Hi Sean and Rajan, thanks for the info.

>See also the March 20 issue at https://www.globalsign.com/en/status. It
>could be related.

We noticed the errors from 10. March - 19. March (no errors afterwards) in our test infrastructure, so the time window matches the time window described here:
https://www.globalsign-media.com/en/incident-report/2020-03-18-singapore-dc .
Most likely it is the issue described in the incident report.

Best regards, Matthias

-----Original Message-----
From: Sean Mullan <sean.mul...@oracle.com>
Sent: Friday, 20 March 2020 18:15
To: Rajan Halade <rajan.hal...@oracle.com>; Baesken, Matthias <matthias.baes...@sap.com>
Cc: security-dev@openjdk.java.net
Subject: Re: security/infra/java/security/cert/CertPathValidator/certification/GlobalSignR6CA.java jtreg test errors

See also the March 20 issue at https://www.globalsign.com/en/status. It could be related.

I would monitor it going forward and see if you have any more issues, and if so we can report it to GlobalSign.

--Sean

On 3/20/20 12:45 PM, Rajan Halade wrote:
> Hi Matthias,
>
> I tried several runs of this test but am not able to reproduce the
> issue. Maybe requests from my tests are routed to a different OCSP
> instance. An OCSP responder instance can return internalError for
> inconsistent internal state.
>
> How frequent is the failure for you if you are still seeing it?
>
> Thanks,
> Rajan
>
>> On Mar 19, 2020, at 4:23 AM, Baesken, Matthias
>> <matthias.baes...@sap.com> wrote:
>>
>> Hello, for a few days we have seen the test
>> security/infra/java/security/cert/CertPathValidator/certification/GlobalSignR6CA.java
>> failing sometimes. The failures are seen not only in jdk/jdk but also
>> in jdk11, that's why we suppose it might be
>> some issue with the infrastructure and/or certificate authority?
>> The errors are like this one (shows up on different OS platforms):
>> ...
>> Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
>> Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US)
>> certpath: X509CertSelector.match: subject DNs don't match
>> java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status
>>     at ValidatePathWithParams.validate(ValidatePathWithParams.java:177)
>>     at GlobalSignR6CA.main(GlobalSignR6CA.java:192)
>>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>>     at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
>>     at java.base/java.lang.Thread.run(Thread.java:834)
>> Caused by: java.security.cert.CertPathValidatorException: OCSP response error: INTERNAL_ERROR
>>     at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
>>     at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:237)
>>     at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:145)
>>     at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:84)
>>     at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
>>     at ValidatePathWithParams.doCertPathValidate(ValidatePathWithParams.java:288)
>>     at ValidatePathWithParams.validate(ValidatePathWithParams.java:142)
>>     ... 7 more
>> Caused by: java.security.cert.CertPathValidatorException: OCSP response error: INTERNAL_ERROR
>>     at java.base/sun.security.provider.certpath.OCSPResponse.verify(OCSPResponse.java:386)
>>     at java.base/sun.security.provider.certpath.OCSP.check(OCSP.java:195)
>>     at java.base/sun.security.provider.certpath.RevocationChecker.checkOCSP(RevocationChecker.java:742)
>>     at java.base/sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:362)
>>     at java.base/sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:336)
>>     at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
>>     ... 13 more
>> Do you notice the issue in your jtreg tests as well?
>> Any hints about this?
>> Thanks, Matthias
>