action #116263

[security][fips] test fails in openjdk_fips

Added by punkioudi 3 months ago. Updated 3 days ago.

Status: Blocked
Priority: Normal
Assignee:
Category: Bugs in existing tests
Target version: -
Start date: 2022-09-06
Due date:
% Done: 0%
Estimated time:
Difficulty:
Tags:

Description

# Test died: script failed with :
[ 218.567711] systemd[1]: snapperd.service: Deactivated successfully.

We have to make sure that the expected results of Supported Cipher Suites and Supported Security Providers are still the same as for 15-SP4. It seems that in 15-SP5 there are some new additions, so it seems more like a test issue, rather than a product bug.

For example there are these 3 cipher suites:

>  1. TLS_AES_256_GCM_SHA384
>  2. TLS_AES_128_GCM_SHA256
>  3. TLS_CHACHA20_POLY1305_SHA256

Acceptance criteria

  1. Find the supported cipher suites and supported security providers for 15-SP5
  2. Modify the expected outcome of the test accordingly (https://gitlab.suse.de/QA-APAC-I/testing/-/raw/master/data/openjdk/Tcheck.txt)
  3. Run verification runs, both for maintenance and product
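As an added example (not part of the ticket, the openQA test, or the JavaCryptoTest it runs), this Java program enumerates the TLS 1.3 cipher suites and security providers the running JDK offers, the two lists the test compares against Tcheck.txt, diffs the suites against a constructed baseline built from the three suites named above, and flags ChaCha20-Poly1305, which is not a FIPS-approved algorithm. The class name and the baseline are assumptions.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;

/** Dumps the running JDK's TLS 1.3 cipher suites and security providers
 *  and diffs the suites against an expected baseline, as a FIPS test would. */
public class FipsCryptoCheck {
    // Constructed baseline: the three TLS 1.3 suites named in the ticket.
    static final Set<String> EXPECTED_TLS13 = new TreeSet<>(Arrays.asList(
        "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"));

    /** TLS 1.3 suites the default SSLContext enables (names start with TLS_AES_/TLS_CHACHA20_). */
    static Set<String> enabledTls13Suites() throws Exception {
        Set<String> out = new TreeSet<>();
        for (String s : SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites()) {
            if (s.startsWith("TLS_AES_") || s.startsWith("TLS_CHACHA20_")) out.add(s);
        }
        return out;
    }

    /** Registered providers as "name: info", in priority order (what Tcheck.txt lists). */
    static Set<String> providerSummaries() {
        Set<String> out = new LinkedHashSet<>();
        for (Provider p : Security.getProviders()) out.add(p.getName() + ": " + p.getInfo());
        return out;
    }

    /** ChaCha20-Poly1305 is not a FIPS-approved algorithm: in FIPS mode it must not be enabled. */
    static Set<String> nonApproved(Set<String> enabled) {
        Set<String> bad = new TreeSet<>();
        for (String s : enabled) if (s.contains("CHACHA20")) bad.add(s);
        return bad;
    }

    public static void main(String[] args) throws Exception {
        Set<String> enabled = enabledTls13Suites();
        Set<String> missing = new TreeSet<>(EXPECTED_TLS13); missing.removeAll(enabled);
        Set<String> added = new TreeSet<>(enabled); added.removeAll(EXPECTED_TLS13);
        System.out.println("Enabled TLS 1.3 suites  : " + enabled);
        System.out.println("Missing vs. baseline    : " + missing);
        System.out.println("New vs. baseline        : " + added);
        System.out.println("Enabled but not approved: " + nonApproved(enabled));
        System.out.println("Security providers:");
        for (String p : providerSummaries()) System.out.println("  " + p);
    }
}
```

Run it once on 15-SP4 and once on 15-SP5 (in the same FIPS mode) to see exactly which suites and providers the expected file must gain or lose.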

Observation

openQA test in scenario sle-15-SP5-Online-x86_64-fips_env_mode_jdk@64bit fails in openjdk_fips

Test suite description

The base test suite is used for job templates defined in YAML documents. It has no settings of its own.

Reproducible

Fails since (at least) Build 15.2

Expected result

Last good: (unknown) (or more recent)

Further details

Always latest result in this scenario: latest

result.txt (2.47 KB), amanzini, 2022-10-11 10:40
Tcheck.txt (1.71 KB), amanzini, 2022-10-11 10:40

Related issues

Related to openQA Tests - action #119635: [security] test fails in sshd (Blocked, 2022-10-31)

History

#1 Updated by openqa_review 2 months ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: fips_env_mode_jdk
https://openqa.suse.de/tests/9517914#step/openjdk_fips/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.

#2 Updated by bchou about 2 months ago

Hi Viktor,

Would you please check this issue too? Probably it's a mozilla-nss lib problem. Thank you.

#3 Updated by viktors.trubovics about 2 months ago

Update from Marcus Meissner:

  1. TLS_AES_256_GCM_SHA384
  2. TLS_AES_128_GCM_SHA256

  1 and 2 have approved ciphers only.

  3. TLS_CHACHA20_POLY1305_SHA256

  3 is not approved.

  So it means:

  4. Test needs to be updated to contain TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256.
  5. Bug needs to be raised against TLS_CHACHA20_POLY1305_SHA256.

#4 Updated by amanzini about 2 months ago

  • Assignee set to amanzini

#5 Updated by amanzini about 2 months ago

In addition to the Cipher Suites, there's also a change in the Supported Security Providers,
from:

 1. SunPKCS11-NSS-FIPS using library null
 2. SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; PKCS12, JKS & DKS keystores; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores, JavaPolicy Policy; JavaLoginConfig Configuration)
 3. Sun Elliptic Curve provider (EC, ECDSA, ECDH)
 4. Sun JSSE provider (FIPS mode, crypto provider SunPKCS11-NSS-FIPS)

to:

 1. SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; PKCS12, JKS & DKS keystores; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores, JavaPolicy Policy; JavaLoginConfig Configuration)
 2. Sun RSA signature provider
 3. Sun Elliptic Curve provider (EC, ECDSA, ECDH)
 4. Sun JSSE provider(PKCS12, SunX509/PKIX key/trust factories, SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3/DTLSv1.0/DTLSv1.2)
 5. SunJCE Provider (implements RSA, DES, Triple DES, AES, Blowfish, ARCFOUR, RC2, PBE, Diffie-Hellman, HMAC, ChaCha20)
 6. Sun (Kerberos v5, SPNEGO)
 7. Sun SASL provider(implements client mechanisms for: DIGEST-MD5, EXTERNAL, PLAIN, CRAM-MD5, NTLM; server mechanisms for: DIGEST-MD5, CRAM-MD5, NTLM)
 8. XMLDSig (DOM XMLSignatureFactory; DOM KeyInfoFactory; C14N 1.0, C14N 1.1, Exclusive C14N, Base64, Enveloped, XPath, XPath2, XSLT TransformServices)
 9. Sun PC/SC provider
 10. JdkLDAP Provider (implements LDAP CertStore)
 11. JDK SASL provider(implements client and server mechanisms for GSSAPI)
 12. Unconfigured and unusable PKCS11 provider

Are we going to handle that too? Please see the attached result.txt (output from JavaCryptoTest) and Tcheck.txt (expected).

#7 Updated by tjyrinki_suse about 2 months ago

Note this has failed already in 15-SP4 GMC https://openqa.suse.de/tests/9064912#step/openjdk_fips/43

#8 Updated by amanzini about 1 month ago

  • Status changed from New to Blocked

#9 Updated by amanzini about 1 month ago

  • Status changed from Blocked to In Progress

#10 Updated by amanzini about 1 month ago

  • Status changed from In Progress to Blocked

#11 Updated by amanzini about 1 month ago

  • Status changed from Blocked to In Progress

Test passes when run in FIPS KERNEL mode: https://openqa.suse.de/tests/9776262.
So basically the issue is that SSL and/or the JDK does not honor env mode, but relies on the kernel setting. We should decide if that is the correct behaviour, and so adapt the test, or ask upstream to implement a proper ENV mode.

#12 Updated by amanzini about 1 month ago

  • Status changed from In Progress to Blocked

#13 Updated by amanzini 24 days ago

#14 Updated by openqa_review 17 days ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: fips_env_mode_jdk
https://openqa.suse.de/tests/9881955#step/openjdk_fips/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.

#15 Updated by openqa_review 3 days ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: fips_env_mode_jdk
https://openqa.suse.de/tests/10029317#step/openjdk_fips/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
