[IMPALA-8563] BE tests specifying their own SSL cipher sets fail on Ubuntu 18 - ASF JIRA

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: Impala 3.2.0
Fix Version/s: Impala 3.3.0
Component/s: Infrastructure
Labels:
None

Epic Color:
ghx-label-8

Description

Ubuntu 18.04 upgraded OpenSSL to 1.1.0, which raised the bar in what ciphers are considered "strong".

Some of the Impala BE tests specify their own ciphers for various test purposes. These tests use RC4, which is no longer accepted by OpenSSL by default, making these tests fail on Ubuntu 18.04. Affected tests are:

rpc-mgr-test
thrift-server-test
webserver-test

56/104 Test #56: thrift-util-test ................. Passed 3.34 sec
Start 57: thrift-server-test
57/104 Test #57: thrift-server-test ...............***Exception: SegFault 4.25 sec
Turning perftools heap leak checking off
Loading random data
Initializing database 'de52-8af6-6a92-1e99/krb5kdc/principal' for realm 'KRBTEST.COM',
master key name 'K/M@KRBTEST.COM'
Apr 18 22:20:43 ip-172-31-7-143 krb5kdc[25358](info): setting up network...
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
Apr 18 22:20:43 ip-172-31-7-143 krb5kdc[25358](info): set up 2 sockets
Apr 18 22:20:43 ip-172-31-7-143 krb5kdc[25358](info): commencing operation
krb5kdc: starting...
WARNING: no policy specified for impala/localhost@KRBTEST.COM; defaulting to no policy
Authenticating as principal ubuntu/admin@KRBTEST.COM with password.
Principal "impala/localhost@KRBTEST.COM" created.
Authenticating as principal ubuntu/admin@KRBTEST.COM with password.
Entry for principal impala/localhost with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:de52-8af6-6a92-1e99/krb5kdc/impala_localhost.keytab.
Entry for principal impala/localhost with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:de52-8af6-6a92-1e99/krb5kdc/impala_localhost.keytab.
[==========] Running 16 tests from 6 test cases.
[----------] Global test environment set-up.
[----------] 1 test from ThriftTestBase
[ RUN ] ThriftTestBase.Connectivity
[ OK ] ThriftTestBase.Connectivity (85 ms)
[----------] 1 test from ThriftTestBase (85 ms total)

[----------] 8 tests from SslTest
[ RUN ] SslTest.BadCertificate
[ OK ] SslTest.BadCertificate (17 ms)
[ RUN ] SslTest.ClientBeforeServer
[ OK ] SslTest.ClientBeforeServer (4 ms)
[ RUN ] SslTest.BadCiphers
[ OK ] SslTest.BadCiphers (1 ms)
[ RUN ] SslTest.MismatchedCiphers
/home/ubuntu/Impala/be/src/rpc/thrift-server-test.cc:314: Failure
Value of: status_.ok()
Actual: false
Expected: true
Error: SSL socket creation failed: SSL_CTX_set_cipher_list: no cipher match

/home/ubuntu/Impala/be/src/rpc/thrift-server-test.cc:322: Failure
Value of: status_.ok()
Actual: false
Expected: true
Error: SSL socket creation failed: SSL_CTX_set_cipher_list: no cipher match

Wrote minidump to /home/ubuntu/Impala/logs/be_tests/minidumps/thrift-server-test/3c9581c6-3007-4582-2f9967bb-c5fc4825.dmp
Wrote minidump to /home/ubuntu/Impala/logs/be_tests/minidumps/thrift-server-test/3c9581c6-3007-4582-2f9967bb-c5fc4825.dmp

        Start  59: rpc-mgr-test
 59/104 Test  #59: rpc-mgr-test .....................***Failed    5.13 sec
Turning perftools heap leak checking off
[==========] Running 11 tests from 1 test case.
[----------] Global test environment set-up.
[----------] 11 tests from RpcMgrTest
[ RUN      ] RpcMgrTest.MultipleServicesTls
19/04/18 22:20:51 INFO util.JvmPauseMonitor: Starting JVM pause monitor
[       OK ] RpcMgrTest.MultipleServicesTls (923 ms)
[ RUN      ] RpcMgrTest.MultipleServices
[       OK ] RpcMgrTest.MultipleServices (61 ms)
[ RUN      ] RpcMgrTest.BadCertificateTls
[       OK ] RpcMgrTest.BadCertificateTls (35 ms)
[ RUN      ] RpcMgrTest.BadPasswordTls
[       OK ] RpcMgrTest.BadPasswordTls (58 ms)
[ RUN      ] RpcMgrTest.CorrectPasswordTls
[       OK ] RpcMgrTest.CorrectPasswordTls (61 ms)
[ RUN      ] RpcMgrTest.BadCiphersTls
[       OK ] RpcMgrTest.BadCiphersTls (34 ms)
[ RUN      ] RpcMgrTest.ValidCiphersTls
/home/ubuntu/Impala/be/src/rpc/rpc-mgr-test.cc:142: Failure
Value of: status_.ok()
  Actual: false
Expected: true
Error: Could not build messenger: Runtime error: failed to set TLS ciphers: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2129

[  FAILED  ] RpcMgrTest.ValidCiphersTls (32 ms)
[ RUN      ] RpcMgrTest.ValidMultiCiphersTls
/home/ubuntu/Impala/be/src/rpc/rpc-mgr-test.cc:161: Failure
Value of: status_.ok()
  Actual: false
Expected: true
Error: Could not build messenger: Runtime error: failed to set TLS ciphers: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2129

[  FAILED  ] RpcMgrTest.ValidMultiCiphersTls (44 ms)
[ RUN      ] RpcMgrTest.SlowCallback
[       OK ] RpcMgrTest.SlowCallback (333 ms)
[ RUN      ] RpcMgrTest.AsyncCall
[       OK ] RpcMgrTest.AsyncCall (36 ms)
[ RUN      ] RpcMgrTest.NegotiationTimeout
[       OK ] RpcMgrTest.NegotiationTimeout (35 ms)
[----------] 11 tests from RpcMgrTest (1652 ms total)

[----------] Global test environment tear-down
[==========] 11 tests from 1 test case ran. (1652 ms total)
[  PASSED  ] 9 tests.
[  FAILED  ] 2 tests, listed below:
[  FAILED  ] RpcMgrTest.ValidCiphersTls
[  FAILED  ] RpcMgrTest.ValidMultiCiphersTls

 2 FAILED TESTS

Start 102: webserver-test
102/104 Test #102: webserver-test ...................***Failed 3.02 sec
Turning perftools heap leak checking off
[==========] Running 18 tests from 1 test case.
[----------] Global test environment set-up.
[----------] 18 tests from Webserver
[ RUN ] Webserver.SmokeTest
[ OK ] Webserver.SmokeTest (18 ms)
[ RUN ] Webserver.ArgsTest
[ OK ] Webserver.ArgsTest (14 ms)
[ RUN ] Webserver.JsonTest
[ OK ] Webserver.JsonTest (11 ms)
[ RUN ] Webserver.EscapingTest
[ OK ] Webserver.EscapingTest (11 ms)
[ RUN ] Webserver.EscapeErrorUriTest
[ OK ] Webserver.EscapeErrorUriTest (11 ms)
[ RUN ] Webserver.SslTest
[ OK ] Webserver.SslTest (10 ms)
[ RUN ] Webserver.SslBadCertTest
[ OK ] Webserver.SslBadCertTest (0 ms)
[ RUN ] Webserver.SslWithPrivateKeyPasswordTest
[ OK ] Webserver.SslWithPrivateKeyPasswordTest (12 ms)
[ RUN ] Webserver.SslBadPrivateKeyPasswordTest
[ OK ] Webserver.SslBadPrivateKeyPasswordTest (2 ms)
[ RUN ] Webserver.SslCipherSuite
/home/ubuntu/Impala/be/src/util/webserver-test.cc:273: Failure
Value of: status_.ok()
Actual: false
Expected: true
Error: Webserver: Could not start on address 0.0.0.0:27890

[ FAILED ] Webserver.SslCipherSuite (3 ms)
[ RUN ] Webserver.SslBadTlsVersion
[ OK ] Webserver.SslBadTlsVersion (1 ms)
[ RUN ] Webserver.SslGoodTlsVersion
[ OK ] Webserver.SslGoodTlsVersion (35 ms)
[ RUN ] Webserver.StartWithPasswordFileTest
[ OK ] Webserver.StartWithPasswordFileTest (11 ms)
[ RUN ] Webserver.StartWithMissingPasswordFileTest
[ OK ] Webserver.StartWithMissingPasswordFileTest (0 ms)
[ RUN ] Webserver.DirectoryListingDisabledTest
[ OK ] Webserver.DirectoryListingDisabledTest (10 ms)
[ RUN ] Webserver.NoFrameEmbeddingTest
[ OK ] Webserver.NoFrameEmbeddingTest (11 ms)
[ RUN ] Webserver.FrameAllowEmbeddingTest
[ OK ] Webserver.FrameAllowEmbeddingTest (11 ms)
[ RUN ] Webserver.NullCharTest
[ OK ] Webserver.NullCharTest (10 ms)
[----------] 18 tests from Webserver (181 ms total)

[----------] Global test environment tear-down
[==========] 18 tests from 1 test case ran. (181 ms total)
[ PASSED ] 17 tests.
[ FAILED ] 1 test, listed below:
[ FAILED ] Webserver.SslCipherSuite

1 FAILED TEST

Since we don't have regular tests on Ubuntu 18 (though arguably we should), I'm not making this a blocker.

Attachments

Issue Links

is related to

IMPALA-6826 Add support for Ubuntu 18.04

Resolved

BE tests specifying their own SSL cipher sets fail on Ubuntu 18

Details

Description

Attachments

Issue Links

Activity

People

Dates