Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-22559

(8.0.0) WFLY-15274 - Make JBoss EAP able to use latest OpenSSL 3.0.0 libraries

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 8.0.0.Beta-CR1
    • 7.4.1.GA
    • Security
    • None
    • False
    • False
    • Rejected
    • Hide
      • download OpenSSL 3.0.0 sources from https://www.openssl.org/source/openssl-3.0.0.tar.gz and extract them
      • install prerequisities described in `Install.md` file of the OpenSSL sources (I had to install following Perl5 packages on my Fedora 34 system: perl-File-Copy.noarch perl-IPC-Cmd.noarch perl-FindBin.noarch perl-File-Compare.noarch perl-Test-Harness.noarch perl-Test-More-UTF8.noarch)
      • in the extracted OpenSSL sources directory execute: 
        ./Configure && make && make test
      • download latest WildFly build https://download.jboss.org/wildfly/24.0.1.Final/wildfly-24.0.1.Final.zip
      • unzip somewhere and start server pointing it to the OpenSSL built libraries: 
        ./wildfly-24.0.1.Final/bin/standalone.sh -Dorg.wildfly.openssl.path=/home/jstourac/workspace/tmp/openssl/openssl-3.0.0
      • in a new terminal connect to the servers CLI via: 
        ./wildfly-24.0.1.Final/bin/jboss-cli.sh -c
      • and perform following commands to enable use of OpenSSL libraries by the server: 
        /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS)/core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS)
reload
      • we expect to see correct reload operation with a following message like this: 
        10:51:02,271 INFO [org.wildfly.openssl.SSL] (MSC service thread 1-5) WFOPENSSL0002 OpenSSL Version OpenSSL 3.0.0
      • but instead we can see error as server cannot reload successfully with latest OpenSSL 3.0.0 release
      Show
      download OpenSSL 3.0.0 sources from https://www.openssl.org/source/openssl-3.0.0.tar.gz and extract them install prerequisities described in `Install.md` file of the OpenSSL sources (I had to install following Perl5 packages on my Fedora 34 system: perl-File-Copy.noarch perl-IPC-Cmd.noarch perl-FindBin.noarch perl-File-Compare.noarch perl-Test-Harness.noarch perl-Test-More-UTF8.noarch ) in the extracted OpenSSL sources directory execute: ./Configure && make && make test download latest WildFly build https://download.jboss.org/wildfly/24.0.1.Final/wildfly-24.0.1.Final.zip unzip somewhere and start server pointing it to the OpenSSL built libraries: ./wildfly-24.0.1.Final/bin/standalone.sh -Dorg.wildfly.openssl.path=/home/jstourac/workspace/tmp/openssl/openssl-3.0.0 in a new terminal connect to the servers CLI via: ./wildfly-24.0.1.Final/bin/jboss-cli.sh -c and perform following commands to enable use of OpenSSL libraries by the server: /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS)/core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS) reload we expect to see correct reload operation with a following message like this: 10:51:02,271 INFO [org.wildfly.openssl.SSL] (MSC service thread 1-5) WFOPENSSL0002 OpenSSL Version OpenSSL 3.0.0 but instead we can see error as server cannot reload successfully with latest OpenSSL 3.0.0 release

    Description

      Latest release of WildFly 24.0.1 isn't able to use recently released OpenSSL 3.0.0 libraries with its wildfly-openssl project.

      One can see the following error during the server startup/reload operation when OpenSSL 3.0.0 build is used:

      10:54:01,843 INFO  [org.jboss.as.server.deployment.scanner] (MSC service thread 1-7) WFLYDS0013: Started FileSystemDeploymentService for directory /tmp/openssl-check/wildfly-24.0.1.Final/standalone/deployments
10:54:01,852 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service
	at org.jboss.as.domain-management@16.0.1.Final//org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:116)
	at org.jboss.msc@1.4.12.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
	at org.jboss.msc@1.4.12.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
	at org.jboss.msc@1.4.12.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: openssl.TLS, provider: openssl, class: org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLSContextSpi)
	at java.base/java.security.Provider$Service.newInstance(Provider.java:1901)
	at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
	at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
	at java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:168)
	at org.jboss.as.domain-management@16.0.1.Final//org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:105)
	... 8 more
Caused by: java.lang.IllegalStateException: Could not load required symbol from libssl: SSL_get_peer_certificate
	at org.wildfly.openssl@2.1.4.Final//org.wildfly.openssl.SSLImpl.initialize0(Native Method)
	at org.wildfly.openssl@2.1.4.Final//org.wildfly.openssl.SSLImpl.initialize(SSLImpl.java:33)
	at org.wildfly.openssl@2.1.4.Final//org.wildfly.openssl.SSL.init(SSL.java:194)
	at org.wildfly.openssl@2.1.4.Final//org.wildfly.openssl.OpenSSLContextSPI.<init>(OpenSSLContextSPI.java:137)
	at org.wildfly.openssl@2.1.4.Final//org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLSContextSpi.<init>(OpenSSLContextSPI.java:448)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
	at java.base/java.security.Provider.newInstanceUtil(Provider.java:154)
	at java.base/java.security.Provider$Service.newInstance(Provider.java:1894)
	... 12 more

10:54:01,923 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("core-service" => "management"),
    ("security-realm" => "ApplicationRealm")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context" => "WFLYDM0018: Unable to start service
    Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: openssl.TLS, provider: openssl, class: org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLSContextSpi)
    Caused by: java.lang.IllegalStateException: Could not load required symbol from libssl: SSL_get_peer_certificate"}}
10:54:01,929 INFO  [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report
WFLYCTL0186:   Services which failed to start:      service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service
WFLYCTL0448: 2 additional services are down due to their dependencies being missing or failed
10:54:01,958 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
10:54:01,959 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: WildFly Full 24.0.1.Final (WildFly Core 16.0.1.Final) started (with errors) in 2494ms - Started 309 of 556 services (6 services failed or missing dependencies, 344 services are lazy, passive or on-demand)

      See Steps to Reproduce for more info.

      I know that WildFly 24.0.1 was released before the OpenSSL 3.0.0 was out so this may be expected. It would be nice to have this fixed in some of the upcoming WildFly releases though.

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. WFLY-15274 Make WildFly able to use latest OpenSSL 3.0.0 libraries

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is caused by

          Feature Request - Feature requests from customers and/or users SSLNTV-13 Add support for openssl 3.0.0

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. WFSSL-80 Add support for openssl 3.0.0

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-22563 (7.4.z) WFLY-15274 - Make JBoss EAP able to use latest OpenSSL 3.0.0 libraries

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified

          Activity

            People

              fjuma1@redhat.com Farah Juma
              jstourac@redhat.com Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: