[jira] [Comment Edited] (KAFKA-12790) Fix SslTransportLayerTest.testUnsupportedTlsVersion with JDK 16

Uwe Eisele (Jira) Tue, 22 Jun 2021 14:20:04 -0700


    [ 
https://issues.apache.org/jira/browse/KAFKA-12790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17367686#comment-17367686
 ]


Uwe Eisele edited comment on KAFKA-12790 at 6/22/21, 9:19 PM:
--------------------------------------------------------------

It looks like that the test also no longer runs on JDK 11. Basically it is 
stated in https://bugs.openjdk.java.net/browse/JDK-8256490 which says that as 
of JDK 11.0.11 TLSv1.1 is disabled by default.

I executed the test in a Docker container with JDK 11.0.10 and JDK 11.0.11 (see 
https://github.com/ueisele/kafka/tree/fix/ssltransportlayertest/ci).

JDK 11.0.10
{code:java}
./ci/do_in_docker 11.0.10 ./gradlew clients:unitTest --tests 
SslTransportLayerTest.testUnsupportedTLSVersion --rerun-tasks
...
> Task :clients:unitTest
SslTransportLayerTest > [1] tlsProtocol=TLSv1.2, useInlinePem=false PASSED
SslTransportLayerTest > [2] tlsProtocol=TLSv1.2, useInlinePem=true PASSED
SslTransportLayerTest > [3] tlsProtocol=TLSv1.3, useInlinePem=false PASSED
{code}

JDK 11.0.11
{code:java}
./ci/do_in_docker 11.0.11 ./gradlew clients:unitTest --tests 
SslTransportLayerTest.testUnsupportedTLSVersion --rerun-tasks
...
> Task :clients:unitTest
org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(Args)[1]
 failed, log available in 
/home/appuser/kafka/clients/build/reports/testOutput/org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(Args)[1].test.stdout

SslTransportLayerTest > [1] tlsProtocol=TLSv1.2, useInlinePem=false FAILED
    org.opentest4j.AssertionFailedError: Condition not met within timeout 
15000. Metric not updated failed-authentication-total expected:<1.0> but 
was:<0.0> ==> expected: <true> but was: <false>
        at org.junit.jupiter.api.AssertionUtils.fail(AssertionUtils.java:55)
        at org.junit.jupiter.api.AssertTrue.assertTrue(AssertTrue.java:40)
        at org.junit.jupiter.api.Assertions.assertTrue(Assertions.java:193)
        at 
org.apache.kafka.test.TestUtils.lambda$waitForCondition$3(TestUtils.java:303)
        at 
org.apache.kafka.test.TestUtils.retryOnExceptionWithTimeout(TestUtils.java:351)
        at 
org.apache.kafka.test.TestUtils.retryOnExceptionWithTimeout(TestUtils.java:319)
        at org.apache.kafka.test.TestUtils.waitForCondition(TestUtils.java:300)
        at 
org.apache.kafka.common.network.NioEchoServer.waitForMetrics(NioEchoServer.java:196)
        at 
org.apache.kafka.common.network.NioEchoServer.verifyAuthenticationMetrics(NioEchoServer.java:155)
        at 
org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(SslTransportLayerTest.java:644)
org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(Args)[2]
 failed, log available in 
/home/appuser/kafka/clients/build/reports/testOutput/org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(Args)[2].test.stdout

SslTransportLayerTest > [2] tlsProtocol=TLSv1.2, useInlinePem=true FAILED
    org.opentest4j.AssertionFailedError: Condition not met within timeout 
15000. Metric not updated failed-authentication-total expected:<1.0> but 
was:<0.0> ==> expected: <true> but was: <false>
        at org.junit.jupiter.api.AssertionUtils.fail(AssertionUtils.java:55)
        at org.junit.jupiter.api.AssertTrue.assertTrue(AssertTrue.java:40)
        at org.junit.jupiter.api.Assertions.assertTrue(Assertions.java:193)
        at 
org.apache.kafka.test.TestUtils.lambda$waitForCondition$3(TestUtils.java:303)
        at 
org.apache.kafka.test.TestUtils.retryOnExceptionWithTimeout(TestUtils.java:351)
        at 
org.apache.kafka.test.TestUtils.retryOnExceptionWithTimeout(TestUtils.java:319)
        at org.apache.kafka.test.TestUtils.waitForCondition(TestUtils.java:300)
        at 
org.apache.kafka.common.network.NioEchoServer.waitForMetrics(NioEchoServer.java:196)
        at 
org.apache.kafka.common.network.NioEchoServer.verifyAuthenticationMetrics(NioEchoServer.java:155)
        at 
org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(SslTransportLayerTest.java:644)
org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(Args)[3]
 failed, log available in 
/home/appuser/kafka/clients/build/reports/testOutput/org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(Args)[3].test.stdout

SslTransportLayerTest > [3] tlsProtocol=TLSv1.3, useInlinePem=false FAILED
    org.opentest4j.AssertionFailedError: Condition not met within timeout 
15000. Metric not updated failed-authentication-total expected:<1.0> but 
was:<0.0> ==> expected: <true> but was: <false>
        at org.junit.jupiter.api.AssertionUtils.fail(AssertionUtils.java:55)
        at org.junit.jupiter.api.AssertTrue.assertTrue(AssertTrue.java:40)
        at org.junit.jupiter.api.Assertions.assertTrue(Assertions.java:193)
        at 
org.apache.kafka.test.TestUtils.lambda$waitForCondition$3(TestUtils.java:303)
        at 
org.apache.kafka.test.TestUtils.retryOnExceptionWithTimeout(TestUtils.java:351)
        at 
org.apache.kafka.test.TestUtils.retryOnExceptionWithTimeout(TestUtils.java:319)
        at org.apache.kafka.test.TestUtils.waitForCondition(TestUtils.java:300)
        at 
org.apache.kafka.common.network.NioEchoServer.waitForMetrics(NioEchoServer.java:196)
        at 
org.apache.kafka.common.network.NioEchoServer.verifyAuthenticationMetrics(NioEchoServer.java:155)
        at 
org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(SslTransportLayerTest.java:644)

3 tests completed, 3 failed
{code}

To execute tests which require TLSv1.1 support with current JDKs, TLSv1.1 must 
be removed from the `jdk.tls.disabledAlgorithms` security property in the 
`java.security` configuration file.

I also tested this and in this case I could execute the test 
testUnsupportedTlsVersion with the newest version of JDK 11.

I now, this task is about JDK 16, but for me it looks like that also for JDK 16 
the reason is that TLSv1.1 has been disabled by default.


was (Author: ueisele):
It looks like that the test also no longer runs on JDK 11. Basically its stated 
in https://bugs.openjdk.java.net/browse/JDK-8256490 which says that as of JDK 
11.0.11 TLSv1.1 is disabled by default.

I executed the test in a Docker container with JDK 11.0.10 and JDK 11.0.11 (see 
https://github.com/ueisele/kafka/tree/fix/ssltransportlayertest/ci).

JDK 11.0.10
{code:java}
./ci/do_in_docker 11.0.10 ./gradlew clients:unitTest --tests 
SslTransportLayerTest.testUnsupportedTLSVersion --rerun-tasks
...
> Task :clients:unitTest
SslTransportLayerTest > [1] tlsProtocol=TLSv1.2, useInlinePem=false PASSED
SslTransportLayerTest > [2] tlsProtocol=TLSv1.2, useInlinePem=true PASSED
SslTransportLayerTest > [3] tlsProtocol=TLSv1.3, useInlinePem=false PASSED
{code}

JDK 11.0.11
{code:java}
./ci/do_in_docker 11.0.11 ./gradlew clients:unitTest --tests 
SslTransportLayerTest.testUnsupportedTLSVersion --rerun-tasks
...
> Task :clients:unitTest
org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(Args)[1]
 failed, log available in 
/home/appuser/kafka/clients/build/reports/testOutput/org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(Args)[1].test.stdout

SslTransportLayerTest > [1] tlsProtocol=TLSv1.2, useInlinePem=false FAILED
    org.opentest4j.AssertionFailedError: Condition not met within timeout 
15000. Metric not updated failed-authentication-total expected:<1.0> but 
was:<0.0> ==> expected: <true> but was: <false>
        at org.junit.jupiter.api.AssertionUtils.fail(AssertionUtils.java:55)
        at org.junit.jupiter.api.AssertTrue.assertTrue(AssertTrue.java:40)
        at org.junit.jupiter.api.Assertions.assertTrue(Assertions.java:193)
        at 
org.apache.kafka.test.TestUtils.lambda$waitForCondition$3(TestUtils.java:303)
        at 
org.apache.kafka.test.TestUtils.retryOnExceptionWithTimeout(TestUtils.java:351)
        at 
org.apache.kafka.test.TestUtils.retryOnExceptionWithTimeout(TestUtils.java:319)
        at org.apache.kafka.test.TestUtils.waitForCondition(TestUtils.java:300)
        at 
org.apache.kafka.common.network.NioEchoServer.waitForMetrics(NioEchoServer.java:196)
        at 
org.apache.kafka.common.network.NioEchoServer.verifyAuthenticationMetrics(NioEchoServer.java:155)
        at 
org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(SslTransportLayerTest.java:644)
org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(Args)[2]
 failed, log available in 
/home/appuser/kafka/clients/build/reports/testOutput/org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(Args)[2].test.stdout

SslTransportLayerTest > [2] tlsProtocol=TLSv1.2, useInlinePem=true FAILED
    org.opentest4j.AssertionFailedError: Condition not met within timeout 
15000. Metric not updated failed-authentication-total expected:<1.0> but 
was:<0.0> ==> expected: <true> but was: <false>
        at org.junit.jupiter.api.AssertionUtils.fail(AssertionUtils.java:55)
        at org.junit.jupiter.api.AssertTrue.assertTrue(AssertTrue.java:40)
        at org.junit.jupiter.api.Assertions.assertTrue(Assertions.java:193)
        at 
org.apache.kafka.test.TestUtils.lambda$waitForCondition$3(TestUtils.java:303)
        at 
org.apache.kafka.test.TestUtils.retryOnExceptionWithTimeout(TestUtils.java:351)
        at 
org.apache.kafka.test.TestUtils.retryOnExceptionWithTimeout(TestUtils.java:319)
        at org.apache.kafka.test.TestUtils.waitForCondition(TestUtils.java:300)
        at 
org.apache.kafka.common.network.NioEchoServer.waitForMetrics(NioEchoServer.java:196)
        at 
org.apache.kafka.common.network.NioEchoServer.verifyAuthenticationMetrics(NioEchoServer.java:155)
        at 
org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(SslTransportLayerTest.java:644)
org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(Args)[3]
 failed, log available in 
/home/appuser/kafka/clients/build/reports/testOutput/org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(Args)[3].test.stdout

SslTransportLayerTest > [3] tlsProtocol=TLSv1.3, useInlinePem=false FAILED
    org.opentest4j.AssertionFailedError: Condition not met within timeout 
15000. Metric not updated failed-authentication-total expected:<1.0> but 
was:<0.0> ==> expected: <true> but was: <false>
        at org.junit.jupiter.api.AssertionUtils.fail(AssertionUtils.java:55)
        at org.junit.jupiter.api.AssertTrue.assertTrue(AssertTrue.java:40)
        at org.junit.jupiter.api.Assertions.assertTrue(Assertions.java:193)
        at 
org.apache.kafka.test.TestUtils.lambda$waitForCondition$3(TestUtils.java:303)
        at 
org.apache.kafka.test.TestUtils.retryOnExceptionWithTimeout(TestUtils.java:351)
        at 
org.apache.kafka.test.TestUtils.retryOnExceptionWithTimeout(TestUtils.java:319)
        at org.apache.kafka.test.TestUtils.waitForCondition(TestUtils.java:300)
        at 
org.apache.kafka.common.network.NioEchoServer.waitForMetrics(NioEchoServer.java:196)
        at 
org.apache.kafka.common.network.NioEchoServer.verifyAuthenticationMetrics(NioEchoServer.java:155)
        at 
org.apache.kafka.common.network.SslTransportLayerTest.testUnsupportedTLSVersion(SslTransportLayerTest.java:644)

3 tests completed, 3 failed
{code}

To execute tests which require TLSv1.1 support with current JDKs, TLSv1.1 must 
be removed from the `jdk.tls.disabledAlgorithms` security property in the 
`java.security` configuration file.

I also tested this and in this case I could execute the test 
testUnsupportedTlsVersion with the newest version of JDK 11.

I now, this task is about JDK 16, but for me it looks like that also for JDK 16 
the reason is that TLSv1.1 has been disabled by default.

> Fix SslTransportLayerTest.testUnsupportedTlsVersion with JDK 16
> ---------------------------------------------------------------
>
>                 Key: KAFKA-12790
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12790
>             Project: Kafka
>          Issue Type: Sub-task
>            Reporter: Ismael Juma
>            Assignee: Rajini Sivaram
>            Priority: Major
>             Fix For: 3.0.0
>
>
> Details can be found in the PR:
> https://github.com/apache/kafka/pull/10415#issuecomment-808230478



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Comment Edited] (KAFKA-12790) Fix SslTransportLayerTest.testUnsupportedTlsVersion with JDK 16

Reply via email to