action #125654
closed[security][FIPS] clarify openJDK version testing
100%
Description
Context¶
our current test https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/tests/fips/openjdk/openjdk_fips.pm is specifically installing jdk11, but with the progress of the updates it can happen that we find on the machines a newer one. The newer one could support new Cipher Suites and Security Providers.
At the moment as a workaround, we uninstall any JDK before testing; the question is:
Question¶
- should we test any present and greater version of OpenJDK, or only some specific ones?
Action¶
- provide for each JDK version the accepted list of FIPS crypto providers, which for OpenJDK 11 is currently stored in https://gitlab.suse.de/qe-security/testing/-/raw/main/data/openjdk/Tcheck.txt
- change the test to map the correct JDK version with the reference list of Supported Cipher Suites and Security Providers
Updated by amanzini about 1 year ago
- Tags set to need-clarification
- Subject changed from [security to [security][FIPS] clarify openJDK version testing
- Description updated (diff)
Updated by pstivanin about 1 year ago
- Status changed from New to In Progress
- Assignee set to pstivanin
Updated by pstivanin about 1 year ago
- % Done changed from 0 to 50
- ciphers reported here (https://gitlab.suse.de/qe-security/testing/-/raw/main/data/openjdk/Tcheck.txt) are correct for all openjdk versions tested under fips.
- according to https://confluence.suse.com/pages/viewpage.action?pageId=675512957, only openjdk-11 should be tested, but Marcus wrote that it'd be nice to have java-17-openjdk tested too
slack conversation: https://suse.slack.com/archives/C04QYGFKQ1G/p1679470228936649
Updated by pstivanin about 1 year ago
- % Done changed from 50 to 80
Updated by pstivanin about 1 year ago
- Status changed from In Progress to Blocked
about openjdk17, the test is currently failing (https://openqa.suse.de/tests/10752801) because the returned ciphers are different.
Currently, we have this(https://gitlab.suse.de/qe-security/testing/-/raw/main/data/openjdk/Tcheck.txt) for openjdk11, but openjdk17 outputs that(https://gitlab.suse.de/qe-security/testing/-/raw/2ff4bcc7545e7d0ea97c1645a1a25dd2cfab2bce/data/openjdk/Tcheck17.txt).
I've asked Dennis and Viktor how to proceed. Waiting for feedback.
Updated by pstivanin 11 months ago
- Status changed from Blocked to In Progress
Fridrich found the bug and already opened an SR:
I think that it will be working with this change. The reason for this from the part of RedHat was that right now there is no way to disable OpenJDK FIPS for all java applications running on a FIPS enabled host. I.e. let everything else - non-Java - be in FIPS mode, but disable it for OpenJDK applications.
Now, their reasoning for this change was that one could never disable fips globally for all java applications. Now, they implemented the possibility that if system config files are disabled, fips is disabled automatically too for openjdk. Which is a useful feature. But they also flipped the default, which changed our default behaviour and you thankfully found it out. Now, I flipped that default back. If some customer wants disable FIPS for all java applications, she just needs to flip that one property in the file. So I think that this solution is more or less the best.
Updated by pstivanin 11 months ago
I've now scheduled both openjdk 11 and 17 on my devel prj: https://openqa.suse.de/group_overview/431
I'll let them both run there until we get an approval for the 17's baseline.
Updated by pstivanin 11 months ago
- % Done changed from 80 to 70
we now have the update in the testing queue (https://smelt.suse.de/request/299043/) and the fips test is now passing (https://openqa.suse.de/tests/11186952#step/openjdk17_fips/1)
the ssh one is failing though https://openqa.suse.de/tests/11186952#step/openjdk17_ssh/21 , so I'm looking into it.
Updated by pstivanin 11 months ago
- % Done changed from 70 to 80
with the latest update now both jdk11 and jdk17 are green.
will let them run here https://openqa.suse.de/tests/overview?distri=sle&version=15-SP4&build=20230607-1&groupid=431 for a few days before merging it into master
Updated by dzedro 10 months ago
This Desktop test is now broken https://openqa.suse.de/tests/11347884
Updated by dzedro 10 months ago
I updated the yaml schedule https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/17303