8 Replies Latest reply on Aug 29, 2006 6:03 PM by Matt Wringe

    SSLUnitTestCase failures with the IBM JVM

    Matt Wringe Master

      Hi,

      I opened a bug about the org.jboss.test.web.test.ssl.SSLUnitTestCase failures when an IBM JVM is used (JBAS-3570), but looking into it more, I am wondering whether the failures may be more of a configuration issue.

      Initially, all org.jboss.test.web.test.ssl.SSLUnitTestCase tests fail, giving a Connection Refused error:


      java.net.ConnectException: Connection refused
      at java.net.PlainSocketImpl.socketConnect(Native Method)
      at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:336)
      at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:201)
      at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:188)


      Looking at the logs, this is failing due to the server trying to use the SunX509 algorithm. The IBM JVM uses the Ibmx509 algorithm instead.

      The algorithm can be changed in the server.xml of the jbossweb-tomcat55.sar, but then the server gives the following errors:

      Testcase: testHttps took 0.017 sec
      Caused an ERROR
      protocol version
      javax.net.ssl.SSLHandshakeException: protocol version
      at com.ibm.jsse.bv.a(Unknown Source)
      at com.ibm.jsse.b.a(Unknown Source)
      at com.ibm.jsse.b.write(Unknown Source)
      at org.apache.commons.httpclient.HttpConnection$WrappedOutputStream.write(HttpConnection.java:1360)
      at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:86)
      at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:144)
      at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:790)
      at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2271)
      at org.apache.commons.httpclient.HttpMethodBase.processRequest(HttpMethodBase.java:2651)
      at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1087)
      at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:643)
      at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:497)
      at org.jboss.test.web.test.ssl.SSLUnitTestCase.doHttps(SSLUnitTestCase.java:117)
      at org.jboss.test.web.test.ssl.SSLUnitTestCase.testHttps(SSLUnitTestCase.java:77)
      at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
      at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
      at junit.extensions.TestSetup.run(TestSetup.java:23)

      Any ideas on how to get these tests to pass with the IBM JVM?

        • 1. Re: SSLUnitTestCase failures with the IBM JVM
          Anil Saldanha Master

          What is the behavior when you specify

          sslProtocol="TLS"
          

          on the connector setting on the server side?

          • 2. Re: SSLUnitTestCase failures with the IBM JVM
            Matt Wringe Master

            The protocol is already set to TLS. Below is what is in the server.xml of the jbossweb-tomcat55.sar. The only thing changed from the default is the addition of "algorithm=IbmX509"

             <Connector port="8443" address="${jboss.bind.address}"
             maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
             scheme="https" secure="true" clientAuth="true"
             truststoreFile="${jboss.server.home.dir}/conf/localhost.keystore"
             truststorePass="unit-tests-server" algorithm="IbmX509"
             keystoreFile="${jboss.server.home.dir}/conf/localhost.keystore"
             keystorePass="unit-tests-server" sslProtocol = "TLS" />
            


            • 3. Re: SSLUnitTestCase failures with the IBM JVM
              Anil Saldanha Master

              I remember reading that if FIPS is enabled in the JSSE provider of the IBM JDK, then it does not support a lot of the ciphers. I am unsure if this is the case.

              • 4. Re: SSLUnitTestCase failures with the IBM JVM
                Matt Wringe Master

                FIPS is not enabled. The only providers I am using are the default providers.

                From java.security :

                security.provider.1=com.ibm.jsse.IBMJSSEProvider
                security.provider.2=com.ibm.crypto.provider.IBMJCE
                security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
                security.provider.4=com.ibm.security.cert.IBMCertPath
                


                • 5. Re: SSLUnitTestCase failures with the IBM JVM
                  Anil Saldanha Master

                  Clearly the two parties (server and client) are not agreeing on the ssl version. Do you get any useful info from "javax.net.debug" system property?


                  Also, the following property on the connector has worked in the past for customers:

                  sslProtocol = "SSL_TLS"
                  



                  There has been a user post in this area long ago:
                  http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3904527

                  • 6. Re: SSLUnitTestCase failures with the IBM JVM
                    Matt Wringe Master

                    Setting the protocol to SSL_TLS doesn't fix the problem; there are now "Unknown Certificate" errors along with the protocol version errors.

                    From the server side, javax.net.debug only displays information when the server starts; nothing gets displayed when the tests run.

                    From the client side, I am seeing nothing from javax.net.debug (although this might be an issue with how junit is handling it).

                    • 7. Re: SSLUnitTestCase failures with the IBM JVM
                      Anil Saldanha Master

                       

                      <Connector port="8443" address="${jboss.bind.address}"
                      maxThreads="100" strategy="ms" maxHttpHeaderSize="9192"
                      emptySessionPath="true"
                      scheme="https" secure="true" clientAuth="false"
                      keystoreFile="<keystore.pfx>"
                      keystorePass="<some_password>"
                      keystoreType="pkcs12"
                      algorithm="IbmX509"
                      sslProtocol = "SSL_TLS" />
                      


                      This is the connector setting that has worked on IBM JDK5. Check the keystore type (that indicates pkcs12).

                      • 8. Re: SSLUnitTestCase failures with the IBM JVM
                        Matt Wringe Master

                        The keystore type is not pkcs12 (it's JKS). This is the SSLUnitTestCase from the testsuite; no other changes have been made to it. This test passes when the Sun JDK is used, but always fails when the IBM JDK is used.

                        The only change I have done is adding algorithm=IbmX509 to the server.xml of the jbossweb-tomcat55.sar (none of the other suggestions have worked). This at least allows the server to start without error.

                        But I am still getting the protocol version error when the tests are run:

                        Testcase: testHttps took 0.017 sec
                        Caused an ERROR
                        protocol version
                        javax.net.ssl.SSLHandshakeException: protocol version
                        at com.ibm.jsse.bv.a(Unknown Source)
                        at com.ibm.jsse.b.a(Unknown Source)
                        at com.ibm.jsse.b.write(Unknown Source)
                        at org.apache.commons.httpclient.HttpConnection$WrappedOutputStream.write(HttpConnection.java:1360)
                        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:86)
                        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:144)
                        at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:790)
                        at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2271)
                        at org.apache.commons.httpclient.HttpMethodBase.processRequest(HttpMethodBase.java:2651)
                        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1087)
                        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:643)
                        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:497)
                        at org.jboss.test.web.test.ssl.SSLUnitTestCase.doHttps(SSLUnitTestCase.java:117)
                        at org.jboss.test.web.test.ssl.SSLUnitTestCase.testHttps(SSLUnitTestCase.java:77)
                        at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
                        at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
                        at junit.extensions.TestSetup.run(TestSetup.java:23)
                        


                        Any more help on this would be greatly appreciated.

                        PS: java.net.debug does not give nearly as much information when the IBM JVM is used.
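
An added example, not part of the thread or of the JBoss testsuite: a small JSSE inventory that prints which KeyManagerFactory algorithms (SunX509, IbmX509, ...) and which SSL/TLS protocol versions the running JVM offers, the two things the server and the test client disagree on above. The class name `JsseInventory` is hypothetical, and the code assumes Java 7 or later (`SSLContext.getDefault()` does not exist on the JDK 5 discussed in the thread).

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class JsseInventory {

    // Every "algorithm (provider)" pair registered for one JCA service type.
    static Set<String> algorithmsFor(String serviceType) {
        Set<String> names = new TreeSet<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if (s.getType().equals(serviceType)) {
                    names.add(s.getAlgorithm() + " (" + p.getName() + ")");
                }
            }
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        // Defaults are read from the ssl.*ManagerFactory.algorithm entries in java.security.
        System.out.println("default KeyManagerFactory:   " + KeyManagerFactory.getDefaultAlgorithm());
        System.out.println("default TrustManagerFactory: " + TrustManagerFactory.getDefaultAlgorithm());

        for (String type : new String[] {"KeyManagerFactory", "TrustManagerFactory", "SSLContext"}) {
            System.out.println(type + ": " + algorithmsFor(type));
        }

        // Protocol versions the default context can negotiate vs. those switched on.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("supported protocols: " + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("enabled protocols:   " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        // Optional argument: the value intended for the connector's algorithm attribute.
        if (args.length > 0) {
            try {
                KeyManagerFactory.getInstance(args[0]);
                System.out.println(args[0] + ": available");
            } catch (NoSuchAlgorithmException e) {
                System.out.println(args[0] + ": NOT available in this JVM");
            }
        }
    }
}
```

Run it once under the JVM that starts the server and once under the JVM that runs the tests, passing the connector's `algorithm` value as the argument, and compare the two outputs.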