Posted to dev@lucene.apache.org by "Hoss Man (JIRA)" <ji...@apache.org> on 2019/07/01 17:53:00 UTC

[jira] [Resolved] (SOLR-12988) Known OpenJDK >= 11 SSL (TLSv1.3) bugs can cause problems with Solr

     [ https://issues.apache.org/jira/browse/SOLR-12988?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hoss Man resolved SOLR-12988.
-----------------------------
    Resolution: Workaround

With the jenkins servers upgraded, and the new SSLTestConfig assumptions in place I haven't seen any (obvious) signs of any other OpenJDK-related SSL bugs in the solr tests ... if more are identified we can update the issue description to list them here.

I've also created SOLR-13594 to track the (eventual) need to enable SSL testing on java-13-ea once the known bugs are addressed (but fortunately, the way the suppression logic is implemented, it explicitly checks for "ea" builds ... so even if we never get a chance to proactively test on future java-13-ea builds, once java-13 final comes out, the tests _will_ try SSL on them automatically)

> Known OpenJDK >= 11 SSL (TLSv1.3) bugs can cause problems with Solr
> -------------------------------------------------------------------
>
>                 Key: SOLR-12988
>                 URL: https://issues.apache.org/jira/browse/SOLR-12988
>             Project: Solr
>          Issue Type: Test
>            Reporter: Hoss Man
>            Assignee: Cao Manh Dat
>            Priority: Major
>              Labels: Java11, Java12, Java13
>         Attachments: SOLR-12988.patch, SOLR-12988.patch, SOLR-12988.patch, SOLR-13413.patch
>
>
> There are several known OpenJDK JVM bugs (beginning with Java11, when TLS v1.3 support was first added) that are known to affect Solr's SSL support, and have caused numerous test failures -- notably early "testing" builds of OpenJDK 11, 12, & 13, as well as the officially released OpenJDK 11, 11.0.1, and 11.0.2.
> From the standpoint of the Solr project, there is very little we can do to mitigate these bugs, and we have taken steps to ensure any code using our {{SSLTestConfig}} / {{RandomizeSSL}} test-framework classes will be "SKIPed" with an {{AssumptionViolatedException}} when used on JVMs that are known to be problematic.
> Users who encounter any of the types of failures described below, or developers who encounter test runs that "SKIP" with a message referring to this issue ID, are encouraged to upgrade their JVM (or as a last resort: try disabling "TLSv1.3" in your JVM security properties).
> ----
> Examples of known bugs as they have manifested in Solr tests...
> * https://bugs.openjdk.java.net/browse/JDK-8212885
> ** "TLS 1.3 resumed session does not retain peer certificate chain"
> ** affects users with {{checkPeerNames=true}} in your SSL configuration
> ** causes 100% failure rate in Solr's {{TestMiniSolrCloudClusterSSL.testSslWithCheckPeerName}}
> ** can result in exceptions for SolrJ users, or in solr cloud server logs when making intra-node requests, with a root cause of "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated"
> ** {noformat}
>    [junit4]   2> Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>    [junit4]   2> 	at java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:526)
>    [junit4]   2> 	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:464)
>    [junit4]   2> 	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
>    [junit4]   2> 	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
>    [junit4]   2> 	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>    [junit4]   2> 	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
>    [junit4]   2> 	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
>    [junit4]   2> 	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
>    [junit4]   2> 	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
>    [junit4]   2> 	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>    [junit4]   2> 	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
>    [junit4]   2> 	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
>    [junit4]   2> 	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
>    [junit4]   2> 	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>    [junit4]   2> 	at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:542)
> {noformat}
> * https://bugs.openjdk.java.net/browse/JDK-8213202
> ** "Possible race condition in TLS 1.3 session resumption"
> ** May affect any and all Solr SSL users, although noted only in tests when "clientAuth" was configured to be false
> ** Causes non-reproducing test failures, and sporadic end user exceptions with a root cause of "javax.net.ssl.SSLException: Received fatal alert: internal_error "
> ** SSL Debugging may indicate "Fatal (INTERNAL_ERROR): Session has no PSK"
> ** {noformat}
>    [junit4]   2> Caused by: javax.net.ssl.SSLException: Received fatal alert: internal_error
>    [junit4]   2>        at sun.security.ssl.Alert.createSSLException(Alert.java:129) ~[?:?]
>    [junit4]   2>        at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
>    [junit4]   2>        at sun.security.ssl.TransportContext.fatal(TransportContext.java:308) ~[?:?]
>    [junit4]   2>        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279) ~[?:?]
>    [junit4]   2>        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:181) ~[?:?]
>    [junit4]   2>        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:164) ~[?:?]
>    [junit4]   2>        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152) ~[?:?]
>    [junit4]   2>        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063) ~[?:?]
>    [junit4]   2>        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402) ~[?:?]
>    [junit4]   2>        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396) ~[httpclient-4.5.6.jar:4.5.6]
>    [junit4]   2>        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) ~[httpclient-4.5.6.jar:4.5.6]
>    [junit4]   2>        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) ~[httpclient-4.5.6.jar:4.5.6]
>    [junit4]   2>        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373) ~[httpclient-4.5.6.jar:4.5.6]
>    [junit4]   2>        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394) ~[httpclient-4.5.6.jar:4.5.6]
>    [junit4]   2>        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237) ~[httpclient-4.5.6.jar:4.5.6]
>    [junit4]   2>        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) ~[httpclient-4.5.6.jar:4.5.6]
>    [junit4]   2>        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) ~[httpclient-4.5.6.jar:4.5.6]
>    [junit4]   2>        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) ~[httpclient-4.5.6.jar:4.5.6]
>    [junit4]   2>        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.6.jar:4.5.6]
>    [junit4]   2>        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.6.jar:4.5.6]
>    [junit4]   2>        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.6.jar:4.5.6]
>    [junit4]   2>        at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:555) ~[java/:?]
>    [junit4]   2>        ... 13 more
> {noformat}
> * https://bugs.openjdk.java.net/browse/JDK-8224829
> ** "AsyncSSLSocketClose.java has timing issue"
> ** May affect any and all Solr SSL users running early testing versions of java 13 or 14.
> ** Causes non-reproducing test failures, and sporadic end user exceptions with a root cause of "javax.net.ssl.SSLException: Software caused connection abort: recv failed"
> ** {noformat}
> javax.net.ssl.SSLException: Software caused connection abort: recv failed
>         at __randomizedtesting.SeedInfo.seed([AA73C7E858ABD2EE:88D2A395FDC7B4AB]:0)
>         at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:127)
>         at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
>         at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
>         at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
>         at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1501)
>         at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:935)
>         at org.apache.http.impl.io.SessionInputBufferImpl.streamRead(SessionInputBufferImpl.java:137)
>         at org.apache.http.impl.io.SessionInputBufferImpl.fillBuffer(SessionInputBufferImpl.java:153)
>         at org.apache.http.impl.io.SessionInputBufferImpl.readLine(SessionInputBufferImpl.java:282)
>         at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:138)
>         at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:56)
>         at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:259)
>         at org.apache.http.impl.DefaultBHttpClientConnection.receiveResponseHeader(DefaultBHttpClientConnection.java:163)
>         at org.apache.http.impl.conn.CPoolProxy.receiveResponseHeader(CPoolProxy.java:165)
>         at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:273)
>         at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:125)
>         at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:272)
>         at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
>         at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>         at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>         at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
>         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
> {noformat}
> * https://bugs.openjdk.java.net/browse/JDK-8226338
> ** "Updates to Stateless Resumption"
> ** May affect any and all Solr SSL servers running early testing or EA builds of java 13 or 14
> ** Causes reliably reproducing test failures, and Solr server exceptions with a root cause of "java.lang.NullPointerException" in "java.base/sun.security.ssl.SSLSessionImpl.getValue" (or other "Value" related methods in SSLSessionImpl)
> ** {noformat}
> java.lang.NullPointerException
> at java.base/sun.security.ssl.SSLSessionImpl.getValue(SSLSessionImpl.java:1253)
> at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:230)
> at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:170)
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:363)
> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
> at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
> at org.eclipse.jetty.io.ssl.SslConnection$1.run(SslConnection.java:144)
> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:781)
> at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:917)
> at java.base/java.lang.Thread.run(Thread.java:830) 
> {noformat}
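
A log-triage sketch for the signatures listed in the issue description, added here as an example and not taken from Solr or the JIRA issue: it maps root-cause messages and nearby stack frames to the OpenJDK bug IDs above. The names `SIGNATURES`, `frames_below` and `classify` are hypothetical, and a hit is only a candidate to confirm against the JVM version in use.

```python
import re

# (bug id, root-cause message regex, regex a stack frame just below it must
# match, or None when the message alone is the signature); strings are from the issue.
SIGNATURES = [
    ("JDK-8212885", r"SSLPeerUnverifiedException: peer not authenticated",
     r"SSLSessionImpl\.getPeerCertificates\("),
    ("JDK-8213202", r"SSLException: Received fatal alert: internal_error", None),
    ("JDK-8213202", r"Fatal \(INTERNAL_ERROR\): Session has no PSK", None),
    ("JDK-8224829", r"SSLException: Software caused connection abort: recv failed", None),
    ("JDK-8226338", r"java\.lang\.NullPointerException",
     r"sun\.security\.ssl\.SSLSessionImpl\.\w*Value\w*\("),
]
JUNIT_PREFIX = re.compile(r"^\s*\[junit4\]\s+\d+>\s?")  # test-runner line prefix
FRAME = re.compile(r"^\s*at\s+\S+\(")                   # a Java stack frame

def frames_below(lines, i, window):
    """Collect up to `window` consecutive stack frames directly after line i."""
    out = []
    for line in lines[i + 1:i + 1 + window]:
        if not FRAME.match(line):
            break
        out.append(line)
    return out

def classify(log_text, window=3):
    """Return the sorted JDK bug ids whose signature appears in log_text."""
    lines = [JUNIT_PREFIX.sub("", raw) for raw in log_text.splitlines()]
    hits = set()
    for i, line in enumerate(lines):
        for bug, msg_re, frame_re in SIGNATURES:
            if not re.search(msg_re, line):
                continue
            # Frame-qualified signatures skip exceptions raised outside SSLSessionImpl.
            if frame_re is None or any(
                    re.search(frame_re, f) for f in frames_below(lines, i, window)):
                hits.add(bug)
    return sorted(hits)

# Constructed sample: two excerpts from the traces above plus an unrelated NPE.
SAMPLE = """\
   [junit4]   2> Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
   [junit4]   2> \tat java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:526)
java.lang.NullPointerException
at com.example.Unrelated.handle(Unrelated.java:10)
java.lang.NullPointerException
at java.base/sun.security.ssl.SSLSessionImpl.getValue(SSLSessionImpl.java:1253)
"""
```

Calling `classify(SAMPLE)` reports JDK-8212885 and JDK-8226338 and ignores the NPE whose top frame is outside `SSLSessionImpl`.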


