Posted to issues@impala.apache.org by "Jim Apple (JIRA)" <ji...@apache.org> on 2019/05/20 01:03:00 UTC

[jira] [Resolved] (IMPALA-8563) BE tests specifying their own SSL cipher sets fail on Ubuntu 18

     [ https://issues.apache.org/jira/browse/IMPALA-8563?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jim Apple resolved IMPALA-8563.
-------------------------------
       Resolution: Fixed
    Fix Version/s: Impala 3.3.0

Thanks for fixing this, Laszlo!

> BE tests specifying their own SSL cipher sets fail on Ubuntu 18
> ---------------------------------------------------------------
>
>                 Key: IMPALA-8563
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8563
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Infrastructure
>    Affects Versions: Impala 3.2.0
>            Reporter: Laszlo Gaal
>            Assignee: Laszlo Gaal
>            Priority: Critical
>             Fix For: Impala 3.3.0
>
>
> Ubuntu 18.04 upgraded OpenSSL to 1.1.0, which raised the bar in what ciphers are considered "strong".
> Some of the Impala BE tests specify their own ciphers for various test purposes. These tests use RC4, which is no longer accepted by OpenSSL by default, making these tests fail on Ubuntu 18.04. Affected tests are:
>  * rpc-mgr-test
>  * thrift-server-test
>  * webserver-test
> {code:java}
> 56/104 Test #56: thrift-util-test ................. Passed 3.34 sec
> Start 57: thrift-server-test
> 57/104 Test #57: thrift-server-test ...............***Exception: SegFault 4.25 sec
> Turning perftools heap leak checking off
> Loading random data
> Initializing database 'de52-8af6-6a92-1e99/krb5kdc/principal' for realm 'KRBTEST.COM',
> master key name 'K/M@KRBTEST.COM'
> Apr 18 22:20:43 ip-172-31-7-143 krb5kdc[25358](info): setting up network...
> krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
> Apr 18 22:20:43 ip-172-31-7-143 krb5kdc[25358](info): set up 2 sockets
> Apr 18 22:20:43 ip-172-31-7-143 krb5kdc[25358](info): commencing operation
> krb5kdc: starting...
> WARNING: no policy specified for impala/localhost@KRBTEST.COM; defaulting to no policy
> Authenticating as principal ubuntu/admin@KRBTEST.COM with password.
> Principal "impala/localhost@KRBTEST.COM" created.
> Authenticating as principal ubuntu/admin@KRBTEST.COM with password.
> Entry for principal impala/localhost with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:de52-8af6-6a92-1e99/krb5kdc/impala_localhost.keytab.
> Entry for principal impala/localhost with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:de52-8af6-6a92-1e99/krb5kdc/impala_localhost.keytab.
> [==========] Running 16 tests from 6 test cases.
> [----------] Global test environment set-up.
> [----------] 1 test from ThriftTestBase
> [ RUN ] ThriftTestBase.Connectivity
> [ OK ] ThriftTestBase.Connectivity (85 ms)
> [----------] 1 test from ThriftTestBase (85 ms total)
> [----------] 8 tests from SslTest
> [ RUN ] SslTest.BadCertificate
> [ OK ] SslTest.BadCertificate (17 ms)
> [ RUN ] SslTest.ClientBeforeServer
> [ OK ] SslTest.ClientBeforeServer (4 ms)
> [ RUN ] SslTest.BadCiphers
> [ OK ] SslTest.BadCiphers (1 ms)
> [ RUN ] SslTest.MismatchedCiphers
> /home/ubuntu/Impala/be/src/rpc/thrift-server-test.cc:314: Failure
> Value of: status_.ok()
> Actual: false
> Expected: true
> Error: SSL socket creation failed: SSL_CTX_set_cipher_list: no cipher match
> /home/ubuntu/Impala/be/src/rpc/thrift-server-test.cc:322: Failure
> Value of: status_.ok()
> Actual: false
> Expected: true
> Error: SSL socket creation failed: SSL_CTX_set_cipher_list: no cipher match
> Wrote minidump to /home/ubuntu/Impala/logs/be_tests/minidumps/thrift-server-test/3c9581c6-3007-4582-2f9967bb-c5fc4825.dmp
> Wrote minidump to /home/ubuntu/Impala/logs/be_tests/minidumps/thrift-server-test/3c9581c6-3007-4582-2f9967bb-c5fc4825.dmp
> {code}
> {code:java}
>         Start  59: rpc-mgr-test
>  59/104 Test  #59: rpc-mgr-test .....................***Failed    5.13 sec
> Turning perftools heap leak checking off
> [==========] Running 11 tests from 1 test case.
> [----------] Global test environment set-up.
> [----------] 11 tests from RpcMgrTest
> [ RUN      ] RpcMgrTest.MultipleServicesTls
> 19/04/18 22:20:51 INFO util.JvmPauseMonitor: Starting JVM pause monitor
> [       OK ] RpcMgrTest.MultipleServicesTls (923 ms)
> [ RUN      ] RpcMgrTest.MultipleServices
> [       OK ] RpcMgrTest.MultipleServices (61 ms)
> [ RUN      ] RpcMgrTest.BadCertificateTls
> [       OK ] RpcMgrTest.BadCertificateTls (35 ms)
> [ RUN      ] RpcMgrTest.BadPasswordTls
> [       OK ] RpcMgrTest.BadPasswordTls (58 ms)
> [ RUN      ] RpcMgrTest.CorrectPasswordTls
> [       OK ] RpcMgrTest.CorrectPasswordTls (61 ms)
> [ RUN      ] RpcMgrTest.BadCiphersTls
> [       OK ] RpcMgrTest.BadCiphersTls (34 ms)
> [ RUN      ] RpcMgrTest.ValidCiphersTls
> /home/ubuntu/Impala/be/src/rpc/rpc-mgr-test.cc:142: Failure
> Value of: status_.ok()
>   Actual: false
> Expected: true
> Error: Could not build messenger: Runtime error: failed to set TLS ciphers: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2129
> [  FAILED  ] RpcMgrTest.ValidCiphersTls (32 ms)
> [ RUN      ] RpcMgrTest.ValidMultiCiphersTls
> /home/ubuntu/Impala/be/src/rpc/rpc-mgr-test.cc:161: Failure
> Value of: status_.ok()
>   Actual: false
> Expected: true
> Error: Could not build messenger: Runtime error: failed to set TLS ciphers: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2129
> [  FAILED  ] RpcMgrTest.ValidMultiCiphersTls (44 ms)
> [ RUN      ] RpcMgrTest.SlowCallback
> [       OK ] RpcMgrTest.SlowCallback (333 ms)
> [ RUN      ] RpcMgrTest.AsyncCall
> [       OK ] RpcMgrTest.AsyncCall (36 ms)
> [ RUN      ] RpcMgrTest.NegotiationTimeout
> [       OK ] RpcMgrTest.NegotiationTimeout (35 ms)
> [----------] 11 tests from RpcMgrTest (1652 ms total)
> [----------] Global test environment tear-down
> [==========] 11 tests from 1 test case ran. (1652 ms total)
> [  PASSED  ] 9 tests.
> [  FAILED  ] 2 tests, listed below:
> [  FAILED  ] RpcMgrTest.ValidCiphersTls
> [  FAILED  ] RpcMgrTest.ValidMultiCiphersTls
>  2 FAILED TESTS
> {code}
> {code:java}
> Start 102: webserver-test
> 102/104 Test #102: webserver-test ...................***Failed 3.02 sec
> Turning perftools heap leak checking off
> [==========] Running 18 tests from 1 test case.
> [----------] Global test environment set-up.
> [----------] 18 tests from Webserver
> [ RUN ] Webserver.SmokeTest
> [ OK ] Webserver.SmokeTest (18 ms)
> [ RUN ] Webserver.ArgsTest
> [ OK ] Webserver.ArgsTest (14 ms)
> [ RUN ] Webserver.JsonTest
> [ OK ] Webserver.JsonTest (11 ms)
> [ RUN ] Webserver.EscapingTest
> [ OK ] Webserver.EscapingTest (11 ms)
> [ RUN ] Webserver.EscapeErrorUriTest
> [ OK ] Webserver.EscapeErrorUriTest (11 ms)
> [ RUN ] Webserver.SslTest
> [ OK ] Webserver.SslTest (10 ms)
> [ RUN ] Webserver.SslBadCertTest
> [ OK ] Webserver.SslBadCertTest (0 ms)
> [ RUN ] Webserver.SslWithPrivateKeyPasswordTest
> [ OK ] Webserver.SslWithPrivateKeyPasswordTest (12 ms)
> [ RUN ] Webserver.SslBadPrivateKeyPasswordTest
> [ OK ] Webserver.SslBadPrivateKeyPasswordTest (2 ms)
> [ RUN ] Webserver.SslCipherSuite
> /home/ubuntu/Impala/be/src/util/webserver-test.cc:273: Failure
> Value of: status_.ok()
> Actual: false
> Expected: true
> Error: Webserver: Could not start on address 0.0.0.0:27890
> [ FAILED ] Webserver.SslCipherSuite (3 ms)
> [ RUN ] Webserver.SslBadTlsVersion
> [ OK ] Webserver.SslBadTlsVersion (1 ms)
> [ RUN ] Webserver.SslGoodTlsVersion
> [ OK ] Webserver.SslGoodTlsVersion (35 ms)
> [ RUN ] Webserver.StartWithPasswordFileTest
> [ OK ] Webserver.StartWithPasswordFileTest (11 ms)
> [ RUN ] Webserver.StartWithMissingPasswordFileTest
> [ OK ] Webserver.StartWithMissingPasswordFileTest (0 ms)
> [ RUN ] Webserver.DirectoryListingDisabledTest
> [ OK ] Webserver.DirectoryListingDisabledTest (10 ms)
> [ RUN ] Webserver.NoFrameEmbeddingTest
> [ OK ] Webserver.NoFrameEmbeddingTest (11 ms)
> [ RUN ] Webserver.FrameAllowEmbeddingTest
> [ OK ] Webserver.FrameAllowEmbeddingTest (11 ms)
> [ RUN ] Webserver.NullCharTest
> [ OK ] Webserver.NullCharTest (10 ms)
> [----------] 18 tests from Webserver (181 ms total)
> [----------] Global test environment tear-down
> [==========] 18 tests from 1 test case ran. (181 ms total)
> [ PASSED ] 17 tests.
> [ FAILED ] 1 test, listed below:
> [ FAILED ] Webserver.SslCipherSuite
> 1 FAILED TEST
> {code}
> Since we don't have regular tests on Ubuntu 18 (though arguably we should), I'm not making this a blocker.



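The "no cipher match" failures quoted above come from `SSL_CTX_set_cipher_list` rejecting a cipher string for which the local OpenSSL build has nothing to select. The following is an added example, not Impala code and not the fix applied for IMPALA-8563: it uses Python's `ssl.SSLContext.set_ciphers`, which wraps the same OpenSSL call, to probe cipher strings against the installed library so a test can pick one that is actually available. The candidate list and function names are constructed for illustration.

```python
import ssl


def resolve(cipher_string):
    """Return the TLS 1.2-and-below cipher names the local OpenSSL selects
    for cipher_string, or [] when it reports that no cipher matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)  # wraps SSL_CTX_set_cipher_list
    except ssl.SSLError:
        return []
    # TLS 1.3 suites are configured through a separate API and are listed
    # regardless of the cipher string, so they say nothing about the match.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def pick_test_cipher(candidates):
    """Return the first candidate the local library accepts, else None."""
    for cipher_string in candidates:
        if resolve(cipher_string):
            return cipher_string
    return None


# Constructed candidate list: the RC4 names stand in for the ciphers the
# issue says the tests used; the AES entries are possible replacements.
CANDIDATES = [
    "RC4-SHA",
    "RC4-MD5",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]


def report(candidates=CANDIDATES):
    """Map each candidate string to the cipher names it resolves to."""
    return {cs: resolve(cs) for cs in candidates}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for cs, names in report().items():
        print(f"{cs:32} {'accepted' if names else 'no cipher match'}")
    print("cipher to use in tests:", pick_test_cipher(CANDIDATES))
```

Running it on each build platform shows which hard-coded cipher strings would fail before the test suite does.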