[ https://issues.apache.org/jira/browse/IMPALA-8563?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jim Apple resolved IMPALA-8563.
-------------------------------
       Resolution: Fixed
    Fix Version/s: Impala 3.3.0

Thanks for fixing this, Laszlo!

> BE tests specifying their own SSL cipher sets fail on Ubuntu 18
> ---------------------------------------------------------------
>
>                 Key: IMPALA-8563
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8563
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Infrastructure
>    Affects Versions: Impala 3.2.0
>            Reporter: Laszlo Gaal
>            Assignee: Laszlo Gaal
>            Priority: Critical
>             Fix For: Impala 3.3.0
>
>
> Ubuntu 18.04 upgraded OpenSSL to 1.1.0, which raised the bar in what ciphers 
> are considered "strong".
> Some of the Impala BE tests specify their own ciphers for various test 
> purposes. These tests use RC4, which is no longer accepted by OpenSSL by 
> default, making these tests fail on Ubuntu 18.04. Affected tests are:
>  * rpc-mgr-test
>  * thrift-server-test
>  * webserver-test
> {code:java}
> 56/104 Test #56: thrift-util-test ................. Passed 3.34 sec
> Start 57: thrift-server-test
> 57/104 Test #57: thrift-server-test ...............***Exception: SegFault 
> 4.25 sec
> Turning perftools heap leak checking off
> Loading random data
> Initializing database 'de52-8af6-6a92-1e99/krb5kdc/principal' for realm 
> 'KRBTEST.COM',
> master key name 'K/m...@krbtest.com'
> Apr 18 22:20:43 ip-172-31-7-143 krb5kdc[25358](info): setting up network...
> krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
> Apr 18 22:20:43 ip-172-31-7-143 krb5kdc[25358](info): set up 2 sockets
> Apr 18 22:20:43 ip-172-31-7-143 krb5kdc[25358](info): commencing operation
> krb5kdc: starting...
> WARNING: no policy specified for impala/localh...@krbtest.com; defaulting to 
> no policy
> Authenticating as principal ubuntu/ad...@krbtest.com with password.
> Principal "impala/localh...@krbtest.com" created.
> Authenticating as principal ubuntu/ad...@krbtest.com with password.
> Entry for principal impala/localhost with kvno 2, encryption type 
> aes256-cts-hmac-sha1-96 added to keytab 
> WRFILE:de52-8af6-6a92-1e99/krb5kdc/impala_localhost.keytab.
> Entry for principal impala/localhost with kvno 2, encryption type 
> aes128-cts-hmac-sha1-96 added to keytab 
> WRFILE:de52-8af6-6a92-1e99/krb5kdc/impala_localhost.keytab.
> [==========] Running 16 tests from 6 test cases.
> [----------] Global test environment set-up.
> [----------] 1 test from ThriftTestBase
> [ RUN ] ThriftTestBase.Connectivity
> [ OK ] ThriftTestBase.Connectivity (85 ms)
> [----------] 1 test from ThriftTestBase (85 ms total)
> [----------] 8 tests from SslTest
> [ RUN ] SslTest.BadCertificate
> [ OK ] SslTest.BadCertificate (17 ms)
> [ RUN ] SslTest.ClientBeforeServer
> [ OK ] SslTest.ClientBeforeServer (4 ms)
> [ RUN ] SslTest.BadCiphers
> [ OK ] SslTest.BadCiphers (1 ms)
> [ RUN ] SslTest.MismatchedCiphers
> /home/ubuntu/Impala/be/src/rpc/thrift-server-test.cc:314: Failure
> Value of: status_.ok()
> Actual: false
> Expected: true
> Error: SSL socket creation failed: SSL_CTX_set_cipher_list: no cipher match
> /home/ubuntu/Impala/be/src/rpc/thrift-server-test.cc:322: Failure
> Value of: status_.ok()
> Actual: false
> Expected: true
> Error: SSL socket creation failed: SSL_CTX_set_cipher_list: no cipher match
> Wrote minidump to 
> /home/ubuntu/Impala/logs/be_tests/minidumps/thrift-server-test/3c9581c6-3007-4582-2f9967bb-c5fc4825.dmp
> Wrote minidump to 
> /home/ubuntu/Impala/logs/be_tests/minidumps/thrift-server-test/3c9581c6-3007-4582-2f9967bb-c5fc4825.dmp
> {code}
> {code:java}
>         Start  59: rpc-mgr-test
>  59/104 Test  #59: rpc-mgr-test .....................***Failed    5.13 sec
> Turning perftools heap leak checking off
> [==========] Running 11 tests from 1 test case.
> [----------] Global test environment set-up.
> [----------] 11 tests from RpcMgrTest
> [ RUN      ] RpcMgrTest.MultipleServicesTls
> 19/04/18 22:20:51 INFO util.JvmPauseMonitor: Starting JVM pause monitor
> [       OK ] RpcMgrTest.MultipleServicesTls (923 ms)
> [ RUN      ] RpcMgrTest.MultipleServices
> [       OK ] RpcMgrTest.MultipleServices (61 ms)
> [ RUN      ] RpcMgrTest.BadCertificateTls
> [       OK ] RpcMgrTest.BadCertificateTls (35 ms)
> [ RUN      ] RpcMgrTest.BadPasswordTls
> [       OK ] RpcMgrTest.BadPasswordTls (58 ms)
> [ RUN      ] RpcMgrTest.CorrectPasswordTls
> [       OK ] RpcMgrTest.CorrectPasswordTls (61 ms)
> [ RUN      ] RpcMgrTest.BadCiphersTls
> [       OK ] RpcMgrTest.BadCiphersTls (34 ms)
> [ RUN      ] RpcMgrTest.ValidCiphersTls
> /home/ubuntu/Impala/be/src/rpc/rpc-mgr-test.cc:142: Failure
> Value of: status_.ok()
>   Actual: false
> Expected: true
> Error: Could not build messenger: Runtime error: failed to set TLS ciphers: 
> error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher 
> match:../ssl/ssl_lib.c:2129
> [  FAILED  ] RpcMgrTest.ValidCiphersTls (32 ms)
> [ RUN      ] RpcMgrTest.ValidMultiCiphersTls
> /home/ubuntu/Impala/be/src/rpc/rpc-mgr-test.cc:161: Failure
> Value of: status_.ok()
>   Actual: false
> Expected: true
> Error: Could not build messenger: Runtime error: failed to set TLS ciphers: 
> error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher 
> match:../ssl/ssl_lib.c:2129
> [  FAILED  ] RpcMgrTest.ValidMultiCiphersTls (44 ms)
> [ RUN      ] RpcMgrTest.SlowCallback
> [       OK ] RpcMgrTest.SlowCallback (333 ms)
> [ RUN      ] RpcMgrTest.AsyncCall
> [       OK ] RpcMgrTest.AsyncCall (36 ms)
> [ RUN      ] RpcMgrTest.NegotiationTimeout
> [       OK ] RpcMgrTest.NegotiationTimeout (35 ms)
> [----------] 11 tests from RpcMgrTest (1652 ms total)
> [----------] Global test environment tear-down
> [==========] 11 tests from 1 test case ran. (1652 ms total)
> [  PASSED  ] 9 tests.
> [  FAILED  ] 2 tests, listed below:
> [  FAILED  ] RpcMgrTest.ValidCiphersTls
> [  FAILED  ] RpcMgrTest.ValidMultiCiphersTls
>  2 FAILED TESTS
> {code}
> {code:java}
> Start 102: webserver-test
> 102/104 Test #102: webserver-test ...................***Failed 3.02 sec
> Turning perftools heap leak checking off
> [==========] Running 18 tests from 1 test case.
> [----------] Global test environment set-up.
> [----------] 18 tests from Webserver
> [ RUN ] Webserver.SmokeTest
> [ OK ] Webserver.SmokeTest (18 ms)
> [ RUN ] Webserver.ArgsTest
> [ OK ] Webserver.ArgsTest (14 ms)
> [ RUN ] Webserver.JsonTest
> [ OK ] Webserver.JsonTest (11 ms)
> [ RUN ] Webserver.EscapingTest
> [ OK ] Webserver.EscapingTest (11 ms)
> [ RUN ] Webserver.EscapeErrorUriTest
> [ OK ] Webserver.EscapeErrorUriTest (11 ms)
> [ RUN ] Webserver.SslTest
> [ OK ] Webserver.SslTest (10 ms)
> [ RUN ] Webserver.SslBadCertTest
> [ OK ] Webserver.SslBadCertTest (0 ms)
> [ RUN ] Webserver.SslWithPrivateKeyPasswordTest
> [ OK ] Webserver.SslWithPrivateKeyPasswordTest (12 ms)
> [ RUN ] Webserver.SslBadPrivateKeyPasswordTest
> [ OK ] Webserver.SslBadPrivateKeyPasswordTest (2 ms)
> [ RUN ] Webserver.SslCipherSuite
> /home/ubuntu/Impala/be/src/util/webserver-test.cc:273: Failure
> Value of: status_.ok()
> Actual: false
> Expected: true
> Error: Webserver: Could not start on address 0.0.0.0:27890
> [ FAILED ] Webserver.SslCipherSuite (3 ms)
> [ RUN ] Webserver.SslBadTlsVersion
> [ OK ] Webserver.SslBadTlsVersion (1 ms)
> [ RUN ] Webserver.SslGoodTlsVersion
> [ OK ] Webserver.SslGoodTlsVersion (35 ms)
> [ RUN ] Webserver.StartWithPasswordFileTest
> [ OK ] Webserver.StartWithPasswordFileTest (11 ms)
> [ RUN ] Webserver.StartWithMissingPasswordFileTest
> [ OK ] Webserver.StartWithMissingPasswordFileTest (0 ms)
> [ RUN ] Webserver.DirectoryListingDisabledTest
> [ OK ] Webserver.DirectoryListingDisabledTest (10 ms)
> [ RUN ] Webserver.NoFrameEmbeddingTest
> [ OK ] Webserver.NoFrameEmbeddingTest (11 ms)
> [ RUN ] Webserver.FrameAllowEmbeddingTest
> [ OK ] Webserver.FrameAllowEmbeddingTest (11 ms)
> [ RUN ] Webserver.NullCharTest
> [ OK ] Webserver.NullCharTest (10 ms)
> [----------] 18 tests from Webserver (181 ms total)
> [----------] Global test environment tear-down
> [==========] 18 tests from 1 test case ran. (181 ms total)
> [ PASSED ] 17 tests.
> [ FAILED ] 1 test, listed below:
> [ FAILED ] Webserver.SslCipherSuite
> 1 FAILED TEST
> {code}
> Since we don't have regular tests on Ubuntu 18 (though arguably we should), 
> I'm not making this a blocker.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
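
The "no cipher match" failures quoted above occur when the linked OpenSSL build cannot select any cipher from the string a test hard-codes. As an added example (not part of the original message and not Impala's code), this Python sketch probes which cipher strings the local OpenSSL accepts and picks the first usable one; the candidate names and the helper functions are assumptions chosen for illustration.

```python
import ssl

# Constructed candidate list (OpenSSL cipher-string names): a legacy RC4
# suite first, then two AES-GCM TLS 1.2 suites as fallbacks.
CANDIDATES = ["RC4-SHA", "AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]


def accepted(cipher_string):
    """Return True if the linked OpenSSL can select at least one cipher."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # set_ciphers() wraps SSL_CTX_set_cipher_list(); an unusable string
        # raises SSLError, the Python-side view of "no cipher match".
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def probe(candidates):
    """Map each candidate cipher string to whether this build accepts it."""
    return {name: accepted(name) for name in candidates}


def first_accepted(candidates):
    """Return the first candidate the local build accepts, or None."""
    for name in candidates:
        if accepted(name):
            return name
    return None


if __name__ == "__main__":
    print("Linked against:", ssl.OPENSSL_VERSION)
    for name, ok in probe(CANDIDATES).items():
        print(f"{name:32} {'accepted' if ok else 'rejected'}")
    print("Cipher a test could pin on this host:", first_accepted(CANDIDATES))
```

A test that must pin a specific cipher can run such a probe first and skip or choose a different suite, instead of failing on hosts whose OpenSSL no longer offers the hard-coded one.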
