Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Not A Bug
-
2.0.16
-
None
-
None
Description
When we set up a test in which a client connects to the server three times using TLS with a client cert, then on OracleJDK and OpenJDK the org.apache.mina.filter.ssl.SslClientCertTest.TrustAndStoreTrustManager.checkClientTrusted(X509Certificate[], String) method is invoked three times, while on IBM JDK, the same method is invoked only once.
I kindly ask for an explanation why this happens. I am not an expert in TLS and therefore I am not able to tell whether this is a bug in Mina, any of the JDKs, both or none.
Steps to reproduce:
(1) Prepare
git fetch https://github.com/ppalaga/mina.git refs/heads/DIRMINA-1067:DIRMINA-1067
git checkout DIRMINA-1067
mvn clean install -DskipTests
(2) Test with Oracle JDK or OpenJDK which both work as expected.
export JAVA_HOME=/path/to/OracleJDK # change this $JAVA_HOME/bin/java -version java version "1.8.0_121" Java(TM) SE Runtime Environment (build 1.8.0_121-b13) Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode) mvn test -Dtest=SslClientCertTest ... Running org.apache.mina.filter.ssl.SslClientCertTest [22:04:18] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing certs [22:04:19] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown [22:04:20] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown [22:04:22] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 5.032 sec - in org.apache.mina.filter.ssl.SslClientCertTest
Note that Adding cert ... appears three times in the log
(3) Test with IBM JDK
export JAVA_HOME=/path/to/IBMJDK $JAVA_HOME/bin/java -version java version "1.8.0" Java(TM) SE Runtime Environment (build pxa6480sr3fp12-20160919_01(SR3 FP12)) IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 20160915_318796 (JIT enabled, AOT enabled) J9VM - R28_Java8_SR3_20160915_0912_B318796 JIT - tr.r14.java.green_20160818_122998 GC - R28_Java8_SR3_20160915_0912_B318796_CMPRSS J9CL - 20160915_318796) JCL - 20160914_01 based on Oracle jdk8u101-b13 mvn surefire:test -Dtest=SslClientCertTest ... Running org.apache.mina.filter.ssl.SslClientCertTest [22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing certs [22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 5.5 sec <<< FAILURE! - in org.apache.mina.filter.ssl.SslClientCertTest testClientCerts(org.apache.mina.filter.ssl.SslClientCertTest) Time elapsed: 5.412 sec <<< FAILURE! java.lang.AssertionError: expected:<3> but was:<1>
Expected: testClientCerts should pass
Actual: testClientCerts fails
Background: I took ApacheDS to check that our LDAP client code in WildFly is sending the client certs properly, but the results on Oracle vs IBM were inconsistent. The code there https://github.com/wildfly/wildfly/pull/9961 does basically the same thing as the reproducer of the current issue https://github.com/apache/mina/pull/12