Posted to issues@activemq.apache.org by "Domenico Francesco Bruscino (Jira)" <ji...@apache.org> on 2021/08/03 17:27:00 UTC

[jira] [Commented] (ARTEMIS-3185) Various TLS tests fail on newer JDKs/environments

    [ https://issues.apache.org/jira/browse/ARTEMIS-3185?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17392438#comment-17392438 ] 

Domenico Francesco Bruscino commented on ARTEMIS-3185:
------------------------------------------------------

The [#3667|https://github.com/apache/activemq-artemis/pull/3667] PR for ARTEMIS-3367 should fix this issue too.

> Various TLS tests fail on newer JDKs/environments
> -------------------------------------------------
>
>                 Key: ARTEMIS-3185
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3185
>             Project: ActiveMQ Artemis
>          Issue Type: Test
>          Components: Tests
>    Affects Versions: 2.17.0
>            Reporter: Robbie Gemmell
>            Priority: Major
>
> Various broker integration tests fail after I updated to Fedora 33, seemingly on all JDK versions but certainly with 8u275 and above, with the failing tests all being TLS related. For example, AMQPConnectSaslTest, JMSSaslExternalTest, JMSSaslExternalLDAPTest failed, though there are others.
> Specifically, the related keystore for those tests looks to be keystore1.jks under tests/integration-tests/src/test/resources (though possibly other files in there and related tests could be affected or need updated also). The key contained uses SHA1withRSA for the signature, which keytool notes is disabled and so that is presumably the problem:
> {noformat}
> $ keytool -keystore keystore1.jks -storepass changeit -list -v
> ...snipped...
> Signature algorithm name: SHA1withRSA (disabled)
> ...snipped...
> <keystore1> uses the SHA1withRSA signature algorithm which is considered a security risk and is disabled.
> {noformat}
> I'm not clear how the file was generated and don't see the CA key used to sign it and which matches up to the truststore.jks file (it uses SHA256withRSA sig and so should be fine if the key were updated in isolation). If someone who knows the process used could update the key that would be great.
> A suggestion I would make is to create a script that creates the files, both so it can be seen later what was done, and more easily repeated and/or updated when needed. For example, we do this with the [Qpid JMS tests resources|https://github.com/apache/qpid-jms/blob/main/qpid-jms-client/src/test/resources/README.txt], which I adapted for creating the ['broker-connections' TLS example|https://github.com/apache/activemq-artemis/blob/master/examples/features/broker-connection/amqp-sending-overssl/store-generation.txt] resources when I was updating that.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
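
Added example, not part of the original message or of the Artemis code base: a shell check that reads `keytool -list -v` output and reports every alias whose certificate signature algorithm keytool marks "(disabled)", as in the listing quoted in the issue. The function names, the sample listing and the extra SHA1/MD5/MD2 name match are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find keystore entries signed with a disabled or legacy digest.

# Read `keytool -list -v` output on stdin and print "alias<TAB>algorithm"
# for each certificate whose signature algorithm is flagged "(disabled)"
# or (assumption of this example) is named SHA1with*, MD5with* or MD2with*.
weak_sig_entries() {
  awk '
    /^Alias name: / { alias = substr($0, 13) }
    /^Signature algorithm name: / {
      alg = substr($0, 27)
      if (alg ~ /\(disabled\)/ || alg ~ /^(SHA1|MD5|MD2)with/) {
        sub(/ *\(.*\)$/, "", alg)            # drop the "(disabled)" suffix
        printf "%s\t%s\n", (alias == "" ? "?" : alias), alg
      }
    }'
}

# Usage: scan_keystores STOREPASS FILE...
# Prints "file<TAB>alias<TAB>algorithm" and returns 1 if anything was found.
scan_keystores() {
  pass=$1; shift
  rc=0
  for ks in "$@"; do
    found=$(keytool -keystore "$ks" -storepass "$pass" -list -v 2>/dev/null |
            weak_sig_entries)
    if [ -n "$found" ]; then
      printf '%s\n' "$found" | while IFS= read -r line; do
        printf '%s\t%s\n' "$ks" "$line"
      done
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample of keytool output (not taken from keystore1.jks).
sample_listing() {
  cat <<'EOF'
Alias name: server
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=server.example
Signature algorithm name: SHA1withRSA (disabled)
Alias name: ca
Entry type: trustedCertEntry
Owner: CN=ca.example
Signature algorithm name: SHA256withRSA
EOF
}

# Run against real files only when a password and at least one file are given.
if [ "$#" -ge 2 ]; then scan_keystores "$@"; fi
```

Run over the `.jks` files in a test resources directory, a non-zero exit status lets a build step fail before the TLS tests do.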