Hello all, I just joined the list this very morning.
I am working on a project to update a system to use GraalVM native
images. The system consists of many Docker containers (on the order of
50). For this endeavor, Qpid is one of the applications we use in one of
the containers. It has now been decided to update everything from Java 8
and Java 11 to Java 17. So, before I continued further with the native
image, I decided to update to Java 17 and make sure Qpid works as a
standard JVM image.
I have so far built a Qpid native image that mostly worked (more testing
needed) from a Java 11 base.
When updating to Java 17 I ran into two unit test failures: SNITest and
ConfigReaderTest. ConfigReaderTest was fixed by enabling the GraalVM
script engine and running it in Nashorn compatibility mode. The SNITest
is where my current problem lies.
SNITest.testBypassInvalidHostname() initially failed under Java 17. I
was able to get it to pass by changing the sniHostName parameter in the
call to performtest() from "_foo" to "invalid". Looking at the test
logs, it appears that it was failing because of the "_" (underscore)
character in the host name which threw an invalid argument exception
from the Security manager. Compiling and running the tests with
different versions of Java shows that (from what I could see) the
exceptions have changed from Java 8 to Java 17. This made me wonder if
the test had actually been passing with a false positive previously.
All that being said, what is the intent of this test? Is it to verify
that using an invalid character in an IDN, and asking the system to
ignore it, will allow the invalid name, or is it to verify that using
any name that does not match the hostname in the cert will be ignored
when the ignoreInvalidSni flag is set?
A secondary question is regarding the testInvalidHostname test and the
question is similar - what is the intent of the test?
Since these tests are regarding security, and security is of the MOST
EXTREME importance for the system I am working with, I need to make sure
these tests pass or fail properly during this upgrade.
FWIW, this project (Qpid, not the rest of the system) is up on my GitHub
since I am working with the publicly released 8.0.6 Qpid Broker-J source.
Thanks in advance,
PGA
---
Paul G Allen, MSSE
Random Logic Consulting Services