Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-19895

libwfssl is not detected by EAP automatically -> cannot use OpenSSL security provider

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 7.4.0.CD21
    • 7.4.0.CD20-CR1
    • Security, Undertow
    • None
    • Hide

      There exists workaround to manually tell the server path to the `libwfssl` library, e.g.:

      $ find . -name *ssl*
./modules/system/layers/base/org/wildfly/openssl
./modules/system/layers/base/org/wildfly/openssl/main/wildfly-openssl-java-1.1.0.Final-redhat-00001.jar
./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-sparcv9/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-x86_64/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/win-x86_64/wfssl.dll
./modules/system/layers/base/org/wildfly/openssl/main/lib/win-i386/wfssl.dll
./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-s390x/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/el8-x86_64/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/el7-x86_64/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-x86_64/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-i386/libwfssl.so
./modules/system/layers/base/org/wildfly/security/elytron-private/main/wildfly-elytron-ssl-1.12.1.Final-redhat-00001.jar
$ pwd
/tmp/jboss-eap-7.4
$ ./bin/standalone.sh -Dorg.wildfly.openssl.libwfssl.path=/tmp/jboss-eap-7.4/modules/system/layers/base/org/wildfly/openssl/main/lib/el8-x86_64/libwfssl.so

      Now the server starts with no issues and HTTPS connection seems just fine too.

      Show
      There exists workaround to manually tell the server path to the `libwfssl` library, e.g.: $ find . -name *ssl* ./modules/system/layers/base/org/wildfly/openssl ./modules/system/layers/base/org/wildfly/openssl/main/wildfly-openssl-java-1.1.0.Final-redhat-00001.jar ./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-sparcv9/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-x86_64/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/win-x86_64/wfssl.dll ./modules/system/layers/base/org/wildfly/openssl/main/lib/win-i386/wfssl.dll ./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-s390x/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/el8-x86_64/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/el7-x86_64/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-x86_64/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-i386/libwfssl.so ./modules/system/layers/base/org/wildfly/security/elytron- private /main/wildfly-elytron-ssl-1.12.1.Final-redhat-00001.jar $ pwd /tmp/jboss-eap-7.4 $ ./bin/standalone.sh -Dorg.wildfly.openssl.libwfssl.path=/tmp/jboss-eap-7.4/modules/system/layers/base/org/wildfly/openssl/main/lib/el8-x86_64/libwfssl.so Now the server starts with no issues and HTTPS connection seems just fine too.
    • Hide
      1. Unzip server
      2. Start server ./bin/standalone.sh &
      3. Configure OpenSSL provider: 
        /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS)
reload
      4. see errors in the log
      Show
      Unzip server Start server ./bin/standalone.sh & Configure OpenSSL provider: /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS) reload see errors in the log

    Description

      Looks like detection of `libwfssl` is broken in current build. When I try to configure OpenSSL security provider in legacy security, I can see following errors in standalone.log:

      15:39:44,704 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service15:39:44,704 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:116) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739) at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701) at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) at java.lang.Thread.run(Thread.java:748)Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: openssl.TLSv1.2, provider: openssl, class: org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLS_1_2_ContextSpi) at java.security.Provider$Service.newInstance(Provider.java:1617) at sun.security.jca.GetInstance.getInstance(GetInstance.java:236) at sun.security.jca.GetInstance.getInstance(GetInstance.java:164) at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156) at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:105) ... 8 moreCaused by: java.lang.RuntimeException: java.lang.reflect.InvocationTargetException at org.wildfly.openssl.SSL.init(SSL.java:87) at org.wildfly.openssl.OpenSSLContextSPI.<init>(OpenSSLContextSPI.java:129) at org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLS_1_2_ContextSpi.<init>(OpenSSLContextSPI.java:484) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at java.security.Provider$Service.newInstance(Provider.java:1595) ... 12 moreCaused by: java.lang.reflect.InvocationTargetException at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.wildfly.openssl.SSL.init(SSL.java:82) ... 19 moreCaused by: java.lang.UnsatisfiedLinkError: no wfssl in java.library.path at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1860) at java.lang.Runtime.loadLibrary0(Runtime.java:870) at java.lang.System.loadLibrary(System.java:1124) at org.wildfly.openssl.SSL$LibraryLoader.load(SSL.java:288) ... 24 more
15:39:44,818 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([    ("core-service" => "management"),    ("security-realm" => "ApplicationRealm")]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context" => "WFLYDM0018: Unable to start service    Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: openssl.TLSv1.2, provider: openssl, class: org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLS_1_2_ContextSpi)    Caused by: java.lang.RuntimeException: java.lang.reflect.InvocationTargetException    Caused by: java.lang.reflect.InvocationTargetException    Caused by: java.lang.UnsatisfiedLinkError: no wfssl in java.library.path"}}

       

      This is a regression against previous release - EAP7.3.1. Expected behaviour is no error in the log, libwfssl is loaded successfully and OpenSSL is correctly used for TLS connections.

      Note - there has been a change in the location of the particular libwfssl native binaries in the distribution, see https://github.com/wildfly-security/wildfly-openssl/commit/c5c07d3dc0d6376409a028ffcff9af35dbc1b616

      7.3.1
      $ find . -name *wfssl*
./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-sparcv9/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-x86_64/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/win-x86_64/wfssl.dll
./modules/system/layers/base/org/wildfly/openssl/main/lib/win-i386/wfssl.dll
./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-i386/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-s390x/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-x86_64/libwfssl.so

      and

      7.4.0.CD20-CR1
      $ find . -name *ssl*
./modules/system/layers/base/org/wildfly/openssl
./modules/system/layers/base/org/wildfly/openssl/main/wildfly-openssl-java-1.1.0.Final-redhat-00001.jar
./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-sparcv9/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-x86_64/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/win-x86_64/wfssl.dll
./modules/system/layers/base/org/wildfly/openssl/main/lib/win-i386/wfssl.dll
./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-s390x/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/el8-x86_64/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/el7-x86_64/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-x86_64/libwfssl.so
./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-i386/libwfssl.so
./modules/system/layers/base/org/wildfly/security/elytron-private/main/wildfly-elytron-ssl-1.12.1.Final-redhat-00001.jar

       

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. WFSSL-34 libwfssl is not detected by EAP automatically -> cannot use OpenSSL security provider

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          relates to

          Bug - A problem that impairs or prevents the functions of the product. MODULES-400 Automatically set the os.name if the -Djboss.modules.os-name property has not already been specified when running on RHEL platforms

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Bug - A problem that impairs or prevents the functions of the product. WFCORE-5069 libwfssl is not detected by EAP automatically -> cannot use OpenSSL security provider

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Task - Represents a small unit of work that is not end-user facing. WFSSL-35 Release WildFly OpenSSL 1.1.1.Final

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Task - Represents a small unit of work that is not end-user facing. WFSSL-39 Update the OS-version-specific category that's added to the native search path to match the format used by JBoss Modules

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Task - Represents a small unit of work that is not end-user facing. WFSSL-40 Update the directory names that are used for the RHEL natives

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Task - Represents a small unit of work that is not end-user facing. WFSSL-41 Release WildFly OpenSSL 1.1.2.Final

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFCORE-5050 Upgrade WildFly OpenSSL to 1.1.1.Final

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFCORE-5074 Upgrade JBoss Modules to 1.10.2.Final

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFCORE-5075 Upgrade WildFly OpenSSL to 1.1.2.Final

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              fjuma1@redhat.com Farah Juma
              jstourac@redhat.com Jan Stourac
              Jan Stourac Jan Stourac
              Jan Stourac Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: