Uploaded image for project: 'MINA'
  1. MINA
  2. DIRMINA-1067

checkClientTrusted() invoked just once on IBM JRE

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Not A Bug
    • 2.0.16
    • None
    • Core
    • None

    Description

      When we set up a test in which a client connects to the server three times using TLS with a client cert, then on OracleJDK and OpenJDK the org.apache.mina.filter.ssl.SslClientCertTest.TrustAndStoreTrustManager.checkClientTrusted(X509Certificate[], String) method is invoked three times, while on IBM JDK, the same method is invoked only once.

      I kindly ask for an explanation why this happens. I am not an expert in TLS and therefore I am not able to tell whether this is a bug in Mina, any of the JDKs, both or none.

      Steps to reproduce:

      (1) Prepare

      git fetch https://github.com/ppalaga/mina.git  refs/heads/DIRMINA-1067:DIRMINA-1067
git checkout DIRMINA-1067
mvn clean install -DskipTests

      (2) Test with Oracle JDK or OpenJDK which both work as expected.

      export JAVA_HOME=/path/to/OracleJDK # change this
$JAVA_HOME/bin/java -version
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)

mvn test -Dtest=SslClientCertTest
...
Running org.apache.mina.filter.ssl.SslClientCertTest
[22:04:18] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing certs
[22:04:19] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
[22:04:20] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
[22:04:22] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 5.032 sec - in org.apache.mina.filter.ssl.SslClientCertTest

      Note that Adding cert ... appears three times in the log

      (3) Test with IBM JDK

      export JAVA_HOME=/path/to/IBMJDK

$JAVA_HOME/bin/java -version
java version "1.8.0"
Java(TM) SE Runtime Environment (build pxa6480sr3fp12-20160919_01(SR3 FP12))
IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 20160915_318796 (JIT enabled, AOT enabled)
J9VM - R28_Java8_SR3_20160915_0912_B318796
JIT  - tr.r14.java.green_20160818_122998
GC   - R28_Java8_SR3_20160915_0912_B318796_CMPRSS
J9CL - 20160915_318796)
JCL - 20160914_01 based on Oracle jdk8u101-b13

mvn surefire:test -Dtest=SslClientCertTest 
...
Running org.apache.mina.filter.ssl.SslClientCertTest
[22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing certs
[22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 5.5 sec <<< FAILURE! - in org.apache.mina.filter.ssl.SslClientCertTest
testClientCerts(org.apache.mina.filter.ssl.SslClientCertTest)  Time elapsed: 5.412 sec  <<< FAILURE!
java.lang.AssertionError: expected:<3> but was:<1>

      Expected: testClientCerts should pass
      Actual: testClientCerts fails

      Background: I took ApacheDS to check that our LDAP client code in WildFly is sending the client certs properly, but the results on Oracle vs IBM were inconsistent. The code there https://github.com/wildfly/wildfly/pull/9961 does basically the same thing as the reproducer of the current issue https://github.com/apache/mina/pull/12

      Attachments

        Activity

          People

            Unassigned Unassigned
            ppalaga Peter Palaga
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 10m
                10m