Derby / DERBY-5141

SSLTest fails with java.net.SocketException: Default SSL context init failed: null

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 10.7.1.1
    • Fix Version/s: None
    • Component/s: Test
    • Labels:
      None
    • Environment:
      Suse Linux, IBM Classic jvm 1.4.2, build cxia32142ifx-20110215 (SR13 FP8+PM31983) (JIT enabled: jitc))

      Description

      With the latest upgrade to the ibm 1.4.2 jvm (SR13FP8) I see this failure with the SSLTest:

      START-SPAWNED:SpawnedNetworkServer STANDARD OUTPUT: exit code=1
      Thu Mar 17 09:52:31 PDT 2011 : Security manager installed using the Basic server security policy.
      Thu Mar 17 09:52:31 PDT 2011 : Could not listen on port 1527 on host localhost:
      java.net.SocketException: Default SSL context init failed: null
      END-SPAWNED :SpawnedNetworkServer STANDARD OUTPUT:
      FSTART-SPAWNED:SpawnedNetworkServer STANDARD OUTPUT: exit code=1
      Thu Mar 17 09:53:11 PDT 2011 : Security manager installed using the Basic server security policy.
      Thu Mar 17 09:53:12 PDT 2011 : Could not listen on port 1527 on host localhost:
      java.net.SocketException: Default SSL context init failed: null
      END-SPAWNED :SpawnedNetworkServer STANDARD OUTPUT:
      F
      Time: 82.419
      There were 2 failures:
      1) testSSLBasicDSConnect(org.apache.derbyTesting.functionTests.tests.derbynet.SSLTest) junit.framework.AssertionFailedError: Timed out waiting for network server to start:Spawned SpawnedNetworkServer exitCode=1
      STDOUT:
      Thu Mar 17 09:52:31 PDT 2011 : Security manager installed using the Basic server security policy.
      Thu Mar 17 09:52:31 PDT 2011 : Could not listen on port 1527 on host localhost:
      java.net.SocketException: Default SSL context init failed: null

      at org.apache.derbyTesting.junit.NetworkServerTestSetup.setUp(NetworkServerTestSetup.java:204)
      at junit.extensions.TestSetup$1.protect(TestSetup.java:18)
      at junit.extensions.TestSetup.run(TestSetup.java:23)
      at org.apache.derbyTesting.junit.BaseTestSetup.run(BaseTestSetup.java:57)
      at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
      at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
      at junit.extensions.TestSetup.run(TestSetup.java:23)
      at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
      at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
      at junit.extensions.TestSetup.run(TestSetup.java:23)
      at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
      at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
      at junit.extensions.TestSetup.run(TestSetup.java:23)
      2) testSSLBasicDSPlainConnect(org.apache.derbyTesting.functionTests.tests.derbynet.SSLTest) junit.framework.AssertionFailedError: Timed out waiting for network server to start:Spawned SpawnedNetworkServer exitCode=1
      STDOUT:
      Thu Mar 17 09:53:11 PDT 2011 : Security manager installed using the Basic server security policy.
      Thu Mar 17 09:53:12 PDT 2011 : Could not listen on port 1527 on host localhost:
      java.net.SocketException: Default SSL context init failed: null

      at org.apache.derbyTesting.junit.NetworkServerTestSetup.setUp(NetworkServerTestSetup.java:204)
      at junit.extensions.TestSetup$1.protect(TestSetup.java:18)
      at junit.extensions.TestSetup.run(TestSetup.java:23)
      at org.apache.derbyTesting.junit.BaseTestSetup.run(BaseTestSetup.java:57)
      at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
      at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
      at junit.extensions.TestSetup.run(TestSetup.java:23)
      at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
      at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
      at junit.extensions.TestSetup.run(TestSetup.java:23)
      at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
      at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
      at junit.extensions.TestSetup.run(TestSetup.java:23)
      at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
      at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
      at junit.extensions.TestSetup.run(TestSetup.java:23)

      derby.log only has:
      Thu Mar 17 09:53:12 PDT 2011 : Could not listen on port 1527 on host localhost:
      java.net.SocketException: Default SSL context init failed: null

      There are no other files.

      This worked fine with the latest ibm 1.5 version (sr12 fp4), and with ibm 1.4.2 sr13 fp4 (I don't know about fp5, 6, or 7), so it could be a jvm issue.

      1. reproderby5141.zip
        3.21 MB
        Kathey Marsden

        Activity

        Knut Anders Hatlen added a comment -

        [bulk update] Close all resolved issues that haven't been updated for more than one year.

        Kathey Marsden added a comment -

        A bit more information:
        JSSE is the default implementation for 1.4.2 but you can switch to JSSE2.
        To switch to JSSE2 you need to follow the next steps:
        1. Ensure the JSSE2 provider is added and listed just above JSSE in the java.security file
        2. Ensure that the socket factories in the java.security file are set to use the JSSE2 ones:
        ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
        ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl

        Kathey Marsden added a comment -

        Another recommendation on this issue is to consider switching to IBMJSSE2 since the IBMJSSE provider is deprecated and will not be available in Java 5.0 and above. I found this bit of information on the topic, but it is not clear to me where we specify the provider, but I will leave it here as a breadcrumb for future generations. There may also be a tech note published. For nightly testing I think using the work-around in the previous comment is sufficient.

        http://publib.boulder.ibm.com/infocenter/realtime/v1r0/topic/com.ibm.rt.doc.10/security/jsse2/ibmjsse2_differences_ibmjsse.html

        Kathey Marsden added a comment -

        I have another workaround for this issue.
        The problem happens because the certificate "entrustrootcag2", which is signed with the SHA256withRSA algorithm, is added to the default keystore "cacerts" in the 1.4.2 JVM. As SHA256withRSA is not supported in 1.4.2, the exception will be thrown when the keystore is initialized.

        If you don't require this certificate, please delete it from the default cacerts keystore (the default password for cacerts is "changeit"):

        keytool -delete -alias entrustrootcag2 -keystore ./cacerts

        I confirmed derbynet.SSL test passed with this workaround run on jre/lib/security/cacerts
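
An added example (not part of the original comment or of Derby's test harness): before deleting anything from cacerts, this lists which entries carry a signature algorithm outside a supported set, by parsing `keytool -list -v` output. The supported-algorithm list, the function names, the second alias and the sample listing are constructed for illustration, and the parser assumes a keytool that prints a `Signature algorithm name:` line for each entry.

```shell
#!/bin/sh
# Added example: report trust-store entries whose certificate signature
# algorithm is outside a supported set, from `keytool -list -v` output.

# Algorithms treated as supported by the old provider. Constructed list for
# illustration; adjust it to the provider actually in use.
SUPPORTED_SIGALGS="MD2withRSA MD5withRSA SHA1withRSA SHA1withDSA"

# Reads `keytool -list -v` text on stdin and prints "alias<TAB>algorithm"
# for every entry whose signature algorithm is not in SUPPORTED_SIGALGS.
flag_unsupported_sigalgs() {
    awk -v supported="$SUPPORTED_SIGALGS" '
        BEGIN {
            n = split(supported, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Remember the alias of the entry currently being read.
        /^Alias name: / { alias = substr($0, 13) }
        # Field 4 is the algorithm; any trailing annotation is ignored.
        /^Signature algorithm name: / {
            alg = $4
            if (!(alg in ok)) printf "%s\t%s\n", alias, alg
        }
    '
}

# Constructed, trimmed sample of a verbose keystore listing. The second
# alias is made up for the example.
sample_listing() {
    cat <<'EOF'
Alias name: entrustrootcag2
Entry type: trustedCertEntry
Signature algorithm name: SHA256withRSA

Alias name: examplerootca1
Entry type: trustedCertEntry
Signature algorithm name: SHA1withRSA
EOF
}

# Demo on the constructed sample. Against a real store, work on a copy:
#   keytool -list -v -keystore ./cacerts -storepass changeit | flag_unsupported_sigalgs
sample_listing | flag_unsupported_sigalgs
```

Removing a root from the JRE-wide cacerts changes trust for every application on that JVM, so the listing is best run on a copy that is then passed with -Djavax.net.ssl.trustStore.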

        Kathey Marsden added a comment -

        The person working on the issue for the jvm notes the following workaround.
        If we explicitly add the trustStore and its password in the start.sh file, then the error is not present:
        -Djavax.net.ssl.trustStore=extinout/SSLTestServerKey.key -Djavax.net.ssl.trustStorePassword=qwerty

        Myrna van Lunteren added a comment -

        I thought this only occurred on Linux, but it seems it might also be happening on Windows, for I noticed a similar failure with 10.4 (the only environment where our nightly tests run SSLTest with ibm 1.4.2 on Windows): for instance, http://people.apache.org/~myrnavl/derby_test_results/v10_4/windows/testlog/ibm142/1085632-suites.All_diff.txt.

        Kathey Marsden added a comment -

        I attached a reproduction outside of the harness, but have not been able to isolate it outside of Derby.
        To run the reproduction on Linux:
        0) Unzip reproderby5141.zip and cd to the test directory
        1) Change env.sh to match your environment for TESTDIR IBM142FP5 IBM142FP6
        2) . ./env.sh to set up your environment. (I would suggest first starting with JAVA_HOME set to IBM142FP5 to make sure the test case works, as small environment issues can cause the same error.)
        3) Run start.sh

        With FP5 you will see the expected behavior:
        Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2)
        Classic VM (build 1.4.2, J2RE 1.4.2 IBM build cxia32142ifx-20100705 (SR13 FP5) (
        JIT enabled: jitc))
        kmarsden@kmarsden-ln2:~/repro/derby-5141> ./start.sh
        Mon Mar 28 16:19:19 PDT 2011 : Security manager installed using the Basic server
        security policy.
        Mon Mar 28 16:19:20 PDT 2011 : Apache Derby Network Server - 10.8.0.1 alpha - (1
        084778M) started and ready to accept SSL connections on port 1527

        (To stop the server, you can press <ctrl c> or run shutdown.sh from another window after sourcing env.sh.)

        With FP6 you will see the error:
        kmarsden@kmarsden-ln2:~/repro/derby-5141> ./start.sh
        Mon Mar 28 16:24:08 PDT 2011 : Security manager installed using the Basic server
        security policy.
        Mon Mar 28 16:24:09 PDT 2011 : Could not listen on port 1527 on host localhost:
        java.net.SocketException: Default SSL context init failed: null
        Mon Mar 28 16:24:09 PDT 2011 : DRDA_ListenPort.S:Could not listen on port 1527 o
        n host localhost:
        java.net.SocketException: Default SSL context init failed: null
        java.lang.Exception: DRDA_ListenPort.S:Could not listen on port 1527 on host loc
        alhost:
        java.net.SocketException: Default SSL context init failed: null
        at org.apache.derby.impl.drda.NetworkServerControlImpl.consolePropertyMe
        ssageWork(Unknown Source)
        at org.apache.derby.impl.drda.NetworkServerControlImpl.consolePropertyMe
        ssage(Unknown Source)
        at org.apache.derby.impl.drda.NetworkServerControlImpl.blockingStart(Unk
        nown Source)
        at org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unkno
        wn Source)
        at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)

        This problem also occurs with the latest IBM 1.4.2 fixpack SR13 FP8 but may have been introduced with this FP6 APAR, which you can view here: http://www-01.ibm.com/support/docview.wss?uid=swg1IZ75870

        Kathey Marsden added a comment -

        Not a derby issue.

        Kathey Marsden added a comment -

        This first appeared in IBM 1.4.2 FP6. The problem does not appear with:
        java version "1.4.2"
        Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2)
        Classic VM (build 1.4.2, J2RE 1.4.2 IBM build cxia32142ifx-20100705 (SR13 FP5) (
        JIT enabled: jitc))

        but does with
        java version "1.4.2"
        Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2)
        Classic VM (build 1.4.2, J2RE 1.4.2 IBM build cxia32142ifx-20100918 (SR13 FP6) (
        JIT enabled: jitc))

        The problem may have been introduced with the fix for this APAR:
        http://www-01.ibm.com/support/docview.wss?uid=swg1IZ75870.

        I will close the issue invalid and file a jvm issue.


          People

          • Assignee:
            Unassigned
            Reporter:
            Myrna van Lunteren
          • Votes:
            0
            Watchers:
            1
