[
https://issues.apache.org/jira/browse/ARTEMIS-3185?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17392438#comment-17392438
]
Domenico Francesco Bruscino edited comment on ARTEMIS-3185 at 8/3/21, 5:26 PM:
-------------------------------------------------------------------------------
The [#3667|https://github.com/apache/activemq-artemis/pull/3667] PR for
ARTEMIS-3367 should fix this issue too.
was (Author: brusdev):
The [#3667|https://github.com/apache/activemq-artemis/pull/3667] PR for
ARTEMIS-3367 should fix this issue too,
> Various TLS tests fail on newer JDKs/environments
> -------------------------------------------------
>
> Key: ARTEMIS-3185
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3185
> Project: ActiveMQ Artemis
> Issue Type: Test
> Components: Tests
> Affects Versions: 2.17.0
> Reporter: Robbie Gemmell
> Priority: Major
>
> Various broker integration tests fail after I updated to Fedora 33, seemingly
> on all JDK versions but certainly with 8u275 and above, with the failing
> tests all being TLS related. For example, AMQPConnectSaslTest,
> JMSSaslExternalTest, JMSSaslExternalLDAPTest failed, though there are others.
> Specifically, the related keystore for those tests looks to be keystore1.jks
> under tests/integration-tests/src/test/resources (though possibly other files
> in there and related tests could be affected or need updated also). The key
> contained uses SHA1withRSA for the signature, which keytool notes is disabled
> and so that is presumably the problem:
> {noformat}
> $ keytool -keystore keystore1.jks -storepass changeit -list -v
> ...snipped...
> Signature algorithm name: SHA1withRSA (disabled)
> ...snipped...
> <keystore1> uses the SHA1withRSA signature algorithm which is considered a
> security risk and is disabled.
> {noformat}
> I'm not clear how the file was generated and don't see the CA key used to sign
> it and which matches up to the truststore.jks file (it uses SHA256withRSA sig
> and so should be fine if the key were updated in isolation). If someone who
> knows the process used could update the key that would be great.
> A suggestion I would make is to create a script that creates the files, both
> so it can be seen later what was done, and more easily repeated and/or
> updated when needed. For example, we do this with the [Qpid JMS tests
> resources|https://github.com/apache/qpid-jms/blob/main/qpid-jms-client/src/test/resources/README.txt],
> which I adapted for creating the ['broker-connections' TLS
> example|https://github.com/apache/activemq-artemis/blob/master/examples/features/broker-connection/amqp-sending-overssl/store-generation.txt]
> resources when I was updating that.
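A store-generation script of the kind the issue description asks for, as an added example that is not the project's or the reporter's own script: it recreates keystore1.jks and truststore.jks with SHA256withRSA signatures and fails if keytool still marks any signature as disabled or weak. The aliases, distinguished names, validity period, the ca.jks/ca.pem/server.* file names and the script name in the usage comment are assumptions.

```shell
# Added example, not the project's script. Aliases, DNs, validity and the
# ca.*/server.* file names are assumed; keystore1.jks, truststore.jks and the
# "changeit" password are the names shown in the issue.
PASS=changeit

# Reads `keytool -list -v` output on stdin, prints each signature line that
# keytool marks "(disabled)" or "(weak)", and returns 1 if any were found.
find_weak_sigalgs() {
    awk '/Signature algorithm name:/ && /\((disabled|weak)\)/ { print; bad = 1 }
         END { exit bad }'
}

# Creates a test CA, a CA-signed server key in keystore1.jks, and
# truststore.jks, all signed with SHA256withRSA. $1 is the output directory.
generate_stores() {
    d=$1
    # Self-signed CA key pair; bc=ca:true marks the certificate as a CA.
    keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "CN=Constructed Test CA" -validity 3650 -ext bc=ca:true \
        -keystore "$d/ca.jks" -storetype JKS -storepass "$PASS" -keypass "$PASS" &&
    keytool -exportcert -rfc -alias ca -file "$d/ca.pem" \
        -keystore "$d/ca.jks" -storepass "$PASS" &&
    # Server key pair and a certificate request for it.
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "CN=localhost" -validity 3650 \
        -keystore "$d/keystore1.jks" -storetype JKS -storepass "$PASS" -keypass "$PASS" &&
    keytool -certreq -alias server -file "$d/server.csr" \
        -keystore "$d/keystore1.jks" -storepass "$PASS" &&
    # The CA signs the request; -sigalg here is what replaces SHA1withRSA.
    keytool -gencert -rfc -alias ca -sigalg SHA256withRSA -validity 3650 \
        -ext san=dns:localhost -infile "$d/server.csr" -outfile "$d/server.pem" \
        -keystore "$d/ca.jks" -storepass "$PASS" &&
    # Import the CA first so the signed reply chains, then the reply itself.
    keytool -importcert -noprompt -alias ca -file "$d/ca.pem" \
        -keystore "$d/keystore1.jks" -storepass "$PASS" &&
    keytool -importcert -noprompt -alias server -file "$d/server.pem" \
        -keystore "$d/keystore1.jks" -storepass "$PASS" &&
    keytool -importcert -noprompt -alias ca -file "$d/ca.pem" \
        -keystore "$d/truststore.jks" -storetype JKS -storepass "$PASS"
}

# Usage (hypothetical script name): sh store-gen.sh generate <dir>
if [ "${1:-}" = generate ]; then
    generate_stores "${2:-.}" || exit 1
    for s in keystore1.jks truststore.jks; do
        keytool -list -v -keystore "${2:-.}/$s" -storepass "$PASS" | find_weak_sigalgs || exit 1
    done
fi
```

Keeping the script beside the generated stores records how they were made, and the final audit loop can also be pointed at existing stores to catch the next algorithm a JDK update disables.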