[
https://issues.apache.org/jira/browse/IMPALA-8563?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16843500#comment-16843500
]
ASF subversion and git services commented on IMPALA-8563:
---------------------------------------------------------
Commit 358e92ffa25270adb0cec90710409a7a6f2151da in impala's branch
refs/heads/master from Laszlo Gaal
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=358e92f ]
IMPALA-8563: Update SSL ciphers used in BE tests
Impala BE tests used RC4-based ciphers in a few BE tests, where
OpenSSL contexts were set up manually.
Since OpenSSL v1.1.0 these ciphers are not considered strong enough
any more, so they are rejected, which made these tests fail on platforms
using OpenSSL 1.1.0 (or higher), e.g. on Ubuntu 18.04.
This patch changes the affected tests to use AES128 and AES256.
The updated tests were verified on the following platforms:
- Ubuntu 14.04, 16.04, 18.04
- CentOS 6.4, 7.4
Change-Id: I12b014361fb90afe63aed4b4608f6d6031e49cca
Reviewed-on: http://gerrit.cloudera.org:8080/13364
Reviewed-by: Tim Armstrong <[email protected]>
Reviewed-by: Michael Ho <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> BE tests specifying their own SSL cipher sets fail on Ubuntu 18
> ---------------------------------------------------------------
>
> Key: IMPALA-8563
> URL: https://issues.apache.org/jira/browse/IMPALA-8563
> Project: IMPALA
> Issue Type: Bug
> Components: Infrastructure
> Affects Versions: Impala 3.2.0
> Reporter: Laszlo Gaal
> Assignee: Laszlo Gaal
> Priority: Critical
>
> Ubuntu 18.04 upgraded OpenSSL to 1.1.0, which raised the bar in what ciphers
> are considered "strong".
> Some of the Impala BE tests specify their own ciphers for various test
> purposes. These tests use RC4, which is no longer accepted by OpenSSL by
> default, making these tests fail on Ubuntu 18.04. Affected tests are:
> * rpc-mgr-test
> * thrift-server-test
> * webserver-test
> {code:java}
> 56/104 Test #56: thrift-util-test ................. Passed 3.34 sec
> Start 57: thrift-server-test
> 57/104 Test #57: thrift-server-test ...............***Exception: SegFault
> 4.25 sec
> Turning perftools heap leak checking off
> Loading random data
> Initializing database 'de52-8af6-6a92-1e99/krb5kdc/principal' for realm
> 'KRBTEST.COM',
> master key name 'K/[email protected]'
> Apr 18 22:20:43 ip-172-31-7-143 krb5kdc[25358](info): setting up network...
> krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
> Apr 18 22:20:43 ip-172-31-7-143 krb5kdc[25358](info): set up 2 sockets
> Apr 18 22:20:43 ip-172-31-7-143 krb5kdc[25358](info): commencing operation
> krb5kdc: starting...
> WARNING: no policy specified for impala/[email protected]; defaulting to
> no policy
> Authenticating as principal ubuntu/[email protected] with password.
> Principal "impala/[email protected]" created.
> Authenticating as principal ubuntu/[email protected] with password.
> Entry for principal impala/localhost with kvno 2, encryption type
> aes256-cts-hmac-sha1-96 added to keytab
> WRFILE:de52-8af6-6a92-1e99/krb5kdc/impala_localhost.keytab.
> Entry for principal impala/localhost with kvno 2, encryption type
> aes128-cts-hmac-sha1-96 added to keytab
> WRFILE:de52-8af6-6a92-1e99/krb5kdc/impala_localhost.keytab.
> [==========] Running 16 tests from 6 test cases.
> [----------] Global test environment set-up.
> [----------] 1 test from ThriftTestBase
> [ RUN ] ThriftTestBase.Connectivity
> [ OK ] ThriftTestBase.Connectivity (85 ms)
> [----------] 1 test from ThriftTestBase (85 ms total)
> [----------] 8 tests from SslTest
> [ RUN ] SslTest.BadCertificate
> [ OK ] SslTest.BadCertificate (17 ms)
> [ RUN ] SslTest.ClientBeforeServer
> [ OK ] SslTest.ClientBeforeServer (4 ms)
> [ RUN ] SslTest.BadCiphers
> [ OK ] SslTest.BadCiphers (1 ms)
> [ RUN ] SslTest.MismatchedCiphers
> /home/ubuntu/Impala/be/src/rpc/thrift-server-test.cc:314: Failure
> Value of: status_.ok()
> Actual: false
> Expected: true
> Error: SSL socket creation failed: SSL_CTX_set_cipher_list: no cipher match
> /home/ubuntu/Impala/be/src/rpc/thrift-server-test.cc:322: Failure
> Value of: status_.ok()
> Actual: false
> Expected: true
> Error: SSL socket creation failed: SSL_CTX_set_cipher_list: no cipher match
> Wrote minidump to
> /home/ubuntu/Impala/logs/be_tests/minidumps/thrift-server-test/3c9581c6-3007-4582-2f9967bb-c5fc4825.dmp
> Wrote minidump to
> /home/ubuntu/Impala/logs/be_tests/minidumps/thrift-server-test/3c9581c6-3007-4582-2f9967bb-c5fc4825.dmp
> {code}
> {code:java}
> Start 59: rpc-mgr-test
> 59/104 Test #59: rpc-mgr-test .....................***Failed 5.13 sec
> Turning perftools heap leak checking off
> [==========] Running 11 tests from 1 test case.
> [----------] Global test environment set-up.
> [----------] 11 tests from RpcMgrTest
> [ RUN ] RpcMgrTest.MultipleServicesTls
> 19/04/18 22:20:51 INFO util.JvmPauseMonitor: Starting JVM pause monitor
> [ OK ] RpcMgrTest.MultipleServicesTls (923 ms)
> [ RUN ] RpcMgrTest.MultipleServices
> [ OK ] RpcMgrTest.MultipleServices (61 ms)
> [ RUN ] RpcMgrTest.BadCertificateTls
> [ OK ] RpcMgrTest.BadCertificateTls (35 ms)
> [ RUN ] RpcMgrTest.BadPasswordTls
> [ OK ] RpcMgrTest.BadPasswordTls (58 ms)
> [ RUN ] RpcMgrTest.CorrectPasswordTls
> [ OK ] RpcMgrTest.CorrectPasswordTls (61 ms)
> [ RUN ] RpcMgrTest.BadCiphersTls
> [ OK ] RpcMgrTest.BadCiphersTls (34 ms)
> [ RUN ] RpcMgrTest.ValidCiphersTls
> /home/ubuntu/Impala/be/src/rpc/rpc-mgr-test.cc:142: Failure
> Value of: status_.ok()
> Actual: false
> Expected: true
> Error: Could not build messenger: Runtime error: failed to set TLS ciphers:
> error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher
> match:../ssl/ssl_lib.c:2129
> [ FAILED ] RpcMgrTest.ValidCiphersTls (32 ms)
> [ RUN ] RpcMgrTest.ValidMultiCiphersTls
> /home/ubuntu/Impala/be/src/rpc/rpc-mgr-test.cc:161: Failure
> Value of: status_.ok()
> Actual: false
> Expected: true
> Error: Could not build messenger: Runtime error: failed to set TLS ciphers:
> error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher
> match:../ssl/ssl_lib.c:2129
> [ FAILED ] RpcMgrTest.ValidMultiCiphersTls (44 ms)
> [ RUN ] RpcMgrTest.SlowCallback
> [ OK ] RpcMgrTest.SlowCallback (333 ms)
> [ RUN ] RpcMgrTest.AsyncCall
> [ OK ] RpcMgrTest.AsyncCall (36 ms)
> [ RUN ] RpcMgrTest.NegotiationTimeout
> [ OK ] RpcMgrTest.NegotiationTimeout (35 ms)
> [----------] 11 tests from RpcMgrTest (1652 ms total)
> [----------] Global test environment tear-down
> [==========] 11 tests from 1 test case ran. (1652 ms total)
> [ PASSED ] 9 tests.
> [ FAILED ] 2 tests, listed below:
> [ FAILED ] RpcMgrTest.ValidCiphersTls
> [ FAILED ] RpcMgrTest.ValidMultiCiphersTls
> 2 FAILED TESTS
> {code}
> {code:java}
> Start 102: webserver-test
> 102/104 Test #102: webserver-test ...................***Failed 3.02 sec
> Turning perftools heap leak checking off
> [==========] Running 18 tests from 1 test case.
> [----------] Global test environment set-up.
> [----------] 18 tests from Webserver
> [ RUN ] Webserver.SmokeTest
> [ OK ] Webserver.SmokeTest (18 ms)
> [ RUN ] Webserver.ArgsTest
> [ OK ] Webserver.ArgsTest (14 ms)
> [ RUN ] Webserver.JsonTest
> [ OK ] Webserver.JsonTest (11 ms)
> [ RUN ] Webserver.EscapingTest
> [ OK ] Webserver.EscapingTest (11 ms)
> [ RUN ] Webserver.EscapeErrorUriTest
> [ OK ] Webserver.EscapeErrorUriTest (11 ms)
> [ RUN ] Webserver.SslTest
> [ OK ] Webserver.SslTest (10 ms)
> [ RUN ] Webserver.SslBadCertTest
> [ OK ] Webserver.SslBadCertTest (0 ms)
> [ RUN ] Webserver.SslWithPrivateKeyPasswordTest
> [ OK ] Webserver.SslWithPrivateKeyPasswordTest (12 ms)
> [ RUN ] Webserver.SslBadPrivateKeyPasswordTest
> [ OK ] Webserver.SslBadPrivateKeyPasswordTest (2 ms)
> [ RUN ] Webserver.SslCipherSuite
> /home/ubuntu/Impala/be/src/util/webserver-test.cc:273: Failure
> Value of: status_.ok()
> Actual: false
> Expected: true
> Error: Webserver: Could not start on address 0.0.0.0:27890
> [ FAILED ] Webserver.SslCipherSuite (3 ms)
> [ RUN ] Webserver.SslBadTlsVersion
> [ OK ] Webserver.SslBadTlsVersion (1 ms)
> [ RUN ] Webserver.SslGoodTlsVersion
> [ OK ] Webserver.SslGoodTlsVersion (35 ms)
> [ RUN ] Webserver.StartWithPasswordFileTest
> [ OK ] Webserver.StartWithPasswordFileTest (11 ms)
> [ RUN ] Webserver.StartWithMissingPasswordFileTest
> [ OK ] Webserver.StartWithMissingPasswordFileTest (0 ms)
> [ RUN ] Webserver.DirectoryListingDisabledTest
> [ OK ] Webserver.DirectoryListingDisabledTest (10 ms)
> [ RUN ] Webserver.NoFrameEmbeddingTest
> [ OK ] Webserver.NoFrameEmbeddingTest (11 ms)
> [ RUN ] Webserver.FrameAllowEmbeddingTest
> [ OK ] Webserver.FrameAllowEmbeddingTest (11 ms)
> [ RUN ] Webserver.NullCharTest
> [ OK ] Webserver.NullCharTest (10 ms)
> [----------] 18 tests from Webserver (181 ms total)
> [----------] Global test environment tear-down
> [==========] 18 tests from 1 test case ran. (181 ms total)
> [ PASSED ] 17 tests.
> [ FAILED ] 1 test, listed below:
> [ FAILED ] Webserver.SslCipherSuite
> 1 FAILED TEST
> {code}
> Since we don't have regular tests on Ubuntu 18 (though arguably we should),
> I'm not making this a blocker.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
