-
Notifications
You must be signed in to change notification settings - Fork 286
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSSLTest is not using the OpenSSL Provider #2301
Conversation
@peternied reopened this guy, was able to make it run with BoringSSL but found a number of issues on OpenSearch core side (opensearch-project/OpenSearch#5460) |
Codecov Report
@@ Coverage Diff @@
## main #2301 +/- ##
============================================
- Coverage 61.10% 61.03% -0.08%
+ Complexity 3272 3266 -6
============================================
Files 260 260
Lines 18369 18369
Branches 3251 3251
============================================
- Hits 11225 11212 -13
- Misses 5558 5566 +8
- Partials 1586 1591 +5
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
@@ -80,9 +80,9 @@ public void testHttps() throws Exception { | |||
.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) | |||
.put("plugins.security.ssl.http.clientauth_mode", "REQUIRE") | |||
.putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2") | |||
.putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256") | |||
.putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updating to GCM
since OpenSSL does not support CBC
for this particular cipher (the list of supported OpenSSL/BoringSSL ciphers is below):
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-PSK-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDHE-PSK-AES128-CBC-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
ECDHE-PSK-AES256-CBC-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA
PSK-AES128-CBC-SHA
AES256-SHA
PSK-AES256-CBC-SHA
DES-CBC3-SHA
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
AEAD-AES128-GCM-SHA256
AEAD-AES256-GCM-SHA384
AEAD-CHACHA20-POLY1305-SHA256
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for fixing this one @reta !
// Only osx-x86_64 and linux-x86_64 are available | ||
if (osdetector.classifier in ["osx-x86_64", "linux-x86_64"]) { | ||
testImplementation "io.netty:netty-tcnative-classes:2.0.54.Final" | ||
testImplementation "io.netty:netty-tcnative-boringssl-static:2.0.54.Final:${osdetector.classifier}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OpenSSL will still be broken for windows for now, am I understanding this right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good one, thanks for catching that, the assumption was for OpenSSL but BoringSSL has more platforms supported, updated the condition
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! thanks @reta !
@@ -66,7 +66,6 @@ public static void restoreNettyDefaultAllocator() { | |||
|
|||
@Before | |||
public void setup() { | |||
Assume.assumeFalse(PlatformDependent.isWindows()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch. Thanks @reta !
|
@@ -148,13 +150,37 @@ test { | |||
} | |||
} | |||
|
|||
//add new task that runs OpenSSL tests | |||
task opensslTest(type: Test) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cwperks it turned out that manipulation with system properties complicates OpenSSL tests (since OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED is initialized only once within same JVM and order matters a lot, otherwise tests are just ignored). So I have extracted OpenSSL tests into separate task opensslTest
which is run before test
.
Cool, OpenSSL tests are now run and failing, should be fixed by opensearch-project/OpenSearch#5460 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The corresponding PR in core was just merged. I will re-run the CI as soon as a new snapshot build is available. Great work @reta!
Thanks @cwperks ! The distribution build should be fixed by opensearch-project/sql#1148 but it is not merged yet :( |
1f1ff33
to
541db5b
Compare
Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
…em properties Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
@cwperks @DarshitChanpura I think we are good to go!
🥳 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@reta Awesome! Thank you for all of the hard work on this.
I will approve in a moment, but have one quick question. Will the OpenSSLTest
suite fail if it is not using the OpenSSL provider?
No, but it won't run - all tests will be ignored |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @reta !
The backport to
To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-2301-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d14143d315174a23a6ad215b71bd938a16c182ab
# Push it to GitHub
git push --set-upstream origin backport/backport-2301-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x Then, create a pull request where the |
* OpenSSLTest is not using the OpenSSL Provider Signed-off-by: Andriy Redko <andriy.redko@aiven.io> * Enable OpenSSLTest on Windows Signed-off-by: Andriy Redko <andriy.redko@aiven.io> * Extracted OpenSSL test into separate task to eliminate mess with system properties Signed-off-by: Andriy Redko <andriy.redko@aiven.io> Signed-off-by: Andriy Redko <andriy.redko@aiven.io> (cherry picked from commit d14143d) Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
* OpenSSLTest is not using the OpenSSL Provider * Enable OpenSSLTest on Windows * Extracted OpenSSL test into separate task to eliminate mess with system properties (cherry picked from commit d14143d) Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
Signed-off-by: Andriy Redko andriy.redko@aiven.io
Description
OpenSSLTest should be using the OpenSSL Provider. There are few issues with
netty-tcnative
and OpenSSL:compat-openssl10
Issues Resolved
Closes #2208
Is this a backport? If so, please add backport PR # and/or commits #
Testing
[Please provide details of testing done: unit testing, integration testing and manual testing]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.