Posted to dev@commons.apache.org by sebb <se...@gmail.com> on 2021/07/26 12:42:27 UTC

[NET] FTPSClientTest fails on AdoptOpenJDK 8 & 11

As the subject says: FTPSClientTest fails with

javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol
is disabled or cipher suites are inappropriate)

when run with AdoptOpenJDK 8 & 11.
However, it works fine with the Oracle version of Java 8 & 11.

@Gary Gregory : I think you wrote the code -- any idea how to fix it
for AdoptOpenJDK?

Sebb

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Re: [NET] FTPSClientTest fails on AdoptOpenJDK 8 & 11

Posted by Gary Gregory <ga...@gmail.com>.
The test still fails on Java 16. See my latest commit, which does not fix it
but at least creates current keystores for Java 8 and 16 using the current
keystore format instead of the old deprecated JKS format.

Gary

On Mon, Jul 26, 2021, 19:18 sebb <se...@gmail.com> wrote:

> On Mon, 26 Jul 2021 at 17:43, Bernd <ec...@zusammenkunft.net> wrote:
> >
> > Hello,
> >
> > > The test code appears to select TLSV1.2.
> >
> > https://github.com/apache/commons-net/blob/fd06a81fd4ea3ace33d397935c76a4e014088fa2/src/test/java/org/apache/commons/net/ftp/FTPSClientTest.java#L103
> >
> > the test code seems to limit the client to TLS1 only. Not sure why it does
> > that, if we remove it, it should probably run with most sane JDKs.
> >
>
> Well spotted. That appears to have been the problem.
>

Re: [NET] FTPSClientTest fails on AdoptOpenJDK 8 & 11

Posted by sebb <se...@gmail.com>.
On Mon, 26 Jul 2021 at 17:43, Bernd <ec...@zusammenkunft.net> wrote:
>
> Hello,
>
>
> > The test code appears to select TLSV1.2.
>
>
> https://github.com/apache/commons-net/blob/fd06a81fd4ea3ace33d397935c76a4e014088fa2/src/test/java/org/apache/commons/net/ftp/FTPSClientTest.java#L103
>
>
> the test code seems to limit the client to TLS1 only. Not sure why it does
> that, if we remove it, it should probably run with most sane JDKs.
>

Well spotted. That appears to have been the problem.


Re: [NET] FTPSClientTest fails on AdoptOpenJDK 8 & 11

Posted by Bernd <ec...@zusammenkunft.net>.
Hello,


> The test code appears to select TLSV1.2.


https://github.com/apache/commons-net/blob/fd06a81fd4ea3ace33d397935c76a4e014088fa2/src/test/java/org/apache/commons/net/ftp/FTPSClientTest.java#L103


The test code seems to limit the client to TLS1 only. Not sure why it does
that; if we remove it, it should probably run with most sane JDKs.



Regards

Bernd

-- 

https://bernd.eckenfels.net




Re: [NET] FTPSClientTest fails on AdoptOpenJDK 8 & 11

Posted by sebb <se...@gmail.com>.
On Mon, 26 Jul 2021 at 15:18, Bernd Eckenfels <ec...@zusammenkunft.net> wrote:
>
> You can enable the protocols (see link below) in the Java.security policy file, but in the long run it’s best to mainly test supported algorithms, maybe by conditionally checking it only if available, then a manual modified test environment can use the compatibility tests,

I have compared the java.security files between Oracle 8 and AdoptOpenJDK 8.
The latter includes the following:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, ...

However Oracle does not list TLSv1 and TLSv1.1.
I tried dropping these two from the AdoptOpenJDK version, and that
allowed the test to complete OK.
However that is not a feasible approach in general.

I have no idea why one of the disabled algorithms is being used.
The test code appears to select TLSV1.2.
How does one choose a supported algo?

> (Btw I don’t think that Oracle behaves better, it is just not tested with the commercially supported latest Oracle versions I suspect). The Crypto roadmap states tls1 for example is disabled since April in Oracle 8u291.
>
> https://java.com/en/jre-jdk-cryptoroadmap.html

Re: [NET] FTPSClientTest fails on AdoptOpenJDK 8 & 11

Posted by Bernd Eckenfels <ec...@zusammenkunft.net>.
You can enable the protocols (see link below) in the java.security policy file, but in the long run it’s best to mainly test supported algorithms, maybe by conditionally checking it only if available, then a manually modified test environment can use the compatibility tests.

(Btw I don’t think that Oracle behaves better, it is just not tested with the commercially supported latest Oracle versions I suspect). The Crypto roadmap states tls1 for example is disabled since April in Oracle 8u291.

https://java.com/en/jre-jdk-cryptoroadmap.html

Regards
Bernd


--
http://bernd.eckenfels.net
________________________________
From: Gary Gregory <ga...@gmail.com>
Sent: Monday, July 26, 2021 2:57:35 PM
To: sebb <se...@gmail.com>
Cc: CommonsDev <de...@commons.apache.org>
Subject: Re: [NET] FTPSClientTest fails on AdoptOpenJDK 8 & 11

Hm, there might be some system property to set that says "use this old and
now deprecated algorithm" or we might have to recreate any certificates
used in tests with a current JDK 8.

Gary


On Mon, Jul 26, 2021, 08:42 sebb <se...@gmail.com> wrote:

> As the subject says: FTPSClientTest fails with
>
> javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol
> is disabled or cipher suites are inappropriate)
>
> when run with AdoptOpenJDK 8 & 11
> However it works fine with the Oracle version of Java 8 & 11
>
> @Gary Gregory : I think you wrote the code -- any idea how to fix it
> for AdoptOpenJDK?
>
> Sebb
>
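
Added example (not part of the thread and not Commons Net code): one way to do the conditional check suggested in the message above, using standard JSSE and java.security calls. A protocol named in jdk.tls.disabledAlgorithms may still be reported as supported by the provider, so the sketch checks both; the class and method names are hypothetical.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

/** Hypothetical helper: decide whether a test pinned to one TLS version can run on this JVM. */
public class TlsProtocolProbe {

    /** Entries of jdk.tls.disabledAlgorithms from the active java.security policy. */
    static Set<String> disabledAlgorithms() {
        Set<String> out = new LinkedHashSet<>();
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (prop != null) {
            for (String entry : prop.split(",")) {
                if (!entry.trim().isEmpty()) {
                    out.add(entry.trim());
                }
            }
        }
        return out;
    }

    /** Protocols the provider implements, whether or not policy allows them. */
    static Set<String> supportedProtocols() throws Exception {
        return new LinkedHashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
    }

    /** Protocols a client socket negotiates when the code pins nothing. */
    static Set<String> defaultProtocols() throws Exception {
        return new LinkedHashSet<>(Arrays.asList(
                SSLContext.getDefault().getDefaultSSLParameters().getProtocols()));
    }

    /** True only if the protocol is implemented and not disabled by policy. */
    static boolean isUsable(String protocol) throws Exception {
        return supportedProtocols().contains(protocol)
                && !disabledAlgorithms().contains(protocol);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jdk.tls.disabledAlgorithms = " + disabledAlgorithms());
        System.out.println("client defaults            = " + defaultProtocols());
        for (String p : new String[] {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}) {
            // Pinning a protocol reported as "skip" is what produces the
            // "No appropriate protocol" SSLHandshakeException quoted in this thread.
            System.out.println(p + " -> " + (isUsable(p) ? "run test" : "skip test"));
        }
    }
}
```

A test harness can pass the result of isUsable to its skip mechanism (for example a JUnit assumption) so that legacy-protocol tests only run on a JVM whose policy was deliberately relaxed.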

Re: [NET] FTPSClientTest fails on AdoptOpenJDK 8 & 11

Posted by Gary Gregory <ga...@gmail.com>.
Hm, there might be some system property to set that says "use this old and
now deprecated algorithm" or we might have to recreate any certificates
used in tests with a current JDK 8.

Gary


On Mon, Jul 26, 2021, 08:42 sebb <se...@gmail.com> wrote:

> As the subject says: FTPSClientTest fails with
>
> javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol
> is disabled or cipher suites are inappropriate)
>
> when run with AdoptOpenJDK 8 & 11
> However it works fine with the Oracle version of Java 8 & 11
>
> @Gary Gregory : I think you wrote the code -- any idea how to fix it
> for AdoptOpenJDK?
>
> Sebb
>