Posted to dev@tomcat.apache.org by Igal Sapir <is...@apache.org> on 2018/10/02 05:58:20 UTC

SSL Unit Tests Failing

When trying to run the unit test cases with `ant clean test` on the current
trunk [1] I am getting two (per connector) failures:

    org.apache.tomcat.util.net.openssl.ciphers.TestCipher FAILED [2]

    org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser FAILED [3]

    Server version: Apache Tomcat/9.0.13-dev
    Server built:   Oct 2 2018 05:24:55 UTC
    Server number:  9.0.13.0
    OS Name:        Linux
    OS Version:     4.18.9-200.fc28.x86_64
    Architecture:   amd64
    JVM Version:    1.8.0_181-b13
    JVM Vendor:     Oracle Corporation

Am I missing something?  Other than the obvious "missing ciphers", that is.

Thanks,

Igal

[1] git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1842498
13f79535-47bb-0310-9956-ffa450edef68

[2] Testsuite: org.apache.tomcat.util.net.openssl.ciphers.TestCipher
Tests run: 3, Failures: 2, Errors: 0, Skipped: 0, Time elapsed: 0.697 sec

Testcase: testNames took 0.168 sec
Testcase: testAllOpenSSLCiphersMapped took 0.361 sec
    FAILED
No mapping found in IBM's JSSE implementation for
ECDHE-PSK-3DES-EDE-CBC-SHA+TLSv1 when one was expected

junit.framework.AssertionFailedError: No mapping found in IBM's JSSE
implementation for ECDHE-PSK-3DES-EDE-CBC-SHA+TLSv1 when one was expected

    at
org.apache.tomcat.util.net.openssl.ciphers.TestCipher.testAllOpenSSLCiphersMapped(TestCipher.java:66)

Testcase: testOpenSSLCipherAvailability took 0.06 sec
    FAILED
ECDHE-ARIA128-GCM-SHA256+TLSv1.2 DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2
DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2 ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2
ARIA256-GCM-SHA384+TLSv1.2 ECDHE-ARIA256-GCM-SHA384+TLSv1.2
DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2 RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2
ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2 ARIA128-GCM-SHA256+TLSv1.2
DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2 RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2
DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2 PSK-ARIA256-GCM-SHA384+TLSv1.2
DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2 PSK-ARIA128-GCM-SHA256+TLSv1.2
expected:<0> but was:<16>
junit.framework.AssertionFailedError: ECDHE-ARIA128-GCM-SHA256+TLSv1.2
DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2 DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2
ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2 ARIA256-GCM-SHA384+TLSv1.2
ECDHE-ARIA256-GCM-SHA384+TLSv1.2 DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2
RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2 ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2
ARIA128-GCM-SHA256+TLSv1.2 DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2
RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2 DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2
PSK-ARIA256-GCM-SHA384+TLSv1.2 DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2
PSK-ARIA128-GCM-SHA256+TLSv1.2  expected:<0> but was:<16>
    at
org.apache.tomcat.util.net.openssl.ciphers.TestCipher.testOpenSSLCipherAvailability(TestCipher.java:100)

[3] Testsuite:
org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser
Tests run: 86, Failures: 40, Errors: 0, Skipped: 1, Time elapsed: 5.473 sec
------------- Standard Error -----------------
Error in cipher list
140015003477824:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:ssl/ssl_lib.c:2193:

Error in cipher list
140182557382464:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:ssl/ssl_lib.c:2193:

Error in cipher list
140372866819904:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:ssl/ssl_lib.c:2193:

Error in cipher list
139680405661504:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:ssl/ssl_lib.c:2193:

Error in cipher list
140699554305856:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:ssl/ssl_lib.c:2193:

Error in cipher list
139897177433920:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:ssl/ssl_lib.c:2193:

Error in cipher list
139891985295168:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:ssl/ssl_lib.c:2193:

Error in cipher list
140442752255808:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:ssl/ssl_lib.c:2193:

Error in cipher list
139855064180544:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:ssl/ssl_lib.c:2193:

Error in cipher list
140598129956672:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:ssl/ssl_lib.c:2193:

Error in cipher list
139768227612480:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:ssl/ssl_lib.c:2193:

Error in cipher list
139839666202432:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:ssl/ssl_lib.c:2193:

Error in cipher list
140216997062464:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:ssl/ssl_lib.c:2193:

Error in cipher list
140194450589504:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:ssl/ssl_lib.c:2193:

Error in cipher list
140636605155136:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher match:ssl/ssl_lib.c:2193:

<snip/>

Testcase: testARIA128 took 0.535 sec
    FAILED
Expected 8 ciphers but got 0 for the specification 'ARIA128'
expected:<[TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256,
TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256, TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, TLS_PSK_WITH_ARIA_128_GCM_SHA256,
TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256, TLS_RSA_WITH_ARIA_128_GCM_SHA256]>
but was:<[]>
junit.framework.AssertionFailedError: Expected 8 ciphers but got 0 for the
specification 'ARIA128' expected:<[TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256,
TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256, TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, TLS_PSK_WITH_ARIA_128_GCM_SHA256,
TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256, TLS_RSA_WITH_ARIA_128_GCM_SHA256]>
but was:<[]>
    at
org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testSpecification(TestOpenSSLCipherConfigurationParser.java:588)
    at
org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testARIA128(TestOpenSSLCipherConfigurationParser.java:541)

Testcase: testARIA256 took 0.063 sec
    FAILED
Expected 8 ciphers but got 0 for the specification 'ARIA256'
expected:<[TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384,
TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384, TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, TLS_PSK_WITH_ARIA_256_GCM_SHA384,
TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384, TLS_RSA_WITH_ARIA_256_GCM_SHA384]>
but was:<[]>
junit.framework.AssertionFailedError: Expected 8 ciphers but got 0 for the
specification 'ARIA256' expected:<[TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384,
TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384, TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, TLS_PSK_WITH_ARIA_256_GCM_SHA384,
TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384, TLS_RSA_WITH_ARIA_256_GCM_SHA384]>
but was:<[]>
    at
org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testSpecification(TestOpenSSLCipherConfigurationParser.java:588)
    at
org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testARIA256(TestOpenSSLCipherConfigurationParser.java:547)

Testcase: testkECDHE took 0.068 sec
    FAILED
Expected 31 ciphers but got 30 for the specification 'kECDHE'
expected:<[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
TLS_ECDH_anon_WITH_NULL_SHA]> but
was:<[TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_NULL_SHA]>
junit.framework.AssertionFailedError: Expected 31 ciphers but got 30 for
the specification 'kECDHE' expected:<[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
TLS_ECDH_anon_WITH_NULL_SHA]> but
was:<[TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_NULL_SHA]>
    at
org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testSpecification(TestOpenSSLCipherConfigurationParser.java:588)
    at
org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testkECDHE(TestOpenSSLCipherConfigurationParser.java:202)

Testcase: testkECDHe took 0.072 sec
Testcase: testkECDHr took 0.036 sec
Testcase: testkEECDH took 0.057 sec
    FAILED
Expected 31 ciphers but got 30 for the specification 'kEECDH'
expected:<[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
TLS_ECDH_anon_WITH_NULL_SHA]> but
was:<[TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_NULL_SHA]>
junit.framework.AssertionFailedError: Expected 31 ciphers but got 30 for
the specification 'kEECDH' expected:<[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
TLS_ECDH_anon_WITH_NULL_SHA]> but
was:<[TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_NULL_SHA]>
    at
org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testSpecification(TestOpenSSLCipherConfigurationParser.java:588)
    at
org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testkEECDH(TestOpenSSLCipherConfigurationParser.java:190)

Testcase: testGOST89MAC took 0.06 sec
Testcase: testCHACHA20 took 0.061 sec
Testcase: testADH took 0.033 sec
    FAILED
Expected 11 ciphers but got 13 for the specification 'ADH'
expected:<[TLS_DH_anon_WITH_AES_128_CBC_SHA,
TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_128_GCM_SHA256,
TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA256,
TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256,
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256, TLS_DH_anon_WITH_SEED_CBC_SHA]>
but was:<[SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA,
TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_128_GCM_SHA256,
TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA256,
TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256,
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256, TLS_DH_anon_WITH_SEED_CBC_SHA]>
junit.framework.AssertionFailedError: Expected 11 ciphers but got 13 for
the specification 'ADH' expected:<[TLS_DH_anon_WITH_AES_128_CBC_SHA,
TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_128_GCM_SHA256,
TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA256,
TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256,
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256, TLS_DH_anon_WITH_SEED_CBC_SHA]>
but was:<[SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA,
TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_128_GCM_SHA256,
TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA256,
TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256,
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256, TLS_DH_anon_WITH_SEED_CBC_SHA]>
    at
org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testSpecification(TestOpenSSLCipherConfigurationParser.java:588)
    at
org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testADH(TestOpenSSLCipherConfigurationParser.java:325)

<snip/>

SSL Unit Tests Failing

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Igal,

On 10/2/18 01:58, Igal Sapir wrote:
> When trying to run the unit test cases with `ant clean test` on the
> current trunk [1] I am getting two (per connector) failures:
> 
> org.apache.tomcat.util.net.openssl.ciphers.TestCipher FAILED [2]
> 
> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser
> FAILED [3]
> 
> Server version: Apache Tomcat/9.0.13-dev
> Server built:   Oct 2 2018 05:24:55 UTC
> Server number:  9.0.13.0
> OS Name:        Linux
> OS Version:     4.18.9-200.fc28.x86_64
> Architecture:   amd64
> JVM Version:    1.8.0_181-b13
> JVM Vendor:     Oracle Corporation
> 
> Am I missing something?  Other than the obvious "missing ciphers",
> that is.

AIUI, you need to have the perfect match of JRE/JSSE and OpenSSL
versions in order to have this test work, because it tests all cipher
suites that have been configured in the test-case(s).

Some of those are the super-new ones that might not be supported by your
local version of OpenSSL.

Some of them may be cipher-suites that have been compiled-out of OpenSSL
in recent builds. You may want to take a look at the list of cipher
suites that are failing and then ask openssl if they are supported (e.g.
"openssl ciphers 'ALL'").

The same is true for the "IBM cipher suites" which all have different
names for some reason. OpenSSL and JSSE already disagree about the names
of cipher suites, and IBM had to go their own way, too. If you don't
have an IBM JRE then you won't be able to test those suites.

Let's take an example from OpenSSL where your tests are failing:

> Testcase: testOpenSSLCipherAvailability took 0.06 sec FAILED 
> ECDHE-ARIA128-GCM-SHA256+TLSv1.2
> DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2 
> DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2 ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ARIA256-GCM-SHA384+TLSv1.2 DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2
> RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2 
> ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2 ARIA128-GCM-SHA256+TLSv1.2 
> DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2
> RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2 
> DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2 PSK-ARIA256-GCM-SHA384+TLSv1.2 
> DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2 PSK-ARIA128-GCM-SHA256+TLSv1.2 
> expected:<0> but was:<16>

Without looking at the code, I suspect that the test was intended to
select certain ciphers with some attribute. The test case expects zero
cipher suites to be available, but your environment provides 16 matching
cipher suites.

If I run my local LibreSSL 2.2.7 "openssl ciphers -v 'ALL' | grep ARIA"
I get no output, but when I use OpenSSL 1.1.1, I get this output:

> ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
> ECDHE-ARIA256-GCM-SHA384       TLSv1.2 Kx=ECDH     Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> DHE-DSS-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH       Au=DSS   Enc=ARIAGCM(256) Mac=AEAD
> DHE-RSA-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH       Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
> ECDHE-ARIA128-GCM-SHA256       TLSv1.2 Kx=ECDH     Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> DHE-DSS-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH       Au=DSS   Enc=ARIAGCM(128) Mac=AEAD
> DHE-RSA-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH       Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> RSA-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> DHE-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
> ARIA256-GCM-SHA384             TLSv1.2 Kx=RSA      Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> PSK-ARIA256-GCM-SHA384         TLSv1.2 Kx=PSK      Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
> RSA-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> DHE-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=ARIAGCM(128) Mac=AEAD
> ARIA128-GCM-SHA256             TLSv1.2 Kx=RSA      Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> PSK-ARIA128-GCM-SHA256         TLSv1.2 Kx=PSK      Au=PSK   Enc=ARIAGCM(128) Mac=AEAD

There are 16 items in that list. Perhaps you are using the latest
OpenSSL but the test isn't prepared for them.

I think it's "okay" that this test is failing for you, but it's probably
worth looking into why it's happening and trying to alter the test to
cope with that situation.

Remember that OpenSSL 1.1.1 is very fresh so the unit tests might not
have caught-up with what's in there, yet.

But this is weird:

> Testcase: testARIA128 took 0.535 sec FAILED Expected 8 ciphers but
> got 0 for the specification 'ARIA128' expected:

Above, you have ARIA ciphers available, but in this test, it does not
find them.

I guess it's time to dive into the cipher-suite-matching code in those
tests to see what's going on, Igal :)

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
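
The check suggested in the reply above, as an added example (not part of the original message or of Tomcat's test code): it compares the cipher names from the `testOpenSSLCipherAvailability` failure with an `openssl ciphers -v` listing. The function names are hypothetical, and reading the `+TLSv1.2` suffix as the protocol is an assumption based on the test output; both inputs are copied from the thread and embedded so the script runs offline.

```python
from collections import Counter

# Names copied from the testOpenSSLCipherAvailability failure in this thread.
FAILING = """
ECDHE-ARIA128-GCM-SHA256+TLSv1.2 DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2
DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2 ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2
ARIA256-GCM-SHA384+TLSv1.2 ECDHE-ARIA256-GCM-SHA384+TLSv1.2
DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2 RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2
ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2 ARIA128-GCM-SHA256+TLSv1.2
DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2 RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2
DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2 PSK-ARIA256-GCM-SHA384+TLSv1.2
DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2 PSK-ARIA128-GCM-SHA256+TLSv1.2
"""

# `openssl ciphers -v 'ALL' | grep ARIA` output for OpenSSL 1.1.1 as quoted in
# the reply, one suite per line. On a live system, capture the command output.
OPENSSL_111 = """
ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIAGCM(256) Mac=AEAD
DHE-DSS-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=ARIAGCM(256) Mac=AEAD
DHE-RSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
ECDHE-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIAGCM(128) Mac=AEAD
DHE-DSS-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=ARIAGCM(128) Mac=AEAD
DHE-RSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=ARIAGCM(128) Mac=AEAD
RSA-PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=RSAPSK Au=RSA Enc=ARIAGCM(256) Mac=AEAD
DHE-PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=ARIAGCM(256) Mac=AEAD
ARIA256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=ARIAGCM(256) Mac=AEAD
PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=ARIAGCM(256) Mac=AEAD
RSA-PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=ARIAGCM(128) Mac=AEAD
DHE-PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=ARIAGCM(128) Mac=AEAD
ARIA128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=ARIAGCM(128) Mac=AEAD
PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=ARIAGCM(128) Mac=AEAD
"""

# The reply reports that the same grep on LibreSSL 2.2.7 prints nothing.
LIBRESSL_227 = ""


def parse_failure_names(text):
    """Split NAME+PROTOCOL tokens from the JUnit message into (name, protocol)."""
    pairs = set()
    for token in text.split():
        name, sep, protocol = token.partition("+")
        if not sep or not name or not protocol:
            raise ValueError("unexpected token in failure message: %r" % token)
        pairs.add((name, protocol))
    return pairs


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into {(name, protocol): {attr: value}}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or malformed line
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        table[(fields[0], fields[1])] = attrs
    return table


def cross_check(failing_text, listing_text):
    """Return (supported, missing, extra) as sorted lists of (name, protocol)."""
    wanted = parse_failure_names(failing_text)
    have = set(parse_ciphers_v(listing_text))
    return sorted(wanted & have), sorted(wanted - have), sorted(have - wanted)


def count_by_enc(listing_text):
    """Count listed suites per Enc= value, e.g. to compare with 'Expected 8'."""
    return dict(Counter(a.get("Enc", "?") for a in parse_ciphers_v(listing_text).values()))


if __name__ == "__main__":
    for label, listing in (("OpenSSL 1.1.1", OPENSSL_111), ("LibreSSL 2.2.7", LIBRESSL_227)):
        supported, missing, extra = cross_check(FAILING, listing)
        print("%s: %d supported, %d missing, %d extra"
              % (label, len(supported), len(missing), len(extra)))
    print(count_by_enc(OPENSSL_111))
```
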


Re: SSL Unit Tests Failing

Posted by Igal Sapir <is...@apache.org>.
On 10/4/2018 11:34 PM, Rainer Jung wrote:
> On 05.10.2018 at 00:03, Igal Sapir wrote:
>> And with tcnative I get:
>>
>> 04-Oct-2018 14:52:14.231 INFO [main] 
>> org.apache.catalina.startup.LoggingBaseTest.setUp Starting test case 
>> [testOpenSSLConfCmdCipher]
>> 04-Oct-2018 14:52:14.434 INFO [main] 
>> org.apache.tomcat.util.net.openssl.TestOpenSSLConf.testOpenSSLConfCmdCipher 
>> Found OpenSSL version 0x100020ff
>>
>> Which makes much more sense.  Is there a reason that the OpenSSL 
>> version is printed in Hex?
>
> I haven't checked what other version data (eg. string based) is 
> available for all supported versions, and would make more sense. 
> Typically what we call OPENSSL_VERSION is used in the code for version 
> dependent code. If that variable is the one we continue to use as info 
> output, its hex representation is the closest to the string 
> representation of the version:
>
> 0x100020ff
> =
>   1.0.2 + patch-Letter
>
> This is true for all major OpenSSL versions.

Got it, thanks!

Igal



Re: SSL Unit Tests Failing

Posted by Rainer Jung <ra...@kippdata.de>.
On 05.10.2018 at 00:03, Igal Sapir wrote:
> And with tcnative I get:
> 
> 04-Oct-2018 14:52:14.231 INFO [main] 
> org.apache.catalina.startup.LoggingBaseTest.setUp Starting test case 
> [testOpenSSLConfCmdCipher]
> 04-Oct-2018 14:52:14.434 INFO [main] 
> org.apache.tomcat.util.net.openssl.TestOpenSSLConf.testOpenSSLConfCmdCipher 
> Found OpenSSL version 0x100020ff
> 
> Which makes much more sense.  Is there a reason that the OpenSSL version 
> is printed in Hex?

I haven't checked what other version data (eg. string based) is 
available for all supported versions, and would make more sense. 
Typically what we call OPENSSL_VERSION is used in the code for version 
dependent code. If that variable is the one we continue to use as info 
output, its hex representation is the closest to the string 
representation of the version:

0x100020ff
=
   1.0.2 + patch-Letter

This is true for all major OpenSSL versions.

Regards,

Rainer
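
The mapping of `0x100020ff` to 1.0.2 plus a patch letter, carried through as an added example (not part of the original thread or of Tomcat's code). It assumes the pre-3.0 `OPENSSL_VERSION_NUMBER` layout `0xMNNFFPPS` and treats `0x0` as "no version reported", which is the value logged earlier in the thread when the native library was not loaded; the function names are hypothetical and the sample lines are the messages quoted in the thread with timestamps dropped.

```python
import re

VERSION_RE = re.compile(r"Found OpenSSL version (0x[0-9a-fA-F]+)")

# Log messages quoted in this thread (timestamps and logger names dropped).
SAMPLE_LOG = [
    "Found OpenSSL version 0x0",
    "Found OpenSSL version 0x100020ff",
]


def decode_openssl_version(number):
    """Decode a pre-3.0 OPENSSL_VERSION_NUMBER (layout 0xMNNFFPPS).

    M = major, NN = minor, FF = fix, PP = patch (1 -> 'a', 2 -> 'b', ...),
    S = status (0 = development, 1..e = beta, f = release).
    Returns None for 0, meaning no OpenSSL version was reported at all.
    """
    if number == 0:
        return None
    major = (number >> 28) & 0xF
    if major >= 3:
        # OpenSSL 3.x changed the layout; this decoder does not cover it.
        raise ValueError("not a pre-3.0 version number: %#x" % number)
    minor = (number >> 20) & 0xFF
    fix = (number >> 12) & 0xFF
    patch = (number >> 4) & 0xFF
    status = number & 0xF

    if patch == 0:
        letter = ""
    elif patch <= 25:
        letter = chr(ord("a") + patch - 1)
    else:
        # Higher patch values are shown numerically rather than guessed at.
        letter = "+patch%d" % patch

    if status == 0xF:
        tag = ""
    elif status == 0:
        tag = "-dev"
    else:
        tag = "-beta%d" % status
    return "%d.%d.%d%s%s" % (major, minor, fix, letter, tag)


def scan_log(lines):
    """Return [(hex_string, decoded_or_None)] for every matching log line."""
    results = []
    for line in lines:
        match = VERSION_RE.search(line)
        if match:
            raw = match.group(1)
            results.append((raw, decode_openssl_version(int(raw, 16))))
    return results


if __name__ == "__main__":
    for raw, decoded in scan_log(SAMPLE_LOG):
        if decoded is None:
            print("%s -> no OpenSSL version reported (native library not loaded?)" % raw)
        else:
            print("%s -> OpenSSL %s" % (raw, decoded))
```
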



Re: SSL Unit Tests Failing

Posted by Igal Sapir <is...@apache.org>.
On 10/4/2018 2:21 PM, Igal Sapir wrote:
> On 10/3/2018 2:29 AM, Mark Thomas wrote:
>> On 02/10/18 20:40, Igal Sapir wrote:
>>>> On 02/10/18 06:58, Igal Sapir wrote:
>>>>> When trying to run the unit test cases with `ant clean test` on the
>>>>> current
>>>>> trunk [1] I am getting two (per connector) failures:
>>>>>
>>>>> org.apache.tomcat.util.net.openssl.ciphers.TestCipher FAILED [2]
>>>>>
>>>>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser 
>>>>>
>>>>>
>>>>> FAILED [3]
>>>>>
>>>>> <snip/>
>>>> These tests are all particularly sensitive to the versions of OpenSSL,
>>>> Java and the implementation of Java used.
>>>>
>>>> Generally, those tests are there to ensure that the code that 
>>>> translates
>>>> between JSSE cipher definitions and OpenSSL definitions is correct.
>>>>
>>>> If you see a failure it may indicate that:
>>>>
>>>> - the test has a bug
>> <snip/>
>>> On the Linux box I have OpenSSL installed and on the PATH.  On 
>>> Windows I
>>> used version OpenSSL 1.1.1  11 Sep 2018 and specified it via the
>>> `test.openssl.path` property.  I checked the value of
>>> `test.openssl.exists` and it showed the expected `true`.  Both Windows
>>> and Fedora generated an output file for
>>> test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java [1]. Both,
>>> however, reported "Found OpenSSL version 0x0" which I find strange?
>> That does seem odd. I suspect either the wrong OpenSSL version or no
>> OpenSSL version was found.
>
> Gump was also showing "version 0x0" [1].
>
> System.load() [2] was throwing an error that an absolute path is 
> expected, but that error was ignored at [3] so we didn't see it. I 
> added a warning to the log in r1842849 [4].
>
> Igal

OK, so now without tcnative in the bin directory I get:

04-Oct-2018 14:33:24.483 INFO [main] 
org.apache.catalina.startup.LoggingBaseTest.setUp Starting test case 
[testOpenSSLConfCmdCipher]
04-Oct-2018 14:33:24.823 WARNING [main] 
org.apache.tomcat.util.net.openssl.TestOpenSSLConf.testOpenSSLConfCmdCipher 
OpenSSL not found: Can't load library: 
e:\Workspace\git\tomcat\bin\tcnative-1.dll, Can't load library: 
e:\Workspace\git\tomcat\bin\libtcnative-1.dll, no tcnative-1 in 
java.library.path, no libtcnative-1 in java.library.path

And with tcnative I get:

04-Oct-2018 14:52:14.231 INFO [main] 
org.apache.catalina.startup.LoggingBaseTest.setUp Starting test case 
[testOpenSSLConfCmdCipher]
04-Oct-2018 14:52:14.434 INFO [main] 
org.apache.tomcat.util.net.openssl.TestOpenSSLConf.testOpenSSLConfCmdCipher 
Found OpenSSL version 0x100020ff

Which makes much more sense.  Is there a reason that the OpenSSL version 
is printed in Hex?

Igal


>
> [1] 
> http://vmgump-vm3.apache.org/tomcat-trunk/tomcat-trunk-test-nio/gump_file/TEST-org.apache.tomcat.util.net.openssl.TestOpenSSLConf.NIO.txt.html
>
> [2] 
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/Library.java?revision=1834660&view=markup&pathrev=1842849#l42
>
> [3] 
> http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java?view=markup&pathrev=1842748#l91
>
> [4] http://svn.apache.org/viewvc?rev=1842849&view=rev
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
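
Added example, not part of the thread and not Tomcat or tcnative code: the value in "Found OpenSSL version 0x100020ff" follows OpenSSL's packed OPENSSL_VERSION_NUMBER layout, so a small decoder makes the log line readable and treats 0x0 as "library not loaded" instead of as a version. The class and method names are hypothetical, and the 1.1.0i and 1.1.1 inputs are constructed from that layout rather than taken from the logs.

```java
// Added illustration; class and method names are hypothetical.
public class OpenSslVersionDecoder {

    /**
     * Decodes OpenSSL's packed version number.
     * Before 3.0 the layout is 0xMNNFFPPS: major, minor, fix, patch letter, status.
     * From 3.0 on it is 0xMNN00PP0: major, minor, patch.
     */
    static String decode(int v) {
        if (v == 0) {
            // 0x0 is not a real release: the native library was never loaded.
            return "not loaded";
        }
        int major = (v >>> 28) & 0xF;
        int minor = (v >>> 20) & 0xFF;
        int patch = (v >>> 4) & 0xFF;
        if (major >= 3) {
            return major + "." + minor + "." + patch;
        }
        int fix = (v >>> 12) & 0xFF;
        int status = v & 0xF;

        StringBuilder sb = new StringBuilder();
        sb.append(major).append('.').append(minor).append('.').append(fix);
        if (patch >= 1 && patch <= 26) {
            sb.append((char) ('a' + patch - 1));   // 1 -> 'a', 15 -> 'o'
        } else if (patch > 26) {
            sb.append("+patch").append(patch);     // outside the single-letter range
        }
        if (status == 0) {
            sb.append("-dev");
        } else if (status != 0xF) {
            sb.append("-beta").append(status);     // 0xF marks a release build
        }
        return sb.toString();
    }

    /** True only when a library was loaded and its packed version is at least the required one. */
    static boolean isAtLeast(int actual, int required) {
        return actual != 0 && Integer.compareUnsigned(actual, required) >= 0;
    }

    public static void main(String[] args) {
        // 0x0 and 0x100020ff appear in the thread's logs; the other two are constructed
        // encodings of the 1.1.0i and 1.1.1 releases mentioned in the thread.
        int[] samples = { 0x0, 0x100020ff, 0x1010009f, 0x1010100f };
        for (int v : samples) {
            System.out.printf("0x%x -> %s (at least 1.1.0: %b)%n",
                    v, decode(v), isAtLeast(v, 0x10100000));
        }
    }
}
```

A test harness that asserts on `isAtLeast` rather than only logging the number fails loudly when the native library is missing, which is the case the "version 0x0" lines were hiding.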


Re: SSL Unit Tests Failing

Posted by Igal Sapir <is...@apache.org>.
On 10/3/2018 2:29 AM, Mark Thomas wrote:
> On 02/10/18 20:40, Igal Sapir wrote:
>>> On 02/10/18 06:58, Igal Sapir wrote:
>>>> When trying to run the unit test cases with `ant clean test` on the
>>>> current
>>>> trunk [1] I am getting two (per connector) failures:
>>>>
>>>>       org.apache.tomcat.util.net.openssl.ciphers.TestCipher FAILED [2]
>>>>
>>>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser
>>>>
>>>> FAILED [3]
>>>>
>>>> <snip/>
>>> These tests are all particularly sensitive to the versions of OpenSSL,
>>> Java and the implementation of Java used.
>>>
>>> Generally, those tests are there to ensure that the code that translates
>>> between JSSE cipher definitions and OpenSSL definitions is correct.
>>>
>>> If you see a failure it may indicate that:
>>>
>>> - the test has a bug
>>>
>>> - you are running with an older version of OpenSSL that behaves
>>>     differently from the latest version (we try and keep pace with the
>>>     latest)
>>>
>>> - OpenSSL has changed behaviour and we need to update our translation
>>>     code to align with it (unusual)
>>>
>>> - OpenSSL has changed behaviour and we need to update our tests to align
>>>     with it (most frequent).
>> Thank you both for the detailed explanation.  I suspected that I should
>> have added the OpenSSL version to the OP.  On that Fedora machine I have
>> OpenSSL 1.1.0i-fips 14 Aug 2018
>>
>> I tried the same tests on a Windows 10 machine.  Below are some
>> discrepancies/peculiarities that I've noticed (I'd be happy to improve
>> the test cases if possible):
> I noticed some errors on Gump overnight so this morning I have built
> OpenSSL 1.0.2, 1.1.0, 1.1.1 and master locally and tested them against
> 8.5.x and 9.0.x. I found a couple of bugs:
>
> - The ARIA ciphers were not handled correctly so testing against OpenSSL
>    1.1.0 was always going to fail. This has been fixed.
>
> - 8.5.x was missing some code that ensured the OpenSSL libraries as well
>    as the binary was on the path. This meant 8.5.x tests were either
>    going to fail or use a locally installed OpenSSL version. This has
>    also been fixed.
>
>> On the Linux box I have OpenSSL installed and on the PATH.  On Windows I
>> used version OpenSSL 1.1.1  11 Sep 2018 and specified it via the
>> `test.openssl.path` property.  I checked the value of
>> `test.openssl.exists` and it showed the expected `true`.  Both Windows
>> and Fedora generated an output file for
>> test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java [1]. Both,
>> however, reported "Found OpenSSL version 0x0" which I find strange?
> That does seem odd. I suspect either the wrong OpenSSL version or no
> OpenSSL version was found.

Gump was also showing "version 0x0" [1].

System.load() [2] was throwing an error that an absolute path is 
expected, but that error was ignored at [3] so we didn't see it.  I 
added a warning to the log in r1842849 [4].

Igal

[1] 
http://vmgump-vm3.apache.org/tomcat-trunk/tomcat-trunk-test-nio/gump_file/TEST-org.apache.tomcat.util.net.openssl.TestOpenSSLConf.NIO.txt.html

[2] 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/Library.java?revision=1834660&view=markup&pathrev=1842849#l42

[3] 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java?view=markup&pathrev=1842748#l91

[4] http://svn.apache.org/viewvc?rev=1842849&view=rev




Re: SSL Unit Tests Failing

Posted by Mark Thomas <ma...@apache.org>.
On 02/10/18 20:40, Igal Sapir wrote:
> Mark / Chris,
> 
> On 10/2/2018 6:36 AM, Mark Thomas wrote:
>> On 02/10/18 06:58, Igal Sapir wrote:
>>> When trying to run the unit test cases with `ant clean test` on the
>>> current
>>> trunk [1] I am getting two (per connector) failures:
>>>
>>>      org.apache.tomcat.util.net.openssl.ciphers.TestCipher FAILED [2]
>>>
>>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser
>>>
>>> FAILED [3]
>>>
>>>      Server version: Apache Tomcat/9.0.13-dev
>>>      Server built:   Oct 2 2018 05:24:55 UTC
>>>      Server number:  9.0.13.0
>>>      OS Name:        Linux
>>>      OS Version:     4.18.9-200.fc28.x86_64
>>>      Architecture:   amd64
>>>      JVM Version:    1.8.0_181-b13
>>>      JVM Vendor:     Oracle Corporation
>>>
>>> Am I missing something?  Other than the obvious "missing ciphers",
>>> that is.
>> These tests are all particularly sensitive to the versions of OpenSSL,
>> Java and the implementation of Java used.
>>
>> Generally, those tests are there to ensure that the code that translates
>> between JSSE cipher definitions and OpenSSL definitions is correct.
>>
>> If you see a failure it may indicate that:
>>
>> - the test has a bug
>>
>> - you are running with an older version of OpenSSL that behaves
>>    differently from the latest version (we try and keep pace with the
>>    latest)
>>
>> - OpenSSL has changed behaviour and we need to update our translation
>>    code to align with it (unusual)
>>
>> - OpenSSL has changed behaviour and we need to update our tests to align
>>    with it (most frequent).
> 
> Thank you both for the detailed explanation.  I suspected that I should
> have added the OpenSSL version to the OP.  On that Fedora machine I have
> OpenSSL 1.1.0i-fips 14 Aug 2018
> 
> I tried the same tests on a Windows 10 machine.  Below are some
> discrepancies/peculiarities that I've noticed (I'd be happy to improve
> the test cases if possible):

I noticed some errors on Gump overnight so this morning I have built
OpenSSL 1.0.2, 1.1.0, 1.1.1 and master locally and tested them against
8.5.x and 9.0.x. I found a couple of bugs:

- The ARIA ciphers were not handled correctly so testing against OpenSSL
  1.1.0 was always going to fail. This has been fixed.

- 8.5.x was missing some code that ensured the OpenSSL libraries as well
  as the binary was on the path. This meant 8.5.x tests were either
  going to fail or use a locally installed OpenSSL version. This has
  also been fixed.

> On the Linux box I have OpenSSL installed and on the PATH.  On Windows I
> used version OpenSSL 1.1.1  11 Sep 2018 and specified it via the
> `test.openssl.path` property.  I checked the value of
> `test.openssl.exists` and it showed the expected `true`.  Both Windows
> and Fedora generated an output file for
> test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java [1]. Both,
> however, reported "Found OpenSSL version 0x0" which I find strange?

That does seem odd. I suspect either the wrong OpenSSL version or no
OpenSSL version was found.

> On Windows, only the output [2] for the file mentioned above is in the
> output/build/logs, while on Fedora I also have output from the 3 Test
> files from test/org/apache/tomcat/util/net/openssl/ciphers/. Does that
> mean that these tests were not run on Windows?

That seems to be a reasonable conclusion.

> I wanted to check the Gump output to compare with my local results. I
> found this URL, which I'm not sure if it is the right one or not -
> http://vmgump-vm3.apache.org/tomcat-trunk/tomcat-trunk/index.html - as
> it says "Project build output found here..." but without any links or
> any other information.

That is the build. The full output is linked just below that line but
you probably want the tests which are run as a separate build for each
connector.

http://vmgump-vm3.apache.org/tomcat-trunk/tomcat-trunk-test-nio/index.html
http://vmgump-vm3.apache.org/tomcat-trunk/tomcat-trunk-test-nio2/index.html
http://vmgump-vm3.apache.org/tomcat-trunk/tomcat-trunk-test-apr/index.html

If you scroll down for any of those pages, you'll find the individual
test files for the latest run.

> I would like at the very least to add the output of `openssl version` to
> the Ant output, perhaps at the `test.openssl.exists` target.  If there
> are no objections I will add that.

+1

Mark




Re: SSL Unit Tests Failing

Posted by Igal Sapir <is...@apache.org>.
Mark / Chris,

On 10/2/2018 6:36 AM, Mark Thomas wrote:
> On 02/10/18 06:58, Igal Sapir wrote:
>> When trying to run the unit test cases with `ant clean test` on the current
>> trunk [1] I am getting two (per connector) failures:
>>
>>      org.apache.tomcat.util.net.openssl.ciphers.TestCipher FAILED [2]
>>
>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser
>> FAILED [3]
>>
>>      Server version: Apache Tomcat/9.0.13-dev
>>      Server built:   Oct 2 2018 05:24:55 UTC
>>      Server number:  9.0.13.0
>>      OS Name:        Linux
>>      OS Version:     4.18.9-200.fc28.x86_64
>>      Architecture:   amd64
>>      JVM Version:    1.8.0_181-b13
>>      JVM Vendor:     Oracle Corporation
>>
>> Am I missing something?  Other than the obvious "missing ciphers", that is.
> These tests are all particularly sensitive to the versions of OpenSSL,
> Java and the implementation of Java used.
>
> Generally, those tests are there to ensure that the code that translates
> between JSSE cipher definitions and OpenSSL definitions is correct.
>
> If you see a failure it may indicate that:
>
> - the test has a bug
>
> - you are running with an older version of OpenSSL that behaves
>    differently from the latest version (we try and keep pace with the
>    latest)
>
> - OpenSSL has changed behaviour and we need to update our translation
>    code to align with it (unusual)
>
> - OpenSSL has changed behaviour and we need to update our tests to align
>    with it (most frequent).

Thank you both for the detailed explanation.  I suspected that I should
have added the OpenSSL version to the OP.  On that Fedora machine I have
OpenSSL 1.1.0i-fips 14 Aug 2018

I tried the same tests on a Windows 10 machine.  Below are some 
discrepancies/peculiarities that I've noticed (I'd be happy to improve 
the test cases if possible):

On the Linux box I have OpenSSL installed and on the PATH.  On Windows I 
used version OpenSSL 1.1.1  11 Sep 2018 and specified it via the 
`test.openssl.path` property.  I checked the value of 
`test.openssl.exists` and it showed the expected `true`.  Both Windows 
and Fedora generated an output file for 
test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java [1]. Both, 
however, reported "Found OpenSSL version 0x0" which I find strange?

On Windows, only the output [2] for the file mentioned above is in the 
output/build/logs, while on Fedora I also have output from the 3 Test 
files from test/org/apache/tomcat/util/net/openssl/ciphers/. Does that 
mean that these tests were not run on Windows?

I wanted to check the Gump output to compare with my local results. I 
found this URL, which I'm not sure if it is the right one or not - 
http://vmgump-vm3.apache.org/tomcat-trunk/tomcat-trunk/index.html - as 
it says "Project build output found here..." but without any links or 
any other information.

I would like at the very least to add the output of `openssl version` to 
the Ant output, perhaps at the `test.openssl.exists` target.  If there 
are no objections I will add that.

[1] 
https://github.com/apache/tomcat/blob/trunk/test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java

[2] Windows output of o.a.t.util.net.openssl.TestOpenSSLConf

Testsuite: org.apache.tomcat.util.net.openssl.TestOpenSSLConf
Tests run: 2, Failures: 0, Errors: 0, Skipped: 2, Time elapsed: 1.994 sec
------------- Standard Error -----------------
02-Oct-2018 11:23:28.394 INFO [main] org.apache.catalina.startup.LoggingBaseTest.setUp Starting test case [testOpenSSLConfCmdCipher]
02-Oct-2018 11:23:28.618 INFO [main] org.apache.tomcat.util.net.openssl.TestOpenSSLConf.testOpenSSLConfCmdCipher Found OpenSSL version 0x0
02-Oct-2018 11:23:28.808 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["https-jsse-nio-127.0.0.1-auto-1"]
02-Oct-2018 11:23:28.895 INFO [main] org.apache.catalina.startup.LoggingBaseTest.setUp Starting test case [testOpenSSLConfCmdProtocol]
02-Oct-2018 11:23:28.924 INFO [main] org.apache.tomcat.util.net.openssl.TestOpenSSLConf.testOpenSSLConfCmdProtocol Found OpenSSL version 0x0
02-Oct-2018 11:23:28.926 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["https-jsse-nio-127.0.0.1-auto-2"]
------------- ---------------- ---------------

Testcase: testOpenSSLConfCmdCipher took 1.755 sec
	SKIPPED: This test is only for OpenSSL based SSL connectors
Testcase: testOpenSSLConfCmdCipher took 1.759 sec
Testcase: testOpenSSLConfCmdProtocol took 0.037 sec
	SKIPPED: This test is only for OpenSSL based SSL connectors
Testcase: testOpenSSLConfCmdProtocol took 0.037 sec





>
> There is overlap between some of the above cases.
>
> I see different failures when I run locally. Your question has made me
> curious to find out why.
>
> Gump is usually very good at catching changes. I normally don't worry
> unless I see a failure in these tests on Gump. Expanding the
> combinations of Tomcat and OpenSSL that we test with there is still on
> the TODO list.
>
> Mark
>
>
>> Thanks,
>>
>> Igal
>>
>> [1] git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1842498
>> 13f79535-47bb-0310-9956-ffa450edef68
>>
>> [2] Testsuite: org.apache.tomcat.util.net.openssl.ciphers.TestCipher
>> Tests run: 3, Failures: 2, Errors: 0, Skipped: 0, Time elapsed: 0.697 sec
>>
>> Testcase: testNames took 0.168 sec
>> Testcase: testAllOpenSSLCiphersMapped took 0.361 sec
>>      FAILED
>> No mapping found in IBM's JSSE implementation for
>> ECDHE-PSK-3DES-EDE-CBC-SHA+TLSv1 when one was expected
>>
>> junit.framework.AssertionFailedError: No mapping found in IBM's JSSE
>> implementation for ECDHE-PSK-3DES-EDE-CBC-SHA+TLSv1 when one was expected
>>
>>      at
>> org.apache.tomcat.util.net.openssl.ciphers.TestCipher.testAllOpenSSLCiphersMapped(TestCipher.java:66)
>>
>> Testcase: testOpenSSLCipherAvailability took 0.06 sec
>>      FAILED
>> ECDHE-ARIA128-GCM-SHA256+TLSv1.2 DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2
>> DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2 ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2
>> ARIA256-GCM-SHA384+TLSv1.2 ECDHE-ARIA256-GCM-SHA384+TLSv1.2
>> DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2 RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2
>> ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2 ARIA128-GCM-SHA256+TLSv1.2
>> DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2 RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2
>> DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2 PSK-ARIA256-GCM-SHA384+TLSv1.2
>> DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2 PSK-ARIA128-GCM-SHA256+TLSv1.2
>> expected:<0> but was:<16>
>> junit.framework.AssertionFailedError: ECDHE-ARIA128-GCM-SHA256+TLSv1.2
>> DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2 DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2
>> ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2 ARIA256-GCM-SHA384+TLSv1.2
>> ECDHE-ARIA256-GCM-SHA384+TLSv1.2 DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2
>> RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2 ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2
>> ARIA128-GCM-SHA256+TLSv1.2 DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2
>> RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2 DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2
>> PSK-ARIA256-GCM-SHA384+TLSv1.2 DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2
>> PSK-ARIA128-GCM-SHA256+TLSv1.2  expected:<0> but was:<16>
>>      at
>> org.apache.tomcat.util.net.openssl.ciphers.TestCipher.testOpenSSLCipherAvailability(TestCipher.java:100)
>>
>> [3] Testsuite:
>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser
>> Tests run: 86, Failures: 40, Errors: 0, Skipped: 1, Time elapsed: 5.473 sec
>> ------------- Standard Error -----------------
>> Error in cipher list
>> 140015003477824:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
>> cipher match:ssl/ssl_lib.c:2193:
>>
>> <snip/>
>>
>> Testcase: testARIA128 took 0.535 sec
>>      FAILED
>> Expected 8 ciphers but got 0 for the specification 'ARIA128'
>> expected:<[TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256,
>> TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256, TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
>> TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
>> TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, TLS_PSK_WITH_ARIA_128_GCM_SHA256,
>> TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256, TLS_RSA_WITH_ARIA_128_GCM_SHA256]>
>> but was:<[]>
>> junit.framework.AssertionFailedError: Expected 8 ciphers but got 0 for the
>> specification 'ARIA128' expected:<[TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256,
>> TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256, TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
>> TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
>> TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, TLS_PSK_WITH_ARIA_128_GCM_SHA256,
>> TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256, TLS_RSA_WITH_ARIA_128_GCM_SHA256]>
>> but was:<[]>
>>      at
>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testSpecification(TestOpenSSLCipherConfigurationParser.java:588)
>>      at
>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testARIA128(TestOpenSSLCipherConfigurationParser.java:541)
>>
>> Testcase: testARIA256 took 0.063 sec
>>      FAILED
>> Expected 8 ciphers but got 0 for the specification 'ARIA256'
>> expected:<[TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384,
>> TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384, TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
>> TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, TLS_PSK_WITH_ARIA_256_GCM_SHA384,
>> TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384, TLS_RSA_WITH_ARIA_256_GCM_SHA384]>
>> but was:<[]>
>> junit.framework.AssertionFailedError: Expected 8 ciphers but got 0 for the
>> specification 'ARIA256' expected:<[TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384,
>> TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384, TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
>> TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, TLS_PSK_WITH_ARIA_256_GCM_SHA384,
>> TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384, TLS_RSA_WITH_ARIA_256_GCM_SHA384]>
>> but was:<[]>
>>      at
>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testSpecification(TestOpenSSLCipherConfigurationParser.java:588)
>>      at
>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testARIA256(TestOpenSSLCipherConfigurationParser.java:547)
>>
>> Testcase: testkECDHE took 0.068 sec
>>      FAILED
>> Expected 31 ciphers but got 30 for the specification 'kECDHE'
>> expected:<[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
>> TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
>> TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
>> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
>> TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
>> TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA,
>> TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
>> TLS_ECDH_anon_WITH_NULL_SHA]> but
>> was:<[TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
>> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
>> TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA,
>> TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
>> TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_NULL_SHA]>
>> junit.framework.AssertionFailedError: Expected 31 ciphers but got 30 for
>> the specification 'kECDHE' expected:<[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
>> TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
>> TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
>> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
>> TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
>> TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA,
>> TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
>> TLS_ECDH_anon_WITH_NULL_SHA]> but
>> was:<[TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
>> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
>> TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA,
>> TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
>> TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_NULL_SHA]>
>>      at
>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testSpecification(TestOpenSSLCipherConfigurationParser.java:588)
>>      at
>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testkECDHE(TestOpenSSLCipherConfigurationParser.java:202)
>>
>> Testcase: testkECDHe took 0.072 sec
>> Testcase: testkECDHr took 0.036 sec
>> Testcase: testkEECDH took 0.057 sec
>>      FAILED
>> Expected 31 ciphers but got 30 for the specification 'kEECDH'
>> expected:<[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
>> TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
>> TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
>> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
>> TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
>> TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA,
>> TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
>> TLS_ECDH_anon_WITH_NULL_SHA]> but
>> was:<[TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
>> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
>> TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA,
>> TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
>> TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_NULL_SHA]>
>> junit.framework.AssertionFailedError: Expected 31 ciphers but got 30 for
>> the specification 'kEECDH' expected:<[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
>> TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
>> TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
>> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
>> TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
>> TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA,
>> TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
>> TLS_ECDH_anon_WITH_NULL_SHA]> but
>> was:<[TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
>> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
>> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
>> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
>> TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA,
>> TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
>> TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_NULL_SHA]>
>>      at
>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testSpecification(TestOpenSSLCipherConfigurationParser.java:588)
>>      at
>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testkEECDH(TestOpenSSLCipherConfigurationParser.java:190)
>>
>> Testcase: testGOST89MAC took 0.06 sec
>> Testcase: testCHACHA20 took 0.061 sec
>> Testcase: testADH took 0.033 sec
>>      FAILED
>> Expected 11 ciphers but got 13 for the specification 'ADH'
>> expected:<[TLS_DH_anon_WITH_AES_128_CBC_SHA,
>> TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_128_GCM_SHA256,
>> TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA256,
>> TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
>> TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,
>> TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256, TLS_DH_anon_WITH_SEED_CBC_SHA]>
>> but was:<[SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
>> TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA,
>> TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_128_GCM_SHA256,
>> TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA256,
>> TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
>> TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,
>> TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256, TLS_DH_anon_WITH_SEED_CBC_SHA]>
>> junit.framework.AssertionFailedError: Expected 11 ciphers but got 13 for
>> the specification 'ADH' expected:<[TLS_DH_anon_WITH_AES_128_CBC_SHA,
>> TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_128_GCM_SHA256,
>> TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA256,
>> TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
>> TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,
>> TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256, TLS_DH_anon_WITH_SEED_CBC_SHA]>
>> but was:<[SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
>> TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA,
>> TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_128_GCM_SHA256,
>> TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA256,
>> TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
>> TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256,
>> TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,
>> TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256, TLS_DH_anon_WITH_SEED_CBC_SHA]>
>>      at
>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testSpecification(TestOpenSSLCipherConfigurationParser.java:588)
>>      at
>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.testADH(TestOpenSSLCipherConfigurationParser.java:325)
>>
>> <snip/>
>>
>
>


Re: SSL Unit Tests Failing

Posted by Mark Thomas <ma...@apache.org>.
On 02/10/18 06:58, Igal Sapir wrote:
> When trying to run the unit test cases with `ant clean test` on the current
> trunk [1] I am getting two (per connector) failures:
> 
>     org.apache.tomcat.util.net.openssl.ciphers.TestCipher FAILED [2]
> 
> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser
> FAILED [3]
> 
>     Server version: Apache Tomcat/9.0.13-dev
>     Server built:   Oct 2 2018 05:24:55 UTC
>     Server number:  9.0.13.0
>     OS Name:        Linux
>     OS Version:     4.18.9-200.fc28.x86_64
>     Architecture:   amd64
>     JVM Version:    1.8.0_181-b13
>     JVM Vendor:     Oracle Corporation
> 
> Am I missing something?  Other than the obvious "missing ciphers", that is.

These tests are all particularly sensitive to the versions of OpenSSL,
Java and the implementation of Java used.

Generally, those tests are there to ensure that the code that translates
between JSSE cipher definitions and OpenSSL definitions is correct.

If you see a failure it may indicate that:

- the test has a bug

- you are running with an older version of OpenSSL that behaves
  differently from the latest version (we try and keep pace with the
  latest)

- OpenSSL has changed behaviour and we need to update our translation
  code to align with it (unusual)

- OpenSSL has changed behaviour and we need to update our tests to align
  with it (most frequent).

There is overlap between some of the above cases.

I see different failures when I run locally. Your question has made me
curious to find out why.

Gump is usually very good at catching changes. I normally don't worry
unless I see a failure in these tests on Gump. Expanding the
combinations of Tomcat and OpenSSL that we test with there is still on
the TODO list.

Mark






Re: SSL Unit Tests Failing

Posted by Igal Sapir <is...@apache.org>.
Chris,

On 10/2/2018 7:25 AM, Christopher Schultz wrote:
> On 10/2/18 01:58, Igal Sapir wrote:
>> When trying to run the unit test cases with `ant clean test` on the
>> current trunk [1] I am getting two (per connector) failures:
>>
>> org.apache.tomcat.util.net.openssl.ciphers.TestCipher FAILED [2]
>>
>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser FAILED [3]
>>
>> Server version: Apache Tomcat/9.0.13-dev
>> Server built:   Oct 2 2018 05:24:55 UTC
>> Server number:  9.0.13.0
>> OS Name:        Linux
>> OS Version:     4.18.9-200.fc28.x86_64
>> Architecture:   amd64
>> JVM Version:    1.8.0_181-b13
>> JVM Vendor:     Oracle Corporation
>>
>> Am I missing something?  Other than the obvious "missing ciphers",
>> that is.
> AIUI, you need to have the perfect match of JRE/JSSE and OpenSSL
> versions in order to have this test work, because it tests all cipher
> suites that have been configured in the test-case(s).
>
> Some of those are the super-new ones that might not be supported by
> your local version of OpenSSL.
>
> Some of them may be cipher-suites that have been compiled-out of
> OpenSSL in recent builds. You may want to take a look at the list of
> cipher suites that are failing and then ask openssl if they are
> supported (e.g. "openssl ciphers 'ALL'").
>
> The same is true for the "IBM cipher suites" which all have different
> names for some reason. OpenSSL and JSSE already disagree about the
> names of cipher suites, and IBM had to go their own way, too. If you
> don't have an IBM JRE then you won't be able to test those suites.
>
> Let's take an example from OpenSSL where your tests are failing:
>
>> Testcase: testOpenSSLCipherAvailability took 0.06 sec FAILED
>> ECDHE-ARIA128-GCM-SHA256+TLSv1.2
>> DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2
>> DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2
>> ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2
>> ARIA256-GCM-SHA384+TLSv1.2 ECDHE-ARIA256-GCM-SHA384+TLSv1.2
>> DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2
>> RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2
>> ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2 ARIA128-GCM-SHA256+TLSv1.2
>> DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2
>> RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2
>> DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2 PSK-ARIA256-GCM-SHA384+TLSv1.2
>> DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2 PSK-ARIA128-GCM-SHA256+TLSv1.2
>> expected:<0> but was:<16>
> Without looking at the code, I suspect that the test was intended to
> select certain ciphers with some attribute. The test case expects zero
> cipher suites to be available, but your environment provides 16
> matching cipher suites.
>
> If I run my local LibreSSL 2.2.7 "openssl ciphers -v 'ALL' | grep
> ARIA" I get no output, but when I use OpenSSL 1.1.1, I get this output:
>
>> ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
>> ECDHE-ARIA256-GCM-SHA384       TLSv1.2 Kx=ECDH     Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
>> DHE-DSS-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH       Au=DSS   Enc=ARIAGCM(256) Mac=AEAD
>> DHE-RSA-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH       Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
>> ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
>> ECDHE-ARIA128-GCM-SHA256       TLSv1.2 Kx=ECDH     Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
>> DHE-DSS-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH       Au=DSS   Enc=ARIAGCM(128) Mac=AEAD
>> DHE-RSA-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH       Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
>> RSA-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
>> DHE-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
>> ARIA256-GCM-SHA384             TLSv1.2 Kx=RSA      Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
>> PSK-ARIA256-GCM-SHA384         TLSv1.2 Kx=PSK      Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
>> RSA-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
>> DHE-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=ARIAGCM(128) Mac=AEAD
>> ARIA128-GCM-SHA256             TLSv1.2 Kx=RSA      Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
>> PSK-ARIA128-GCM-SHA256         TLSv1.2 Kx=PSK      Au=PSK   Enc=ARIAGCM(128) Mac=AEAD
> There are 16 items in that list. Perhaps you are using the latest
> OpenSSL but the test isn't prepared for them.
>
> I think it's "okay" that this test is failing for you, but it's
> probably worth looking into why it's happening and trying to alter the
> test to cope with that situation.
>
> Remember that OpenSSL 1.1.1 is very fresh so the unit tests might not
> have caught-up with what's in there, yet.
>
> But this is weird:
>
>> Testcase: testARIA128 took 0.535 sec FAILED Expected 8 ciphers but
>> got 0 for the specification 'ARIA128' expected:
> Above, you have ARIA ciphers available, but in this test, they weren't
> found. That could represent a bug in the test. Time to dive into the
> cipher suite cross-match detection code, Igal! ;)

Thank you for the detailed explanation.

I will look into it and will post more information if I find anything 
useful.

Igal
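
The comparison made by eye in the quoted reply (16 names in the testOpenSSLCipherAvailability failure against 16 ARIA lines from OpenSSL 1.1.1), written out as an added example that is not part of the thread or of Tomcat's code. The function names are illustrative assumptions; both embedded inputs are copied from the messages above.

```python
import re
import shutil
import subprocess

# Failure message of testOpenSSLCipherAvailability, copied from the thread.
JUNIT_FAILURE = """\
ECDHE-ARIA128-GCM-SHA256+TLSv1.2 DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2
DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2 ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2
ARIA256-GCM-SHA384+TLSv1.2 ECDHE-ARIA256-GCM-SHA384+TLSv1.2
DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2 RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2
ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2 ARIA128-GCM-SHA256+TLSv1.2
DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2 RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2
DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2 PSK-ARIA256-GCM-SHA384+TLSv1.2
DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2 PSK-ARIA128-GCM-SHA256+TLSv1.2
expected:<0> but was:<16>
"""

# `openssl ciphers -v 'ALL' | grep ARIA` output for OpenSSL 1.1.1 as quoted
# in the thread, laid out one suite per line.
OPENSSL_VERBOSE = """\
ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ARIA256-GCM-SHA384       TLSv1.2 Kx=ECDH     Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
DHE-DSS-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH       Au=DSS   Enc=ARIAGCM(256) Mac=AEAD
DHE-RSA-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH       Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
ECDHE-ARIA128-GCM-SHA256       TLSv1.2 Kx=ECDH     Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
DHE-DSS-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH       Au=DSS   Enc=ARIAGCM(128) Mac=AEAD
DHE-RSA-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH       Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
RSA-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
DHE-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
ARIA256-GCM-SHA384             TLSv1.2 Kx=RSA      Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
PSK-ARIA256-GCM-SHA384         TLSv1.2 Kx=PSK      Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
RSA-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
DHE-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=ARIAGCM(128) Mac=AEAD
ARIA128-GCM-SHA256             TLSv1.2 Kx=RSA      Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
PSK-ARIA128-GCM-SHA256         TLSv1.2 Kx=PSK      Au=PSK   Enc=ARIAGCM(128) Mac=AEAD
"""

# The test prints each cipher as <OpenSSL name>+<protocol>.
NAME_PLUS_PROTOCOL = re.compile(
    r"([A-Za-z0-9][A-Za-z0-9_-]*)\+(SSLv3|TLSv1(?:\.[0-3])?)")


def parse_junit_failure(text):
    """Return ({openssl_name: protocol}, N) where N is from 'but was:<N>'."""
    ciphers = dict(NAME_PLUS_PROTOCOL.findall(text))
    count = re.search(r"but was:<(\d+)>", text)
    return ciphers, (int(count.group(1)) if count else None)


def parse_openssl_verbose(text):
    """Parse `openssl ciphers -v` lines into {name: {protocol, Kx, Au, ...}}."""
    suites = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        suites[fields[0]] = {"protocol": fields[1], **attrs}
    return suites


def query_local_openssl(spec="ALL"):
    """Ask the openssl binary on PATH; None if absent, {} on 'no cipher match'."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    proc = subprocess.run([exe, "ciphers", "-v", spec],
                          capture_output=True, text=True, check=False)
    return parse_openssl_verbose(proc.stdout) if proc.returncode == 0 else {}


def cross_check(junit_text, suites):
    """Compare the names a failure reports with what an OpenSSL build lists."""
    reported, count = parse_junit_failure(junit_text)
    return {
        "reported_count": count,
        "parsed_count": len(reported),
        "only_in_test": sorted(set(reported) - set(suites)),
        "only_in_openssl": sorted(set(suites) - set(reported)),
        "protocol_mismatch": sorted(
            n for n, p in reported.items()
            if n in suites and suites[n]["protocol"] != p),
    }


if __name__ == "__main__":
    print(cross_check(JUNIT_FAILURE, parse_openssl_verbose(OPENSSL_VERBOSE)))
    local = query_local_openssl("ARIA")
    print("local openssl ARIA suites:", None if local is None else sorted(local))
```

An empty `only_in_test` and `only_in_openssl` means the failure lists exactly the suites that build of OpenSSL offers, so the mismatch is between the test's expectations and the OpenSSL version rather than a naming error.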




Re: SSL Unit Tests Failing

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Igal,

On 10/2/18 01:58, Igal Sapir wrote:
> When trying to run the unit test cases with `ant clean test` on the
> current trunk [1] I am getting two (per connector) failures:
> 
> org.apache.tomcat.util.net.openssl.ciphers.TestCipher FAILED [2]
> 
> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser
> FAILED [3]
> 
> Server version: Apache Tomcat/9.0.13-dev
> Server built:   Oct 2 2018 05:24:55 UTC
> Server number:  9.0.13.0
> OS Name:        Linux
> OS Version:     4.18.9-200.fc28.x86_64
> Architecture:   amd64
> JVM Version:    1.8.0_181-b13
> JVM Vendor:     Oracle Corporation
> 
> Am I missing something?  Other than the obvious "missing ciphers",
> that is.

AIUI, you need to have the perfect match of JRE/JSSE and OpenSSL
versions in order to have this test work, because it tests all cipher
suites that have been configured in the test-case(s).

Some of those are the super-new ones that might not be supported by
your local version of OpenSSL.

Some of them may be cipher-suites that have been compiled-out of
OpenSSL in recent builds. You may want to take a look at the list of
cipher suites that are failing and then ask openssl if they are
supported (e.g. "openssl ciphers 'ALL'").

The same is true for the "IBM cipher suites" which all have different
names for some reason. OpenSSL and JSSE already disagree about the
names of cipher suites, and IBM had to go their own way, too. If you
don't have an IBM JRE then you won't be able to test those suites.

Let's take an example from OpenSSL where your tests are failing:

> Testcase: testOpenSSLCipherAvailability took 0.06 sec FAILED 
> ECDHE-ARIA128-GCM-SHA256+TLSv1.2
> DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2 
> DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2
> ARIA256-GCM-SHA384+TLSv1.2 ECDHE-ARIA256-GCM-SHA384+TLSv1.2 
> DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2
> RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2 
> ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2 ARIA128-GCM-SHA256+TLSv1.2 
> DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2
> RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2 
> DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2 PSK-ARIA256-GCM-SHA384+TLSv1.2 
> DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2 PSK-ARIA128-GCM-SHA256+TLSv1.2 
> expected:<0> but was:<16>

Without looking at the code, I suspect that the test was intended to
select certain ciphers with some attribute. The test case expects zero
cipher suites to be available, but your environment provides 16
matching cipher suites.

If I run my local LibreSSL 2.2.7 "openssl ciphers -v 'ALL' | grep
ARIA" I get no output, but when I use OpenSSL 1.1.1, I get this output:

> ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
> ECDHE-ARIA256-GCM-SHA384       TLSv1.2 Kx=ECDH     Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> DHE-DSS-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH       Au=DSS   Enc=ARIAGCM(256) Mac=AEAD
> DHE-RSA-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH       Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
> ECDHE-ARIA128-GCM-SHA256       TLSv1.2 Kx=ECDH     Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> DHE-DSS-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH       Au=DSS   Enc=ARIAGCM(128) Mac=AEAD
> DHE-RSA-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH       Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> RSA-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> DHE-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
> ARIA256-GCM-SHA384             TLSv1.2 Kx=RSA      Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> PSK-ARIA256-GCM-SHA384         TLSv1.2 Kx=PSK      Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
> RSA-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> DHE-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=ARIAGCM(128) Mac=AEAD
> ARIA128-GCM-SHA256             TLSv1.2 Kx=RSA      Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> PSK-ARIA128-GCM-SHA256         TLSv1.2 Kx=PSK      Au=PSK   Enc=ARIAGCM(128) Mac=AEAD

There are 16 items in that list. Perhaps you are using the latest
OpenSSL but the test isn't prepared for them.

I think it's "okay" that this test is failing for you, but it's
probably worth looking into why it's happening and trying to alter the
test to cope with that situation.

Remember that OpenSSL 1.1.1 is very fresh so the unit tests might not
have caught-up with what's in there, yet.

But this is weird:

> Testcase: testARIA128 took 0.535 sec FAILED Expected 8 ciphers but
> got 0 for the specification 'ARIA128' expected:

Above, you have ARIA ciphers available, but in this test, they weren't
found. That could represent a bug in the test. Time to dive into the
cipher suite cross-match detection code, Igal! ;)

-chris
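
Added example (not part of the original message and not Tomcat's test code): a shell helper for the check suggested above, reporting which of the cipher names printed by a failing test the local OpenSSL actually offers. It assumes the `+TLSv1.2` suffix in the test output corresponds to the protocol column of `openssl ciphers -v`; the function names and the embedded sample listing (three lines copied from the OpenSSL 1.1.1 output quoted above) are constructed for illustration.

```shell
#!/bin/sh
# check_reported NAME+PROTO [NAME+PROTO ...]
# Reads `openssl ciphers -v` output on stdin and prints, for each argument,
# "available NAME+PROTO" or "missing NAME+PROTO".
check_reported() {
    awk -v wanted="$*" '
        BEGIN { n = split(wanted, w, " ") }
        # Column 1 is the OpenSSL cipher name, column 2 the protocol version.
        NF >= 2 { have[$1 "+" $2] = 1 }
        END {
            for (i = 1; i <= n; i++) {
                state = (w[i] in have) ? "available" : "missing"
                print state, w[i]
            }
        }
    '
}

# count_available NAME+PROTO ... : number of arguments found in the listing on stdin.
count_available() {
    check_reported "$@" | awk '$1 == "available" { c++ } END { print c + 0 }'
}

# Constructed sample input so the example runs without OpenSSL installed.
sample_listing() {
    cat <<'EOF'
ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ARIA256-GCM-SHA384       TLSv1.2 Kx=ECDH     Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
ARIA128-GCM-SHA256             TLSv1.2 Kx=RSA      Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
EOF
}

# Demo on the sample; names are taken from the test failures quoted in the thread.
sample_listing | check_reported \
    ECDHE-ARIA256-GCM-SHA384+TLSv1.2 \
    ARIA128-GCM-SHA256+TLSv1.2 \
    ECDHE-PSK-3DES-EDE-CBC-SHA+TLSv1
```

Against a real installation, replace `sample_listing` with `openssl ciphers -v 'ALL'`; a test that expects zero matches will fail whenever this reports any name as available.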
