk17 17/64 / dtest.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / dtest jdk11 17/64 / dtest.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / dtest jdk21 17/64 / dtest.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / jvm-dtest jdk11 7/16 / org.apache.cassandra.distributed.test.SSTableLoaderEncryptionOptionsTest.bulkLoaderSuccessfullyStreamsOverSsl-_jdk11_x86_64
> Tests / jvm-dtest jdk17 7/16 / org.apache.cassandra.distributed.test.SSTableLoaderEncryptionOptionsTest.bulkLoaderSuccessfullyStreamsOverSsl-_jdk17_x86_64
> Tests / jvm-dtest jdk21 7/16 / org.apache.cassandra.distributed.test.SSTableLoaderEncryptionOptionsTest.bulkLoaderSuccessfullyStreamsOverSsl-_jdk21_x86_64
> Tests / jvm-dtest jdk17 13/16 / org.apache.cassandra.distributed.test.auth.AuthAuditLoggingTest.testMutualTlsAuthenticationFailedWithUntrustedCertificate-_jdk17_x86_64
> Tests / jvm-dtest jdk21 13/16 / org.apache.cassandra.distributed.test.auth.AuthAuditLoggingTest.testMutualTlsAuthenticationFailedWithUntrustedCertificate-_jdk21_x86_64
> Tests / jvm-dtest jdk11 2/16 / org.apache.cassandra.distributed.test.jmx.JMXSslConfigDistributedTest.testSystemSettings-_jdk11_x86_64
> Tests / jvm-dtest jdk17 2/16 / org.apache.cassandra.distributed.test.jmx.JMXSslConfigDistributedTest.testSystemSettings-_jdk17_x86_64
> Tests / jvm-dtest jdk21 2/16 / org.apache.cassandra.distributed.test.jmx.JMXSslConfigDistributedTest.testSystemSettings-_jdk21_x86_64
> Example: https://ci-cassandra.apache.org/job/Cassandra-trunk/2506/testReport/j
> Test errors include:
> {code}
> Caused by: java.security.cert.CertificateException: No name matching localhost found
> at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:234)
> at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)
> at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:467)
> at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:433)
> at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:238)
> at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
> at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1278)
> ... 36 more
> {code}
> {code}
> Caused by: java.security.cert.CertificateException: No subject alternative names present
> at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)
> at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:101)
> at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:461)
> at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:435)
> at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
> at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1350)
> {code}
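Added illustration, not part of the issue, the comment, or the Cassandra code base: the Python below models the identity decisions the JDK's HostnameChecker makes, so the two errors quoted in the issue can be reproduced against the old test certificate (no SANs, subject CN "Apache Cassandra") and shown to clear with the SAN list from the comparison tables. It takes certificate identity fields as plain values rather than parsing a real X.509 certificate; the function names (parse_san_list, match_hostname, check) and the OLD_CERT / NEW_CERT records are the example's own constructions.

```python
from __future__ import annotations

import ipaddress
from typing import Optional

# GeneralName tags from RFC 5280 for the two subjectAltName kinds used here.
DNS_NAME = 2
IP_ADDRESS = 7


class CertificateException(Exception):
    """Stands in for java.security.cert.CertificateException."""


def parse_san_list(text: str) -> list[tuple[int, str]]:
    """Parse the 'DNS:localhost, IP:127.0.0.1' notation into (tag, value) pairs."""
    tags = {"DNS": DNS_NAME, "IP": IP_ADDRESS}
    sans = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        kind, value = item.split(":", 1)  # split once: IPv6 values contain colons
        sans.append((tags[kind.strip().upper()], value.strip()))
    return sans


def _dns_match(pattern: str, name: str) -> bool:
    """Case-insensitive dNSName match; a single leading '*.' label may match one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    n_labels = name.lower().rstrip(".").split(".")
    if p_labels == n_labels:
        return True
    return (p_labels[0] == "*" and len(p_labels) >= 3
            and len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:])


def match_hostname(expected: str, sans: list[tuple[int, str]], subject_cn: Optional[str]) -> None:
    """Raise CertificateException unless the certificate identity covers `expected`.

    Rules mirrored from the JDK behaviour visible in the stack traces:
    - an IP literal is matched only against iPAddress SANs, with no CN fallback;
    - a DNS name is matched against dNSName SANs, and the subject CN is consulted
      only when the certificate carries no dNSName SAN at all.
    """
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None

    if ip is not None:
        if not sans:
            raise CertificateException("No subject alternative names present")
        for tag, value in sans:
            if tag == IP_ADDRESS and ipaddress.ip_address(value) == ip:
                return
        raise CertificateException(
            f"No subject alternative names matching IP address {expected} found")

    dns_sans = [value for tag, value in sans if tag == DNS_NAME]
    if any(_dns_match(value, expected) for value in dns_sans):
        return
    if not dns_sans and subject_cn is not None and _dns_match(subject_cn, expected):
        return
    raise CertificateException(f"No name matching {expected} found")


# Constructed identities mirroring the old and new cassandra_ssl_test certificates.
OLD_CERT = {"cn": "Apache Cassandra", "sans": []}
NEW_CERT = {"cn": "Apache Cassandra",
            "sans": parse_san_list("DNS:localhost, IP:127.0.0.1, IP:127.0.0.2, IP:127.0.0.3")}


def check(cert: dict, host: str) -> Optional[str]:
    """Return None when the identity check passes, else the exception message."""
    try:
        match_hostname(host, cert["sans"], cert["cn"])
        return None
    except CertificateException as exc:
        return str(exc)


if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        for host in ("localhost", "127.0.0.1", "127.0.0.3", "127.0.0.4", "node1.example.test"):
            print(f"{label:3} {host:20} -> {check(cert, host) or 'OK'}")
```

The old certificate fails both ways the traces show: a DNS peer name falls back to the CN, which is "Apache Cassandra" and so never matches "localhost", and an IP peer name has no iPAddress SAN to compare against at all. The regenerated certificate passes for localhost and the three loopback addresses, while any other peer name (an IP outside the list, or another host name) still fails, which is the behaviour a test certificate should keep.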
--
This message was sent by Atlassian Jira (v8.20.10#820010)