Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-8563

BE tests specifying their own SSL cipher sets fail on Ubuntu 18

Agile BoardAttach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • Impala 3.2.0
    • Impala 3.3.0
    • Infrastructure
    • None
    • ghx-label-8

    Description

      Ubuntu 18.04 upgraded OpenSSL to 1.1.0, which raised the bar in what ciphers are considered "strong".

      Some of the Impala BE tests specify their own ciphers for various test purposes. These tests use RC4, which is no longer accepted by OpenSSL by default, making these tests fail on Ubuntu 18.04. Affected tests are:

      • rpc-mgr-test
      • thrift-server-test
      • webserver-test
      56/104 Test #56: thrift-util-test ................. Passed 3.34 sec
      Start 57: thrift-server-test
      57/104 Test #57: thrift-server-test ...............***Exception: SegFault 4.25 sec
      Turning perftools heap leak checking off
      Loading random data
      Initializing database 'de52-8af6-6a92-1e99/krb5kdc/principal' for realm 'KRBTEST.COM',
      master key name 'K/M@KRBTEST.COM'
      Apr 18 22:20:43 ip-172-31-7-143 krb5kdc[25358](info): setting up network...
      krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
      Apr 18 22:20:43 ip-172-31-7-143 krb5kdc[25358](info): set up 2 sockets
      Apr 18 22:20:43 ip-172-31-7-143 krb5kdc[25358](info): commencing operation
      krb5kdc: starting...
      WARNING: no policy specified for impala/localhost@KRBTEST.COM; defaulting to no policy
      Authenticating as principal ubuntu/admin@KRBTEST.COM with password.
      Principal "impala/localhost@KRBTEST.COM" created.
      Authenticating as principal ubuntu/admin@KRBTEST.COM with password.
      Entry for principal impala/localhost with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:de52-8af6-6a92-1e99/krb5kdc/impala_localhost.keytab.
      Entry for principal impala/localhost with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:de52-8af6-6a92-1e99/krb5kdc/impala_localhost.keytab.
      [==========] Running 16 tests from 6 test cases.
      [----------] Global test environment set-up.
      [----------] 1 test from ThriftTestBase
      [ RUN ] ThriftTestBase.Connectivity
      [ OK ] ThriftTestBase.Connectivity (85 ms)
      [----------] 1 test from ThriftTestBase (85 ms total)
      
      [----------] 8 tests from SslTest
      [ RUN ] SslTest.BadCertificate
      [ OK ] SslTest.BadCertificate (17 ms)
      [ RUN ] SslTest.ClientBeforeServer
      [ OK ] SslTest.ClientBeforeServer (4 ms)
      [ RUN ] SslTest.BadCiphers
      [ OK ] SslTest.BadCiphers (1 ms)
      [ RUN ] SslTest.MismatchedCiphers
      /home/ubuntu/Impala/be/src/rpc/thrift-server-test.cc:314: Failure
      Value of: status_.ok()
      Actual: false
      Expected: true
      Error: SSL socket creation failed: SSL_CTX_set_cipher_list: no cipher match
      
      /home/ubuntu/Impala/be/src/rpc/thrift-server-test.cc:322: Failure
      Value of: status_.ok()
      Actual: false
      Expected: true
      Error: SSL socket creation failed: SSL_CTX_set_cipher_list: no cipher match
      
      Wrote minidump to /home/ubuntu/Impala/logs/be_tests/minidumps/thrift-server-test/3c9581c6-3007-4582-2f9967bb-c5fc4825.dmp
      Wrote minidump to /home/ubuntu/Impala/logs/be_tests/minidumps/thrift-server-test/3c9581c6-3007-4582-2f9967bb-c5fc4825.dmp
      
              Start  59: rpc-mgr-test
       59/104 Test  #59: rpc-mgr-test .....................***Failed    5.13 sec
      Turning perftools heap leak checking off
      [==========] Running 11 tests from 1 test case.
      [----------] Global test environment set-up.
      [----------] 11 tests from RpcMgrTest
      [ RUN      ] RpcMgrTest.MultipleServicesTls
      19/04/18 22:20:51 INFO util.JvmPauseMonitor: Starting JVM pause monitor
      [       OK ] RpcMgrTest.MultipleServicesTls (923 ms)
      [ RUN      ] RpcMgrTest.MultipleServices
      [       OK ] RpcMgrTest.MultipleServices (61 ms)
      [ RUN      ] RpcMgrTest.BadCertificateTls
      [       OK ] RpcMgrTest.BadCertificateTls (35 ms)
      [ RUN      ] RpcMgrTest.BadPasswordTls
      [       OK ] RpcMgrTest.BadPasswordTls (58 ms)
      [ RUN      ] RpcMgrTest.CorrectPasswordTls
      [       OK ] RpcMgrTest.CorrectPasswordTls (61 ms)
      [ RUN      ] RpcMgrTest.BadCiphersTls
      [       OK ] RpcMgrTest.BadCiphersTls (34 ms)
      [ RUN      ] RpcMgrTest.ValidCiphersTls
      /home/ubuntu/Impala/be/src/rpc/rpc-mgr-test.cc:142: Failure
      Value of: status_.ok()
        Actual: false
      Expected: true
      Error: Could not build messenger: Runtime error: failed to set TLS ciphers: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2129
      
      [  FAILED  ] RpcMgrTest.ValidCiphersTls (32 ms)
      [ RUN      ] RpcMgrTest.ValidMultiCiphersTls
      /home/ubuntu/Impala/be/src/rpc/rpc-mgr-test.cc:161: Failure
      Value of: status_.ok()
        Actual: false
      Expected: true
      Error: Could not build messenger: Runtime error: failed to set TLS ciphers: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2129
      
      [  FAILED  ] RpcMgrTest.ValidMultiCiphersTls (44 ms)
      [ RUN      ] RpcMgrTest.SlowCallback
      [       OK ] RpcMgrTest.SlowCallback (333 ms)
      [ RUN      ] RpcMgrTest.AsyncCall
      [       OK ] RpcMgrTest.AsyncCall (36 ms)
      [ RUN      ] RpcMgrTest.NegotiationTimeout
      [       OK ] RpcMgrTest.NegotiationTimeout (35 ms)
      [----------] 11 tests from RpcMgrTest (1652 ms total)
      
      [----------] Global test environment tear-down
      [==========] 11 tests from 1 test case ran. (1652 ms total)
      [  PASSED  ] 9 tests.
      [  FAILED  ] 2 tests, listed below:
      [  FAILED  ] RpcMgrTest.ValidCiphersTls
      [  FAILED  ] RpcMgrTest.ValidMultiCiphersTls
      
       2 FAILED TESTS
      
      Start 102: webserver-test
      102/104 Test #102: webserver-test ...................***Failed 3.02 sec
      Turning perftools heap leak checking off
      [==========] Running 18 tests from 1 test case.
      [----------] Global test environment set-up.
      [----------] 18 tests from Webserver
      [ RUN ] Webserver.SmokeTest
      [ OK ] Webserver.SmokeTest (18 ms)
      [ RUN ] Webserver.ArgsTest
      [ OK ] Webserver.ArgsTest (14 ms)
      [ RUN ] Webserver.JsonTest
      [ OK ] Webserver.JsonTest (11 ms)
      [ RUN ] Webserver.EscapingTest
      [ OK ] Webserver.EscapingTest (11 ms)
      [ RUN ] Webserver.EscapeErrorUriTest
      [ OK ] Webserver.EscapeErrorUriTest (11 ms)
      [ RUN ] Webserver.SslTest
      [ OK ] Webserver.SslTest (10 ms)
      [ RUN ] Webserver.SslBadCertTest
      [ OK ] Webserver.SslBadCertTest (0 ms)
      [ RUN ] Webserver.SslWithPrivateKeyPasswordTest
      [ OK ] Webserver.SslWithPrivateKeyPasswordTest (12 ms)
      [ RUN ] Webserver.SslBadPrivateKeyPasswordTest
      [ OK ] Webserver.SslBadPrivateKeyPasswordTest (2 ms)
      [ RUN ] Webserver.SslCipherSuite
      /home/ubuntu/Impala/be/src/util/webserver-test.cc:273: Failure
      Value of: status_.ok()
      Actual: false
      Expected: true
      Error: Webserver: Could not start on address 0.0.0.0:27890
      
      [ FAILED ] Webserver.SslCipherSuite (3 ms)
      [ RUN ] Webserver.SslBadTlsVersion
      [ OK ] Webserver.SslBadTlsVersion (1 ms)
      [ RUN ] Webserver.SslGoodTlsVersion
      [ OK ] Webserver.SslGoodTlsVersion (35 ms)
      [ RUN ] Webserver.StartWithPasswordFileTest
      [ OK ] Webserver.StartWithPasswordFileTest (11 ms)
      [ RUN ] Webserver.StartWithMissingPasswordFileTest
      [ OK ] Webserver.StartWithMissingPasswordFileTest (0 ms)
      [ RUN ] Webserver.DirectoryListingDisabledTest
      [ OK ] Webserver.DirectoryListingDisabledTest (10 ms)
      [ RUN ] Webserver.NoFrameEmbeddingTest
      [ OK ] Webserver.NoFrameEmbeddingTest (11 ms)
      [ RUN ] Webserver.FrameAllowEmbeddingTest
      [ OK ] Webserver.FrameAllowEmbeddingTest (11 ms)
      [ RUN ] Webserver.NullCharTest
      [ OK ] Webserver.NullCharTest (10 ms)
      [----------] 18 tests from Webserver (181 ms total)
      
      [----------] Global test environment tear-down
      [==========] 18 tests from 1 test case ran. (181 ms total)
      [ PASSED ] 17 tests.
      [ FAILED ] 1 test, listed below:
      [ FAILED ] Webserver.SslCipherSuite
      
      1 FAILED TEST
      

      Since we don't have regular tests on Ubuntu 18 (though arguably we should), I'm not making this a blocker.

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            laszlog Laszlo Gaal
            laszlog Laszlo Gaal
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment