JBoss Enterprise Application Platform / JBEAP-22563

(7.4.z) WFLY-15274 - Make JBoss EAP able to use latest OpenSSL 3.0.0 libraries


    • Bug
    • Resolution: Done
    • Critical
    • 7.4.4.CR1, 7.4.4.GA
    • 7.4.1.GA
    • Security
    • None
    • False
    • False
    • Steps to Reproduce:
      • download OpenSSL 3.0.0 sources from https://www.openssl.org/source/openssl-3.0.0.tar.gz and extract them
      • install the prerequisites described in the `Install.md` file of the OpenSSL sources (I had to install the following Perl5 packages on my Fedora 34 system: perl-File-Copy.noarch perl-IPC-Cmd.noarch perl-FindBin.noarch perl-File-Compare.noarch perl-Test-Harness.noarch perl-Test-More-UTF8.noarch)
      • in the extracted OpenSSL sources directory execute:
        ./Configure && make && make test
        
      • unzip the JBoss EAP 7.4.1.GA server somewhere and start the server, pointing it to the built OpenSSL libraries:
        ./jboss-eap-7.4/bin/standalone.sh -Dorg.wildfly.openssl.path=/home/jstourac/workspace/tmp/openssl/openssl-3.0.0
        
      • in a new terminal, connect to the server's CLI via:
        ./jboss-eap-7.4/bin/jboss-cli.sh -c
        
      • and run the following commands to enable use of the OpenSSL libraries by the server:
        /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS)
        reload
        
      • we expect to see a correct reload operation with a message like the following:
        10:51:02,271 INFO [org.wildfly.openssl.SSL] (MSC service thread 1-5) WFOPENSSL0002 OpenSSL Version OpenSSL 3.0.0
        
      • but instead we see an error, as the server cannot reload successfully with the latest OpenSSL 3.0.0 release

      The latest release of JBoss EAP 7.4.1 isn't able to use the recently released OpenSSL 3.0.0 libraries with its wildfly-openssl project.

      One can see the following error during the server startup/reload operation when an OpenSSL 3.0.0 build is used:

      00:24:52,701 INFO  [org.jboss.as.server.deployment.scanner] (MSC service thread 1-7) WFLYDS0013: Started FileSystemDeploymentService for directory /tmp/repro/jboss-eap-7.4/standalone/deployments
      00:24:52,712 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service
      	at org.jboss.as.domain-management@15.0.4.Final-redhat-00001//org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:116)
      	at org.jboss.msc@1.4.12.Final-redhat-00001//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
      	at org.jboss.msc@1.4.12.Final-redhat-00001//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
      	at org.jboss.msc@1.4.12.Final-redhat-00001//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
      	at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
      	at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
      	at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
      	at java.base/java.lang.Thread.run(Thread.java:829)
      Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: openssl.TLS, provider: openssl, class: org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLSContextSpi)
      	at java.base/java.security.Provider$Service.newInstance(Provider.java:1901)
      	at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
      	at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
      	at java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:168)
      	at org.jboss.as.domain-management@15.0.4.Final-redhat-00001//org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:105)
      	... 8 more
      Caused by: java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
      	at org.wildfly.openssl@2.1.3.Final-redhat-00001//org.wildfly.openssl.SSL.init(SSL.java:87)
      	at org.wildfly.openssl@2.1.3.Final-redhat-00001//org.wildfly.openssl.OpenSSLContextSPI.<init>(OpenSSLContextSPI.java:137)
      	at org.wildfly.openssl@2.1.3.Final-redhat-00001//org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLSContextSpi.<init>(OpenSSLContextSPI.java:448)
      	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
      	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
      	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
      	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
      	at java.base/java.security.Provider.newInstanceUtil(Provider.java:154)
      	at java.base/java.security.Provider$Service.newInstance(Provider.java:1894)
      	... 12 more
      Caused by: java.lang.reflect.InvocationTargetException
      	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
      	at org.wildfly.openssl@2.1.3.Final-redhat-00001//org.wildfly.openssl.SSL.init(SSL.java:82)
      	... 20 more
      Caused by: java.lang.UnsatisfiedLinkError: no wfssl in java.library.path: [/usr/java/packages/lib, /usr/lib64, /lib64, /lib, /usr/lib]
      	at java.base/java.lang.ClassLoader.loadLibrary(ClassLoader.java:2670)
      	at java.base/java.lang.Runtime.loadLibrary0(Runtime.java:830)
      	at java.base/java.lang.System.loadLibrary(System.java:1873)
      	at org.wildfly.openssl.SSL$LibraryLoader.load(SSL.java:288)
      	... 25 more
      
      00:24:52,733 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
          ("core-service" => "management"),
          ("security-realm" => "ApplicationRealm")
      ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context" => "WFLYDM0018: Unable to start service
          Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: openssl.TLS, provider: openssl, class: org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLSContextSpi)
          Caused by: java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
          Caused by: java.lang.reflect.InvocationTargetException
          Caused by: java.lang.UnsatisfiedLinkError: no wfssl in java.library.path: [/usr/java/packages/lib, /usr/lib64, /lib64, /lib, /usr/lib]"}}
      

      See Steps to Reproduce for more info.

      It looks like OpenSSL 3.0.0 will be part of the RHEL9 release. To be able to certify the JBoss EAP 7.4.x stream against RHEL9, we need to support that version of OpenSSL in EAP too.

              rhn-support-rmartinc Ricardo Martin Camarero
              jstourac@redhat.com Jan Stourac
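
An added example, not part of the issue or of the wildfly-openssl project: a shell function that classifies a server log by the two outcomes named in the steps to reproduce, the WFOPENSSL0002 version message or the failed ssl-context service, and reports the deepest "Caused by" line of the failure. The function names and the abbreviated sample log are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the issue): report whether wildfly-openssl loaded
# the native OpenSSL library, using markers that appear in the issue's logs.
# Output: "loaded:<version>", "failed:<deepest cause>" or "unknown".
# When a log holds several attempts (e.g. after a reload), the last one wins.
check_openssl_load() {
    awk '
        function after(key) { return substr($0, index($0, key) + length(key)) }
        # Success marker, e.g. "WFOPENSSL0002 OpenSSL Version OpenSSL 3.0.0"
        /WFOPENSSL0002/ { result = "loaded"; version = after("OpenSSL Version ") }
        # Failure marker: the ssl-context service did not start
        /MSC000001: Failed to start service/ && /ssl-context/ {
            result = "failed"; cause = "no cause recorded"; intrace = 1; next
        }
        # The next timestamped record ends the stack trace
        intrace && /^ *[0-9][0-9]:[0-9][0-9]:[0-9][0-9],/ { intrace = 0 }
        # Keep the last "Caused by:" of the trace, which is the root cause
        intrace && /Caused by: / { cause = after("Caused by: ") }
        END {
            if (result == "loaded")      print "loaded:" version
            else if (result == "failed") print "failed:" cause
            else                         print "unknown"
        }
    ' "$1"
}

# Constructed sample, abbreviated from the log lines quoted in the issue.
sample_failed_log() {
    cat <<'EOF'
00:24:52,712 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: openssl.TLS, provider: openssl, class: org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLSContextSpi)
Caused by: java.lang.UnsatisfiedLinkError: no wfssl in java.library.path: [/usr/java/packages/lib, /usr/lib64, /lib64, /lib, /usr/lib]
    at java.base/java.lang.ClassLoader.loadLibrary(ClassLoader.java:2670)
00:24:52,733 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed
    Caused by: java.lang.UnsatisfiedLinkError: no wfssl in java.library.path"}}
EOF
}

# Run the check over the constructed sample.
demo() {
    local f; f=$(mktemp)
    sample_failed_log > "$f"
    check_openssl_load "$f"
    rm -f "$f"
}
```

Point `check_openssl_load` at the server's log file after the `reload` step to see which outcome occurred.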