Posted to dev@tomcat.apache.org by bu...@apache.org on 2016/11/20 20:39:29 UTC
[Bug 60394] New: Unreliable
https://bz.apache.org/bugzilla/show_bug.cgi?id=60394
Bug ID: 60394
Summary: Unreliable
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: 1983-01-06@gmx.net
Target Milestone: ----
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60394] Unreliable 'ant test' on Oracle JDK 7 due to certificate
error
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60394
--- Comment #1 from Michael Osipov <19...@gmx.net> ---
Running 'ant test' on 8.5.x trunk with
> java version "1.7.0_80"
> Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
> Java HotSpot(TM) 64-Bit Server VM (build 24.80-b11, mixed mode)
fails sometimes due to:
> downloadzip:
> [get] Getting: http://downloads.sourceforge.net/easymock/easymock-3.2.zip
> [get] To: C:\Users\mosipov\tomcat-build-libs\download-1532555207.zip
> [get] http://downloads.sourceforge.net/easymock/easymock-3.2.zip permanently moved to http://downloads.sourceforge.net/project/easymock/EasyMock/3.2/easymock-3.2.zip
> [get] http://downloads.sourceforge.net/project/easymock/EasyMock/3.2/easymock-3.2.zip moved to https://freefr.dl.sourceforge.net/project/easymock/EasyMock/3.2/easymock-3.2.zip
> [get] Error getting http://downloads.sourceforge.net/easymock/easymock-3.2.zip to C:\Users\mosipov\tomcat-build-libs\download-1532555207.zip
>
> BUILD FAILED
> D:\Entwicklung\Projekte\tomcat-8.5.x\build.xml:2630: The following error occurred while executing this line:
> D:\Entwicklung\Projekte\tomcat-8.5.x\build.xml:2746: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
> at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
> at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
> at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
> at org.apache.tools.ant.taskdefs.Get$GetThread.openConnection(Get.java:728)
> at org.apache.tools.ant.taskdefs.Get$GetThread.openConnection(Get.java:748)
> at org.apache.tools.ant.taskdefs.Get$GetThread.openConnection(Get.java:748)
> at org.apache.tools.ant.taskdefs.Get$GetThread.get(Get.java:641)
> at org.apache.tools.ant.taskdefs.Get$GetThread.run(Get.java:631)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> at sun.security.validator.Validator.validate(Validator.java:260)
> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
> ... 15 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
> ... 21 more
>
This happens for all artifacts downloaded from the assigned SF.net mirror. The
issue is:
> $ curl -I --verbose https://freefr.dl.sourceforge.net/project/cglib/cglib2/2.2.3/cglib-nodep-2.2.3.jar
>
> * Connected to freefr.dl.sourceforge.net (88.191.250.136) port 443 (#0)
> ...
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> { [16 bytes data]
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * ALPN, server accepted to use http/1.1
> * Server certificate:
> * subject: CN=freefr.dl.sourceforge.net
> * start date: Oct 31 19:27:00 2016 GMT
> * expire date: Jan 29 19:27:00 2017 GMT
> * subjectAltName: host "freefr.dl.sourceforge.net" matched cert's "freefr.dl.sourceforge.net"
> * issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
> * SSL certificate verify ok.
> } [5 bytes data]
>
This CA is not available in the last public Java 7 release by Oracle. Only paid
releases were updated: https://bugs.openjdk.java.net/browse/JDK-8154757
The alternative is to solely rely on Maven Central which works with Java 7 too.
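An added diagnostic, not part of the bug report or the Tomcat build: it reports whether the running JRE's default trust anchors include a given CA, which is the condition behind the "PKIX path building failed" error in comment #1. The class name and the default root names are assumptions that do not come from the thread; pass the CA names you need as arguments.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic, not part of the Tomcat build. Java 7 syntax and APIs only,
// so it can be compiled and run on the JDK whose build fails.
public class TrustAnchorCheck {

    // Trust anchors JSSE uses by default, i.e. what Ant's <get> validated against.
    static X509Certificate[] defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the JRE's default truststore (cacerts)
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    // Prints every anchor whose subject DN contains the fragment; returns the match count.
    static int report(X509Certificate[] anchors, String fragment) {
        int hits = 0;
        for (X509Certificate c : anchors) {
            String dn = c.getSubjectX500Principal().getName();
            if (!dn.toLowerCase().contains(fragment.toLowerCase())) continue;
            String state = "valid";
            try { c.checkValidity(); } catch (CertificateException e) { state = "outside validity period"; }
            System.out.println("PRESENT  " + dn + " notAfter=" + c.getNotAfter() + " (" + state + ")");
            hits++;
        }
        if (hits == 0) System.out.println("MISSING  " + fragment);
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults, not named in the thread: the roots Let's Encrypt chains end in.
        String[] wanted = args.length > 0 ? args : new String[] {"DST Root CA X3", "ISRG Root X1"};
        X509Certificate[] anchors = defaultAnchors();
        System.out.println("java.version=" + System.getProperty("java.version")
            + " anchors=" + anchors.length);
        for (String name : wanted) report(anchors, name);
    }
}
```

Run it with the same JDK that Ant uses; a MISSING line for the root that anchors the mirror's chain means any HTTPS download from that mirror will fail certificate validation on that JDK.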
[Bug 60394] Unreliable 'ant test' on Oracle JDK 7 due to certificate
error
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60394
Mark Thomas <ma...@apache.org> changed:
What       |Removed |Added
----------------------------------------------------------------------------
Resolution |---     |WONTFIX
Status     |NEW     |RESOLVED
--- Comment #2 from Mark Thomas <ma...@apache.org> ---
This is going to become increasingly problematic given the long lifetime of a
Tomcat release compared to the lifetime of public Java releases. The pace of
change of what is considered a minimal acceptable TLS configuration is also
likely to cause problems.
Users building locally can use a newer JDK. If they want to build using an
older JDK because that is the version they are using in production then the
expectation is that they use a supported JDK which should include any necessary
updates.
Release managers can work-around this by downloading manually or specifying a
specific mirror.
If we start to see issues with the CI system then we can use the same options
as the release managers.
At this point, I don't think we should start switching mirrors because people
want to build with unsupported software. If the problem becomes more
significant, we can re-evaluate.
[Bug 60394] Unreliable 'ant test' on Oracle JDK 7 due to certificate
error
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60394
--- Comment #3 from Emmanuel Bourg <eb...@apache.org> ---
It should be possible to work around this issue by running once the build with
the latest version of Java 8 containing the Let's Encrypt root certificate to
download the build dependencies, and then build with Java 7.
Alternatively, the Tomcat build could probably use the Maven Ant tasks to fetch
the dependencies from Maven Central instead of the SourceForge mirrors.
[Bug 60394] Unreliable 'ant test' on Oracle JDK 7 due to certificate
error
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60394
--- Comment #5 from Michael Osipov <19...@gmx.net> ---
(In reply to Mark Thomas from comment #2)
> This is going to become increasingly problematic given the long lifetime of
> a Tomcat release compared to the lifetime of public Java releases. The pace
> of change of what is considered a minimal acceptable TLS configuration is
> also likely to cause problems.
>
> Users building locally can use a newer JDK. If they want to build using an
> older JDK because that is the version they are using in production then the
> expectation is that they use a supported JDK which should include any
> necessary updates.
>
> Release managers can work-around this by downloading manually or specifying
> a specific mirror.
>
> If we start to see issues with the CI system then we can use the same
> options as the release managers.
>
> At this point, I don't think we should start switching mirrors because
> people want to build with unsupported software. If the problem becomes more
> significant, we can re-evaluate.
I don't expect a bullet-proof fix.
I do use Java 8, but wanted simply to indicate that this may be an issue to
others. It should be at least documented on BUILDING.txt.
[Bug 60394] Unreliable 'ant test' on Oracle JDK 7 due to certificate
error
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60394
--- Comment #4 from Michael Osipov <19...@gmx.net> ---
(In reply to Emmanuel Bourg from comment #3)
> It should be possible to work around this issue by running once the build
> with the latest version of Java 8 containing the Let's Encrypt root
> certificate to download the build dependencies, and then build with Java 7.
>
> Alternatively, the Tomcat build could probably use the Maven Ant tasks to
> fetch the dependencies from Maven Central instead of the SourceForge mirrors.
I expect an ASF project to download artifacts from our source only: Maven
Central. This is proved to work and we have good contact to Sonatype for this.
The Maven Ant Tasks have been deprecated a long time ago by us (the Maven team).
They are dead. I strongly recommend using Aether Ant Tasks which will be soon
at the ASF as Maven Resolver Ant Tasks.
[Bug 60394] Unreliable 'ant test' on Oracle JDK 7 due to certificate
error
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60394
Michael Osipov <19...@gmx.net> changed:
What    |Removed    |Added
----------------------------------------------------------------------------
Summary |Unreliable |Unreliable 'ant test' on Oracle JDK 7 due to certificate error