Re: Some test observations for TC 7

Wed, 28 Oct 2020 12:34:59 -0700 

Rainer,
I recently had some weirdness with TLS connections as well. Please see my post titled "SSLException after Java upgrade". 


"Recently", Java moved certain EC curves to the attic and won't 
handshake properly anymore.



Another investigation of my own product running into a network exception 
that hadn't been generated before. It looks like a change to the JRE.


https://bugs.openjdk.java.net/browse/JDK-8215102


This was initially reported as an error with MySQL connections but it 
appears that the driver's involvement was unnecessary. Please see 
Severin Gehwolf's comments from 2019-01-25.



I'm not sure if either of these issues are related to yours, but I 
wanted to make suer you were aware of them.


Hope that helps,
-chris

On 10/28/20 08:09, Rainer Jung wrote:

Hi all,


I tested TC 7.0.106 plus a few patches from git with a variety of JVMs 
on a few Linux distributions. I observed:



- org.apache.tomcat.util.net.TestClientCertTls13 now fails for Java 
1.8.0_272 be it OpenJDK, Adopt or Zulu on all Linux distros I tested. 
TLSv1.3 was backported to Java 8 in the recently released Patchlevel 272 
and is enabled on the server side by default, but not on the client 
side. The test succeeds as soon as I add 
"-Djdk.tls.client.protocols=TLSv1.3". I guess correct TLS1.3 detection 
during test gets moire and more complicated ...



- Only on RHEL 8 (e.g. not RHEL 6 or 7) and only with Red Hat provided 
Java 1.8.0 and 11 (but not for other distributions of Java 1.8.0 or 11), 
lots of TLS tests fail. For example TestSsl test testSimpleSsl show the 
following when started with -Djavax.net.debug=all und Red Hat Java 11:



     [junit] Oct 28, 2020 12:55:26 PM org.apache.coyote.AbstractProtocol 
start
     [junit] INFO: Starting ProtocolHandler 
["http-bio-127.0.0.1-auto-1-43799"]
     [junit] javax.net.ssl|DEBUG|03|Finalizer|2020-10-28 12:55:26.265 
CET|SSLSocketImpl.java:473|duplex close of SSLSocket
     [junit] javax.net.ssl|WARNING|03|Finalizer|2020-10-28 12:55:26.273 
CET|SSLSocketImpl.java:494|SSLSocket duplex close failed (

     [junit] "throwable" : {
     [junit]   java.net.SocketException: Socket is not connected

     [junit]     at 
java.base/java.net.Socket.shutdownOutput(Socket.java:1553)
     [junit]     at 
java.base/sun.security.ssl.BaseSSLSocketImpl.shutdownOutput(BaseSSLSocketImpl.java:232) 

     [junit]     at 
java.base/sun.security.ssl.SSLSocketImpl.duplexCloseOutput(SSLSocketImpl.java:561) 

     [junit]     at 
java.base/sun.security.ssl.SSLSocketImpl.close(SSLSocketImpl.java:479)
     [junit]     at 
java.base/sun.security.ssl.BaseSSLSocketImpl.finalize(BaseSSLSocketImpl.java:275) 

     [junit]     at 
java.base/java.lang.System$2.invokeFinalize(System.java:2117)
     [junit]     at 
java.base/java.lang.ref.Finalizer.runFinalizer(Finalizer.java:87)
     [junit]     at 
java.base/java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:171)}

     [junit]
     [junit] )

     [junit] javax.net.ssl|ERROR|01|main|2020-10-28 12:55:26.304 
CET|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't 
kickstart handshaking (

     [junit] "throwable" : {

     [junit]   javax.net.ssl.SSLHandshakeException: No appropriate 
protocol (protocol is disabled or cipher suites are inappropriate)
     [junit]     at 
java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:163) 

     [junit]     at 
java.base/sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:95) 

     [junit]     at 
java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:217) 

     [junit]     at 
java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395) 

     [junit]     at 
java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567) 

     [junit]     at 
java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) 

     [junit]     at 
java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:163) 

     [junit]     at 
org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:665) 

     [junit]     at 
org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:639) 

     [junit]     at 
org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:633)
     [junit]     at 
org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:627)
     [junit]     at 
org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:612)
     [junit]     at 
org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:606)
     [junit]     at 
org.apache.tomcat.util.net.TestSsl.testSimpleSsl(TestSsl.java:60)



Dont know whether the error in the finalizer really is the root cause 
and it might well be a JDK error, but I at least wanted to provide the 
info here.


Best regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org























					Reply via email to