[
https://issues.apache.org/jira/browse/SOLR-12988?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hoss Man resolved SOLR-12988.
-----------------------------
Resolution: Workaround
With the jenkins servers upgraded, and the new SSLTestConfig assumptions in
place i haven't seen any (obvious) signs of any other openJDK related SSL bugs
in the solr tests ... if more are identified we can update the issue
description to list them here.
I've also created SOLR-13594 to track the (eventual) need to enable SSL testing
on java-13-ea once the known bugs are addressed (but fortunately, the way the
supression logic is implemented, it explicitly checks for "ea" bbuilds ... so
even if we never get a chance to proactively test on future java-13-ea builds,
once java-13 final comes out, the tests _will_ try SSL on them automatically)
> Known OpenJDK >= 11 SSL (TLSv1.3) bugs can cause problems with Solr
> -------------------------------------------------------------------
>
> Key: SOLR-12988
> URL: https://issues.apache.org/jira/browse/SOLR-12988
> Project: Solr
> Issue Type: Test
> Reporter: Hoss Man
> Assignee: Cao Manh Dat
> Priority: Major
> Labels: Java11, Java12, Java13
> Attachments: SOLR-12988.patch, SOLR-12988.patch, SOLR-12988.patch,
> SOLR-13413.patch
>
>
> There are several known OpenJDK JVM bugs (begining with Java11, when TLS v1.3
> support was first added) that are known to affect Solr's SSL support, and
> have caused numerous test failures -- notably early "testing" builds of
> OpenJDK 11, 12, & 13, as well as the officially released OpenJDK 11, 11.0.1,
> and 11.0.2.
> From the standpoint of the Solr project, there is very little we can do to
> mitigate these bugs, and have taken steps to ensure any code using our
> {{SSLTestConfig}} / {{RandomizeSSL}} test-framework classes will be "SKIPed"
> with an {{AssumptionViolatedException}} when used on JVMs that are known to
> be problematic.
> Users who encounter any of the types of failures described below, or
> developers who encounter test runs that "SKIP" with a message refering to
> this issue ID, are encouraged to Upgrade their JVM. (or as a last resort: try
> disabling "TLSv1.3" in your JVM security properties)
> ----
> Examples of known bugs as they have manifested in Solr tests...
> * https://bugs.openjdk.java.net/browse/JDK-8212885
> ** "TLS 1.3 resumed session does not retain peer certificate chain"
> ** affects users with {{checkPeerNames=true}} in your SSL configuration
> ** causes 100% failure rate in Solr's
> {{TestMiniSolrCloudClusterSSL.testSslWithCheckPeerName}}
> ** can result in exceptions for SolrJ users, or in solr cloud server logs
> when making intra-node requests, with a root cause of
> "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated"
> ** {noformat}
> [junit4] 2> Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer
> not authenticated
> [junit4] 2> at
> java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:526)
> [junit4] 2> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:464)
> [junit4] 2> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
> [junit4] 2> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
> [junit4] 2> at
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
> [junit4] 2> at
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
> [junit4] 2> at
> org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
> [junit4] 2> at
> org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
> [junit4] 2> at
> org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
> [junit4] 2> at
> org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
> [junit4] 2> at
> org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
> [junit4] 2> at
> org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
> [junit4] 2> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
> [junit4] 2> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
> [junit4] 2> at
> org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:542)
> {noformat}
> * https://bugs.openjdk.java.net/browse/JDK-8213202
> ** "Possible race condition in TLS 1.3 session resumption"
> ** May affect any and all Solr SSL users, although noted only in tests when
> "clientAuth" was configured to be false
> ** Causes non-reproducing test failures, and sporadic end user exceptions
> with a root cause of "javax.net.ssl.SSLException: Received fatal alert:
> internal_error "
> ** SSL Debugging may indicate "Fatal (INTERNAL_ERROR): Session has no PSK"
> ** {noformat}
> [junit4] 2> Caused by: javax.net.ssl.SSLException: Received fatal alert:
> internal_error
> [junit4] 2> at
> sun.security.ssl.Alert.createSSLException(Alert.java:129) ~[?:?]
> [junit4] 2> at
> sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
> [junit4] 2> at
> sun.security.ssl.TransportContext.fatal(TransportContext.java:308) ~[?:?]
> [junit4] 2> at
> sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279) ~[?:?]
> [junit4] 2> at
> sun.security.ssl.TransportContext.dispatch(TransportContext.java:181) ~[?:?]
> [junit4] 2> at
> sun.security.ssl.SSLTransport.decode(SSLTransport.java:164) ~[?:?]
> [junit4] 2> at
> sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152) ~[?:?]
> [junit4] 2> at
> sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
> ~[?:?]
> [junit4] 2> at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402) ~[?:?]
> [junit4] 2> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
> ~[httpclient-4.5.6.jar:4.5.6]
> [junit4] 2> at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
> ~[httpclient-4.5.6.jar:4.5.6]
> [junit4] 2> at
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
> ~[httpclient-4.5.6.jar:4.5.6]
> [junit4] 2> at
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
> ~[httpclient-4.5.6.jar:4.5.6]
> [junit4] 2> at
> org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
> ~[httpclient-4.5.6.jar:4.5.6]
> [junit4] 2> at
> org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
> ~[httpclient-4.5.6.jar:4.5.6]
> [junit4] 2> at
> org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
> ~[httpclient-4.5.6.jar:4.5.6]
> [junit4] 2> at
> org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
> ~[httpclient-4.5.6.jar:4.5.6]
> [junit4] 2> at
> org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
> ~[httpclient-4.5.6.jar:4.5.6]
> [junit4] 2> at
> org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
> ~[httpclient-4.5.6.jar:4.5.6]
> [junit4] 2> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
> ~[httpclient-4.5.6.jar:4.5.6]
> [junit4] 2> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
> ~[httpclient-4.5.6.jar:4.5.6]
> [junit4] 2> at
> org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:555)
> ~[java/:?]
> [junit4] 2> ... 13 more
> {noformat}
> * https://bugs.openjdk.java.net/browse/JDK-8224829
> ** "AsyncSSLSocketClose.java has timing issue"
> ** May affect any and all Solr SSL users running early testing versions of
> java 13 or 14.
> ** Causes non-reproducing test failures, and sporadic end user exceptions
> with a root cause of "javax.net.ssl.SSLException: Software caused connection
> abort: recv failed"
> ** {noformat}
> javax.net.ssl.SSLException: Software caused connection abort: recv failed
> at
> __randomizedtesting.SeedInfo.seed([AA73C7E858ABD2EE:88D2A395FDC7B4AB]:0)
> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:127)
> at
> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
> at
> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
> at
> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
> at
> java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1501)
> at
> java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:935)
> at
> org.apache.http.impl.io.SessionInputBufferImpl.streamRead(SessionInputBufferImpl.java:137)
> at
> org.apache.http.impl.io.SessionInputBufferImpl.fillBuffer(SessionInputBufferImpl.java:153)
> at
> org.apache.http.impl.io.SessionInputBufferImpl.readLine(SessionInputBufferImpl.java:282)
> at
> org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:138)
> at
> org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:56)
> at
> org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:259)
> at
> org.apache.http.impl.DefaultBHttpClientConnection.receiveResponseHeader(DefaultBHttpClientConnection.java:163)
> at
> org.apache.http.impl.conn.CPoolProxy.receiveResponseHeader(CPoolProxy.java:165)
> at
> org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:273)
> at
> org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:125)
> at
> org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:272)
> at
> org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
> at
> org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
> at
> org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
> {noformat}
> * https://bugs.openjdk.java.net/browse/JDK-8226338
> ** "Updates to Stateless Resumption"
> ** May affect any and all Solr SSL servers running early testing or EA builds
> of java 13 or 14
> ** Causes reliably reproducing test failures, and Solr server exceptions with
> a root cause of "java.lang.NullPointerException" in
> "java.base/sun.security.ssl.SSLSessionImpl.getValue" (or other "Value"
> related methods in SSLSessionImpl)
> ** {noformat}
> java.lang.NullPointerException
> at
> java.base/sun.security.ssl.SSLSessionImpl.getValue(SSLSessionImpl.java:1253)
> at
> org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:230)
> at
> org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:170)
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:363)
> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
> at
> org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
> at org.eclipse.jetty.io.ssl.SslConnection$1.run(SslConnection.java:144)
> at
> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:781)
> at
> org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:917)
> at java.base/java.lang.Thread.run(Thread.java:830)
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
