action #116263
[security][fips] test fails in openjdk_fips (closed)
Description
# Test died: script failed with :
[ 218.567711] systemd[1]: snapperd.service: Deactivated successfully.
We have to make sure that the expected results of Supported Cipher Suites
and Supported Security Providers
are still the same as for 15-SP4. It seems that in 15-SP5 there are some new additions, so it seems more like a test issue, rather than a product bug.
For example there are these 3 cipher suites:
> 1. TLS_AES_256_GCM_SHA384
> 2. TLS_AES_128_GCM_SHA256
> 3. TLS_CHACHA20_POLY1305_SHA256
Acceptance criteria
- Find the supported cipher suites and supported security providers for 15-SP5
- Modify the expected outcome of the test accordingly (https://gitlab.suse.de/QA-APAC-I/testing/-/raw/master/data/openjdk/Tcheck.txt)
- Run verification runs, both for maintenance and product
Observation
openQA test in scenario sle-15-SP5-Online-x86_64-fips_env_mode_jdk@64bit fails in
openjdk_fips
Test suite description
The base test suite is used for job templates defined in YAML documents. It has no settings of its own.
Reproducible
Fails since (at least) Build 15.2
Expected result
Last good: (unknown) (or more recent)
Further details
Always latest result in this scenario: latest
Updated by openqa_review over 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: fips_env_mode_jdk
https://openqa.suse.de/tests/9517914#step/openjdk_fips/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by bchou over 2 years ago
Hi Viktor,
Would you please check this issue too? Probably it's a mozilla-nss lib problem. Thank you.
Updated by viktors.trubovics over 2 years ago
Update from Marcus Meissner:
1. TLS_AES_256_GCM_SHA384
2. TLS_AES_128_GCM_SHA256
3. TLS_CHACHA20_POLY1305_SHA256
1 and 2 have approved ciphers only; TLS_CHACHA20_POLY1305_SHA256 is not approved.
So it means: the test needs to be updated to contain TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256.
A bug needs to be raised against TLS_CHACHA20_POLY1305_SHA256.
Updated by amanzini over 2 years ago
- File result.txt added
- File Tcheck.txt added
In addition to the cipher suites, there's also a change in Supported Security Providers.
from:
1. SunPKCS11-NSS-FIPS using library null
2. SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; PKCS12, JKS & DKS keystores; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores, JavaPolicy Policy; JavaLoginConfig Configuration)
3. Sun Elliptic Curve provider (EC, ECDSA, ECDH)
4. Sun JSSE provider (FIPS mode, crypto provider SunPKCS11-NSS-FIPS)
to:
1. SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; PKCS12, JKS & DKS keystores; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores, JavaPolicy Policy; JavaLoginConfig Configuration)
2. Sun RSA signature provider
3. Sun Elliptic Curve provider (EC, ECDSA, ECDH)
4. Sun JSSE provider(PKCS12, SunX509/PKIX key/trust factories, SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3/DTLSv1.0/DTLSv1.2)
5. SunJCE Provider (implements RSA, DES, Triple DES, AES, Blowfish, ARCFOUR, RC2, PBE, Diffie-Hellman, HMAC, ChaCha20)
6. Sun (Kerberos v5, SPNEGO)
7. Sun SASL provider(implements client mechanisms for: DIGEST-MD5, EXTERNAL, PLAIN, CRAM-MD5, NTLM; server mechanisms for: DIGEST-MD5, CRAM-MD5, NTLM)
8. XMLDSig (DOM XMLSignatureFactory; DOM KeyInfoFactory; C14N 1.0, C14N 1.1, Exclusive C14N, Base64, Enveloped, XPath, XPath2, XSLT TransformServices)
9. Sun PC/SC provider
10. JdkLDAP Provider (implements LDAP CertStore)
11. JDK SASL provider(implements client and server mechanisms for GSSAPI)
12. Unconfigured and unusable PKCS11 provider
Are we going to handle that too? Please see attached result.txt (output from JavaCryptoTest) and Tcheck.txt (expected).
Updated by amanzini over 2 years ago
opened bugzilla https://bugzilla.suse.com/show_bug.cgi?id=1204229
Updated by tjyrinki_suse over 2 years ago
Note this has failed already in 15-SP4 GMC https://openqa.suse.de/tests/9064912#step/openjdk_fips/43
Updated by amanzini over 2 years ago
- Status changed from In Progress to Blocked
Updated by amanzini over 2 years ago
- Status changed from Blocked to In Progress
The test passes when run in FIPS KERNEL mode: https://openqa.suse.de/tests/9776262.
So basically the issue is that SSL and/or the JDK does not honor env mode, but relies on the kernel setting. We should decide if it is correct behaviour, and so adapt the test, or ask upstream to implement proper ENV mode.
Updated by amanzini over 2 years ago
- Status changed from In Progress to Blocked
Updated by amanzini over 2 years ago
- Related to action #119635: [security] test fails in sshd added
Updated by openqa_review over 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: fips_env_mode_jdk
https://openqa.suse.de/tests/9881955#step/openjdk_fips/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by openqa_review about 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: fips_env_mode_jdk
https://openqa.suse.de/tests/10029317#step/openjdk_fips/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by openqa_review about 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: fips_env_mode_jdk
https://openqa.suse.de/tests/10186562#step/openjdk_fips/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 56 days if nothing changes in this ticket.
Updated by tjyrinki_suse about 2 years ago
This is waiting for Dennis to discuss with Fridrich directly some details.
Updated by amanzini about 2 years ago
Seems to be failing in kernel mode too; needs further investigation: https://openqa.suse.de/tests/10307628#
JCE Provider Info: OpenJDK 64-Bit Server VM 17.0.5+0-suse-150400.3.6.1-x8664/17.0.5+0-suse-150400.3.6.1-x8664 on Linux 5.14.21-150400.24.38-default
This new failure is related to a newer java-17-openjdk that comes already installed in the image. The test installs jdk11, but the one in use is always 17, so the output of the crypto providers differs.
To fix the test, either we update the baseline to the newest JDK, or, if the reference has to be jdk11, we uninstall any JDK present in the system before installing jdk11.
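The ticket compares three things against a baseline: the cipher suites the JDK offers (with only the two AES-GCM TLS 1.3 suites counting as approved, per Marcus Meissner's note above), the list of security providers (which changes with the JDK major version, as this comment found), and whether the JDK is actually in FIPS mode. The program below is an added example, not the ticket's JavaCryptoTest and not part of the openQA test; it prints an inventory in the same shape as the result.txt output quoted earlier and exits non-zero when a non-approved TLS 1.3 suite is offered. The approved-suite allow list, the expected major version taken from argv[0], and the use of /proc/sys/crypto/fips_enabled as the kernel-mode indicator are assumptions of this example.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;

/**
 * Inventory of the JDK crypto configuration that a FIPS baseline test compares:
 * JCE provider info, registered security providers and TLS 1.3 cipher suites.
 * Run with: java FipsJdkInventory.java 11
 */
public class FipsJdkInventory {

    // Assumption: the TLS 1.3 suites counted as FIPS-approved in the ticket discussion.
    static final Set<String> APPROVED_TLS13 = Set.of(
            "TLS_AES_256_GCM_SHA384",
            "TLS_AES_128_GCM_SHA256");

    // TLS 1.3 suite names (RFC 8446) contain no "_WITH_"; pre-1.3 names do.
    static boolean isTls13Suite(String name) {
        return name.startsWith("TLS_") && !name.contains("_WITH_");
    }

    // Same shape as the "JCE Provider Info:" line in the ticket's output.
    static String jceProviderInfo() {
        return "JCE Provider Info: " + System.getProperty("java.vm.name") + " "
                + System.getProperty("java.vm.version") + "/" + System.getProperty("java.runtime.version")
                + " on " + System.getProperty("os.name") + " " + System.getProperty("os.version");
    }

    // Assumption: kernel FIPS switch; the ticket observed the JDK follows this, not the env mode.
    static boolean kernelFipsEnabled() {
        try {
            return "1".equals(Files.readString(Path.of("/proc/sys/crypto/fips_enabled")).trim());
        } catch (Exception e) {
            return false; // file absent or unreadable: treat as not in kernel FIPS mode
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: expected baseline major version comes from argv[0]; the ticket's reference is 11.
        int expectedMajor = args.length > 0 ? Integer.parseInt(args[0]) : 11;
        int actualMajor = Runtime.version().feature();

        System.out.println(jceProviderInfo());
        System.out.println("Kernel FIPS mode: " + (kernelFipsEnabled() ? "enabled" : "disabled"));
        if (actualMajor != expectedMajor) {
            // The provider list differs between majors, so the baseline would not match.
            System.out.printf("WARNING: running on JDK %d, baseline is for JDK %d%n",
                    actualMajor, expectedMajor);
        }

        System.out.println("Supported Security Providers:");
        int n = 1;
        for (Provider p : Security.getProviders()) {
            // getInfo() yields the "SUN (DSA key/parameter generation; ...)" strings seen in result.txt.
            System.out.printf("%d. %s%n", n++, p.getInfo());
        }
        boolean fipsProvider = Security.getProvider("SunPKCS11-NSS-FIPS") != null;
        System.out.println("FIPS PKCS#11 provider registered: " + fipsProvider);

        System.out.println("Supported Cipher Suites (TLS 1.3):");
        String[] suites = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        List<String> notApproved = new ArrayList<>();
        for (String s : new TreeSet<>(List.of(suites))) {
            if (!isTls13Suite(s)) {
                continue;
            }
            boolean ok = APPROVED_TLS13.contains(s);
            System.out.printf("  %s (%s)%n", s, ok ? "approved" : "NOT approved");
            if (!ok) {
                notApproved.add(s);
            }
        }
        if (!notApproved.isEmpty()) {
            System.out.println("Non-approved TLS 1.3 suites offered: " + notApproved);
            System.exit(1);
        }
    }
}
```

Running this under the JDK the image actually ships (rather than the one the test installed) makes the version mismatch this comment describes visible in the first lines of output, before any provider or cipher-suite comparison is attempted.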
Updated by amanzini about 2 years ago
- Related to action #123013: [security][fips] test openjdk only in fips-kernel mode added
Updated by amanzini about 2 years ago
- Status changed from Blocked to In Progress
Updated by tjyrinki_suse about 2 years ago
Thank you for the analysis! Your suggestion to make them pass on jdk11 and ask for an update to the reference JDK later sounds good to me!
Updated by amanzini about 2 years ago
- Status changed from In Progress to Feedback
PR: https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/16236
we need to clarify if JDK11 is a strict requirement or we should test against any newer version.
Updated by openqa_review about 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: fips_env_mode_openjdk
https://openqa.suse.de/tests/10386057#step/openjdk_fips/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by tjyrinki_suse almost 2 years ago
- Status changed from Feedback to Resolved
openJDK is now executed only in kernel mode, due to lack of support for enabling FIPS with just an environment variable.