[ 
https://issues.apache.org/jira/browse/ARTEMIS-3185?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Work on ARTEMIS-3185 started by Domenico Francesco Bruscino.
------------------------------------------------------------
> Various TLS tests fail on newer JDKs/environments
> -------------------------------------------------
>
>                 Key: ARTEMIS-3185
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3185
>             Project: ActiveMQ Artemis
>          Issue Type: Test
>          Components: Tests
>    Affects Versions: 2.17.0
>            Reporter: Robbie Gemmell
>            Assignee: Domenico Francesco Bruscino
>            Priority: Major
>
> Various broker integration tests fail after I updated to Fedora 33, seemingly 
> on all JDK versions but certainly with 8u275 and above, with the failing 
> tests all being TLS related. For example, AMQPConnectSaslTest, 
> JMSSaslExternalTest, JMSSaslExternalLDAPTest failed, though there are others.
> Specifically, the related keystore for those tests looks to be keystore1.jks 
> under tests/integration-tests/src/test/resources (though possibly other files 
> in there and related tests could be affected or need updated also). The key 
> contained uses SHA1withRSA for the signature, which keytool notes is disabled 
> and so that is presumably the problem:
> {noformat}
> $ keytool -keystore keystore1.jks -storepass changeit -list -v
> ...snipped...
> Signature algorithm name: SHA1withRSA (disabled)
> ...snipped...
> <keystore1> uses the SHA1withRSA signature algorithm which is considered a 
> security risk and is disabled.
> {noformat}
> I'm not clear how the file was generated and don't see the CA key used to sign 
> it and which matches up to the truststore.jks file (it uses SHA256withRSA sig 
> and so should be fine if the key were updated in isolation). If someone who 
> knows the process used could update the key that would be great.
> A suggestion I would make is to create a script that creates the files, both 
> so it can be seen later what was done, and more easily repeated and/or 
> updated when needed. For example, we do this with the [Qpid JMS tests 
> resources|https://github.com/apache/qpid-jms/blob/main/qpid-jms-client/src/test/resources/README.txt],
>  which I adapted for creating the ['broker-connections' TLS 
> example|https://github.com/apache/activemq-artemis/blob/master/examples/features/broker-connection/amqp-sending-overssl/store-generation.txt]
>  resources when I was updating that.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
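
Added example, not part of the original issue or of the Artemis project: a shell check that parses `keytool -list -v` output like the one quoted above and lists every keystore entry whose certificate signature algorithm is SHA-1/MD5/MD2 based or is marked "(disabled)" or "(weak)" by keytool. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Real use (command taken from the issue text):
#   keytool -keystore keystore1.jks -storepass changeit -list -v | weak_sig_entries

# Reads `keytool -list -v` text on stdin; prints "alias<TAB>algorithm" for each
# certificate whose signature algorithm should no longer be relied on.
weak_sig_entries() {
  awk '
    /^Alias name: / { alias = substr($0, 13) }
    /^Signature algorithm name: / {
      alg = substr($0, 27)
      if (alg ~ /^(SHA1|MD5|MD2)with/ || alg ~ /\((disabled|weak)\)/)
        printf "%s\t%s\n", alias, alg
    }
  '
}

# Exit status 0 only when stdin contains no weak entries (usable as a CI gate).
keystore_is_clean() {
  [ -z "$(weak_sig_entries)" ]
}

# Constructed sample: abbreviated keytool output for a two-entry keystore.
sample_keytool_output() {
  cat <<'EOF'
Keystore type: JKS

Your keystore contains 2 entries

Alias name: server
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=server.example.invalid
Issuer: CN=Test CA
Signature algorithm name: SHA1withRSA (disabled)
Version: 3

Alias name: ca
Entry type: trustedCertEntry
Owner: CN=Test CA
Issuer: CN=Test CA
Signature algorithm name: SHA256withRSA
Version: 3
EOF
}

sample_keytool_output | weak_sig_entries
```
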