Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 7.4.0.CD21
Affects Version/s: 7.4.0.CD20-CR1
Component/s: Security, Undertow
Labels:
None

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:
Workaround Description:
Hide

There exists workaround to manually tell the server path to the `libwfssl` library, e.g.:

$ find . -name *ssl* ./modules/system/layers/base/org/wildfly/openssl ./modules/system/layers/base/org/wildfly/openssl/main/wildfly-openssl-java-1.1.0.Final-redhat-00001.jar ./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-sparcv9/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-x86_64/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/win-x86_64/wfssl.dll ./modules/system/layers/base/org/wildfly/openssl/main/lib/win-i386/wfssl.dll ./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-s390x/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/el8-x86_64/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/el7-x86_64/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-x86_64/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-i386/libwfssl.so ./modules/system/layers/base/org/wildfly/security/elytron-private/main/wildfly-elytron-ssl-1.12.1.Final-redhat-00001.jar $ pwd /tmp/jboss-eap-7.4 $ ./bin/standalone.sh -Dorg.wildfly.openssl.libwfssl.path=/tmp/jboss-eap-7.4/modules/system/layers/base/org/wildfly/openssl/main/lib/el8-x86_64/libwfssl.so

Now the server starts with no issues and HTTPS connection seems just fine too.
Show
There exists workaround to manually tell the server path to the `libwfssl` library, e.g.: $ find . -name *ssl* ./modules/system/layers/base/org/wildfly/openssl ./modules/system/layers/base/org/wildfly/openssl/main/wildfly-openssl-java-1.1.0.Final-redhat-00001.jar ./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-sparcv9/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-x86_64/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/win-x86_64/wfssl.dll ./modules/system/layers/base/org/wildfly/openssl/main/lib/win-i386/wfssl.dll ./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-s390x/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/el8-x86_64/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/el7-x86_64/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-x86_64/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-i386/libwfssl.so ./modules/system/layers/base/org/wildfly/security/elytron- private /main/wildfly-elytron-ssl-1.12.1.Final-redhat-00001.jar $ pwd /tmp/jboss-eap-7.4 $ ./bin/standalone.sh -Dorg.wildfly.openssl.libwfssl.path=/tmp/jboss-eap-7.4/modules/system/layers/base/org/wildfly/openssl/main/lib/el8-x86_64/libwfssl.so Now the server starts with no issues and HTTPS connection seems just fine too.
Git Pull Request:
https://github.com/wildfly-security/wildfly-openssl/pull/82, https://github.com/jboss-modules/jboss-modules/pull/260, https://github.com/wildfly-security/wildfly-openssl/pull/80, https://github.com/jbossas/wildfly-core-eap/pull/899
Steps to Reproduce:
Hide

Unzip server

Start server ./bin/standalone.sh &

Configure OpenSSL provider:

/core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS) reload

see errors in the log
Show
Unzip server Start server ./bin/standalone.sh & Configure OpenSSL provider: /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS) reload see errors in the log

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Looks like detection of `libwfssl` is broken in current build. When I try to configure OpenSSL security provider in legacy security, I can see following errors in standalone.log:

15:39:44,704 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service15:39:44,704 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:116) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739) at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701) at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) at java.lang.Thread.run(Thread.java:748)Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: openssl.TLSv1.2, provider: openssl, class: org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLS_1_2_ContextSpi) at java.security.Provider$Service.newInstance(Provider.java:1617) at sun.security.jca.GetInstance.getInstance(GetInstance.java:236) at sun.security.jca.GetInstance.getInstance(GetInstance.java:164) at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156) at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:105) ... 8 moreCaused by: java.lang.RuntimeException: java.lang.reflect.InvocationTargetException at org.wildfly.openssl.SSL.init(SSL.java:87) at org.wildfly.openssl.OpenSSLContextSPI.<init>(OpenSSLContextSPI.java:129) at org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLS_1_2_ContextSpi.<init>(OpenSSLContextSPI.java:484) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at java.security.Provider$Service.newInstance(Provider.java:1595) ... 12 moreCaused by: java.lang.reflect.InvocationTargetException at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.wildfly.openssl.SSL.init(SSL.java:82) ... 19 moreCaused by: java.lang.UnsatisfiedLinkError: no wfssl in java.library.path at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1860) at java.lang.Runtime.loadLibrary0(Runtime.java:870) at java.lang.System.loadLibrary(System.java:1124) at org.wildfly.openssl.SSL$LibraryLoader.load(SSL.java:288) ... 24 more
15:39:44,818 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([    ("core-service" => "management"),    ("security-realm" => "ApplicationRealm")]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context" => "WFLYDM0018: Unable to start service    Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: openssl.TLSv1.2, provider: openssl, class: org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLS_1_2_ContextSpi)    Caused by: java.lang.RuntimeException: java.lang.reflect.InvocationTargetException    Caused by: java.lang.reflect.InvocationTargetException    Caused by: java.lang.UnsatisfiedLinkError: no wfssl in java.library.path"}}

This is a regression against previous release - EAP7.3.1. Expected behaviour is no error in the log, libwfssl is loaded successfully and OpenSSL is correctly used for TLS connections.

Note - there has been a change in the location of the particular libwfssl native binaries in the distribution, see https://github.com/wildfly-security/wildfly-openssl/commit/c5c07d3dc0d6376409a028ffcff9af35dbc1b616

7.3.1

$ find . -name *wfssl*
./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-sparcv9/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-x86_64/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/win-x86_64/wfssl.dll
./modules/system/layers/base/org/wildfly/openssl/main/lib/win-i386/wfssl.dll
./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-i386/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-s390x/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-x86_64/libwfssl.so

and

7.4.0.CD20-CR1

$ find . -name *ssl*
./modules/system/layers/base/org/wildfly/openssl
./modules/system/layers/base/org/wildfly/openssl/main/wildfly-openssl-java-1.1.0.Final-redhat-00001.jar
./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-sparcv9/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-x86_64/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/win-x86_64/wfssl.dll
./modules/system/layers/base/org/wildfly/openssl/main/lib/win-i386/wfssl.dll
./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-s390x/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/el8-x86_64/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/el7-x86_64/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-x86_64/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-i386/libwfssl.so
./modules/system/layers/base/org/wildfly/security/elytron-private/main/wildfly-elytron-ssl-1.12.1.Final-redhat-00001.jar

is cloned by

WFSSL-34 libwfssl is not detected by EAP automatically -> cannot use OpenSSL security provider

Resolved

relates to

MODULES-400 Automatically set the os.name if the -Djboss.modules.os-name property has not already been specified when running on RHEL platforms

Resolved

WFCORE-5069 libwfssl is not detected by EAP automatically -> cannot use OpenSSL security provider

Closed

WFSSL-35 Release WildFly OpenSSL 1.1.1.Final

Resolved

WFSSL-39 Update the OS-version-specific category that's added to the native search path to match the format used by JBoss Modules

Resolved

WFSSL-40 Update the directory names that are used for the RHEL natives

Resolved

WFSSL-41 Release WildFly OpenSSL 1.1.2.Final

Resolved

WFCORE-5050 Upgrade WildFly OpenSSL to 1.1.1.Final

Closed

WFCORE-5074 Upgrade JBoss Modules to 1.10.2.Final

Closed

WFCORE-5075 Upgrade WildFly OpenSSL to 1.1.2.Final

Closed

(5 relates to)

Assignee:: Farah Juma

Reporter:: Jan Stourac

Tester:: Jan Stourac

QA Contact:: Jan Stourac

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2020/07/10 10:05 AM

Updated:: 2024/08/27 1:54 PM

Resolved:: 2020/08/25 10:27 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates