Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-22559

(8.0.0) WFLY-15274 - Make JBoss EAP able to use latest OpenSSL 3.0.0 libraries

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 8.0.0.Beta-CR1
    • 7.4.1.GA
    • Security
    • None
    • False
    • False
    • Rejected
    • Hide
      • download OpenSSL 3.0.0 sources from https://www.openssl.org/source/openssl-3.0.0.tar.gz and extract them
      • install prerequisities described in `Install.md` file of the OpenSSL sources (I had to install following Perl5 packages on my Fedora 34 system: perl-File-Copy.noarch perl-IPC-Cmd.noarch perl-FindBin.noarch perl-File-Compare.noarch perl-Test-Harness.noarch perl-Test-More-UTF8.noarch)
      • in the extracted OpenSSL sources directory execute:
        ./Configure && make && make test
        
      • download latest WildFly build https://download.jboss.org/wildfly/24.0.1.Final/wildfly-24.0.1.Final.zip
      • unzip somewhere and start server pointing it to the OpenSSL built libraries:
        ./wildfly-24.0.1.Final/bin/standalone.sh -Dorg.wildfly.openssl.path=/home/jstourac/workspace/tmp/openssl/openssl-3.0.0
        
      • in a new terminal connect to the servers CLI via:
        ./wildfly-24.0.1.Final/bin/jboss-cli.sh -c
        
      • and perform following commands to enable use of OpenSSL libraries by the server:
        /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS)/core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS)
        reload
        
      • we expect to see correct reload operation with a following message like this:
        10:51:02,271 INFO [org.wildfly.openssl.SSL] (MSC service thread 1-5) WFOPENSSL0002 OpenSSL Version OpenSSL 3.0.0
        
      • but instead we can see error as server cannot reload successfully with latest OpenSSL 3.0.0 release
      Show
      download OpenSSL 3.0.0 sources from https://www.openssl.org/source/openssl-3.0.0.tar.gz and extract them install prerequisities described in `Install.md` file of the OpenSSL sources (I had to install following Perl5 packages on my Fedora 34 system: perl-File-Copy.noarch perl-IPC-Cmd.noarch perl-FindBin.noarch perl-File-Compare.noarch perl-Test-Harness.noarch perl-Test-More-UTF8.noarch ) in the extracted OpenSSL sources directory execute: ./Configure && make && make test download latest WildFly build https://download.jboss.org/wildfly/24.0.1.Final/wildfly-24.0.1.Final.zip unzip somewhere and start server pointing it to the OpenSSL built libraries: ./wildfly-24.0.1.Final/bin/standalone.sh -Dorg.wildfly.openssl.path=/home/jstourac/workspace/tmp/openssl/openssl-3.0.0 in a new terminal connect to the servers CLI via: ./wildfly-24.0.1.Final/bin/jboss-cli.sh -c and perform following commands to enable use of OpenSSL libraries by the server: /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS)/core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS) reload we expect to see correct reload operation with a following message like this: 10:51:02,271 INFO [org.wildfly.openssl.SSL] (MSC service thread 1-5) WFOPENSSL0002 OpenSSL Version OpenSSL 3.0.0 but instead we can see error as server cannot reload successfully with latest OpenSSL 3.0.0 release

      Latest release of WildFly 24.0.1 isn't able to use recently released OpenSSL 3.0.0 libraries with its wildfly-openssl project.

      One can see the following error during the server startup/reload operation when OpenSSL 3.0.0 build is used:

      10:54:01,843 INFO  [org.jboss.as.server.deployment.scanner] (MSC service thread 1-7) WFLYDS0013: Started FileSystemDeploymentService for directory /tmp/openssl-check/wildfly-24.0.1.Final/standalone/deployments
      10:54:01,852 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service
      	at org.jboss.as.domain-management@16.0.1.Final//org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:116)
      	at org.jboss.msc@1.4.12.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
      	at org.jboss.msc@1.4.12.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
      	at org.jboss.msc@1.4.12.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
      	at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
      	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
      	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
      	at java.base/java.lang.Thread.run(Thread.java:829)
      Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: openssl.TLS, provider: openssl, class: org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLSContextSpi)
      	at java.base/java.security.Provider$Service.newInstance(Provider.java:1901)
      	at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
      	at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
      	at java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:168)
      	at org.jboss.as.domain-management@16.0.1.Final//org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:105)
      	... 8 more
      Caused by: java.lang.IllegalStateException: Could not load required symbol from libssl: SSL_get_peer_certificate
      	at org.wildfly.openssl@2.1.4.Final//org.wildfly.openssl.SSLImpl.initialize0(Native Method)
      	at org.wildfly.openssl@2.1.4.Final//org.wildfly.openssl.SSLImpl.initialize(SSLImpl.java:33)
      	at org.wildfly.openssl@2.1.4.Final//org.wildfly.openssl.SSL.init(SSL.java:194)
      	at org.wildfly.openssl@2.1.4.Final//org.wildfly.openssl.OpenSSLContextSPI.<init>(OpenSSLContextSPI.java:137)
      	at org.wildfly.openssl@2.1.4.Final//org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLSContextSpi.<init>(OpenSSLContextSPI.java:448)
      	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
      	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
      	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
      	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
      	at java.base/java.security.Provider.newInstanceUtil(Provider.java:154)
      	at java.base/java.security.Provider$Service.newInstance(Provider.java:1894)
      	... 12 more
      
      10:54:01,923 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
          ("core-service" => "management"),
          ("security-realm" => "ApplicationRealm")
      ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context" => "WFLYDM0018: Unable to start service
          Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: openssl.TLS, provider: openssl, class: org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLSContextSpi)
          Caused by: java.lang.IllegalStateException: Could not load required symbol from libssl: SSL_get_peer_certificate"}}
      10:54:01,929 INFO  [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report
      WFLYCTL0186:   Services which failed to start:      service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service
      WFLYCTL0448: 2 additional services are down due to their dependencies being missing or failed
      10:54:01,958 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
      10:54:01,959 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: WildFly Full 24.0.1.Final (WildFly Core 16.0.1.Final) started (with errors) in 2494ms - Started 309 of 556 services (6 services failed or missing dependencies, 344 services are lazy, passive or on-demand)
      

      See Steps to Reproduce for more info.

      I know that WildFly 24.0.1 was released before the OpenSSL 3.0.0 was out so this may be expected. It would be nice to have this fixed in some of the upcoming WildFly releases though.

              fjuma1@redhat.com Farah Juma
              jstourac@redhat.com Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: