[ https://issues.apache.org/jira/browse/DIRMINA-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Peter Palaga updated DIRMINA-1067:
----------------------------------
Description:
When we set up a test in which a client connects to the server three times
using TLS with a client cert, then on OracleJDK and OpenJDK the
{{org.apache.mina.filter.ssl.SslClientCertTest.TrustAndStoreTrustManager.checkClientTrusted(X509Certificate[],
String)}} method is invoked three times, while on IBM JDK, the same method is
invoked only once.
I kindly ask for an explanation why this happens. I am not an expert in TLS and
therefore I am not able to tell whether this is a bug in Mina, any of the JDKs,
both or none.
Steps to reproduce:
(1) Prepare
{code}
git fetch https://github.com/ppalaga/mina.git refs/heads/DIRMINA-1067:DIRMINA-1067
git checkout DIRMINA-1067
mvn clean install -DskipTests
{code}
(2) Test with Oracle JDK or OpenJDK which both work as expected.
{code}
export JAVA_HOME=/path/to/OracleJDK # change this
$JAVA_HOME/bin/java -version
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
mvn test -Dtest=SslClientCertTest
...
Running org.apache.mina.filter.ssl.SslClientCertTest
[22:04:18] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing certs
[22:04:19] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert
CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
[22:04:20] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert
CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
[22:04:22] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert
CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 5.032 sec - in
org.apache.mina.filter.ssl.SslClientCertTest
{code}
Note that {{Adding cert ...}} appears three times in the log
(3) Test with IBM JDK
{code}
export JAVA_HOME=/path/to/IBMJDK
$JAVA_HOME/bin/java -version
java version "1.8.0"
Java(TM) SE Runtime Environment (build pxa6480sr3fp12-20160919_01(SR3 FP12))
IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References
20160915_318796 (JIT enabled, AOT enabled)
J9VM - R28_Java8_SR3_20160915_0912_B318796
JIT - tr.r14.java.green_20160818_122998
GC - R28_Java8_SR3_20160915_0912_B318796_CMPRSS
J9CL - 20160915_318796)
JCL - 20160914_01 based on Oracle jdk8u101-b13
mvn surefire:test -Dtest=SslClientCertTest
...
Running org.apache.mina.filter.ssl.SslClientCertTest
[22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing certs
[22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert
CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 5.5 sec <<<
FAILURE! - in org.apache.mina.filter.ssl.SslClientCertTest
testClientCerts(org.apache.mina.filter.ssl.SslClientCertTest) Time elapsed:
5.412 sec <<< FAILURE!
java.lang.AssertionError: expected:<3> but was:<1>
{code}
Expected: {{testClientCerts}} should pass
Actual: {{testClientCerts}} fails
Background: I took ApacheDS to check that our LDAP client code in WildFly is
sending the client certs properly, but the results on Oracle vs IBM were
inconsistent. The code there https://github.com/wildfly/wildfly/pull/9961 does
basically the same thing as the reproducer of the current issue
https://github.com/apache/mina/pull/12
was:
When we set up a test in which a client connects to the server three times
using TLS with a client cert, then on OracleJDK and OpenJDK the
{{org.apache.mina.filter.ssl.SslClientCertTest.TrustAndStoreTrustManager.checkClientTrusted(X509Certificate[],
String)}} method is invoked three times, while on IBM JDK, the same method is
invoked only once.
I kindly ask for an explanation why this happens. I am not an expert in TLS and
therefore I am not able to tell whether this is a bug in Mina, any of the JDKs,
both or none.
Steps to reproduce:
(1) Prepare
{code}
git fetch https://github.com/ppalaga/mina.git refs/heads/DIRMINA-1067:DIRMINA-1067
git checkout DIRMINA-1067
mvn clean install -DskipTests
{code}
(2) Test with Oracle JDK or OpenJDK which both work as expected.
{code}
export JAVA_HOME=/path/to/OracleJDK # change this
$JAVA_HOME/bin/java -version
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
mvn test -Dtest=SslClientCertTest
...
Running org.apache.mina.filter.ssl.SslClientCertTest
[22:04:18] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing certs
[22:04:19] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert
CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
[22:04:20] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert
CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
[22:04:22] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert
CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 5.032 sec - in
org.apache.mina.filter.ssl.SslClientCertTest
{code}
Note that {{Adding cert ...}} appears three times in the log
(3) Test with IBM JDK
{code}
export JAVA_HOME=/path/to/IBMJDK
$JAVA_HOME/bin/java -version
java version "1.8.0"
Java(TM) SE Runtime Environment (build pxa6480sr3fp12-20160919_01(SR3 FP12))
IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References
20160915_318796 (JIT enabled, AOT enabled)
J9VM - R28_Java8_SR3_20160915_0912_B318796
JIT - tr.r14.java.green_20160818_122998
GC - R28_Java8_SR3_20160915_0912_B318796_CMPRSS
J9CL - 20160915_318796)
JCL - 20160914_01 based on Oracle jdk8u101-b13
mvn surefire:test -Dtest=SslClientCertTest
...
Running org.apache.mina.filter.ssl.SslClientCertTest
[22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing certs
[22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert
CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 5.5 sec <<<
FAILURE! - in org.apache.mina.filter.ssl.SslClientCertTest
testClientCerts(org.apache.mina.filter.ssl.SslClientCertTest) Time elapsed:
5.412 sec <<< FAILURE!
java.lang.AssertionError: expected:<3> but was:<1>
{code}
Expected: {{testClientCerts}} should pass
Actual: {{testClientCerts}} should fails
> checkClientTrusted() invoked just once on IBM JRE
> -------------------------------------------------
>
> Key: DIRMINA-1067
> URL: https://issues.apache.org/jira/browse/DIRMINA-1067
> Project: MINA
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.0.16
> Reporter: Peter Palaga