- Bug
- Resolution: Done
- Major
I see test failures from KerberosNativeMgmtSaslTestCase in wildfly-core-eap:10.1.x branch using JDK 8:
cd wildfly-core/testsuite/elytron
mvn clean install -Dtest=KerberosHttpMgmtSaslTestCase,KerberosNativeMgmtSaslTestCase
[🎩 lgao@lins-p1 elytron]$ java -version
openjdk version "1.8.0_392"
OpenJDK Runtime Environment (build 1.8.0_392-b08)
OpenJDK 64-Bit Server VM (build 25.392-b08, mixed mode)
Running org.wildfly.test.integration.elytron.sasl.mgmt.KerberosHttpMgmtSaslTestCase
Tests run: 7, Failures: 0, Errors: 6, Skipped: 0, Time elapsed: 2.1 sec <<< FAILURE! - in org.wildfly.test.integration.elytron.sasl.mgmt.KerberosHttpMgmtSaslTestCase
testGs2Krb5PlusWithoutSsl(org.wildfly.test.integration.elytron.sasl.mgmt.KerberosHttpMgmtSaslTestCase) Time elapsed: 0.285 sec <<< ERROR!
javax.security.auth.login.LoginException: no supported default etypes for default_tkt_enctypes
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:810)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at org.wildfly.test.security.common.kerberos.KerberosTestUtils.loginWithKerberos(KerberosTestUtils.java:102)
    at org.wildfly.test.integration.elytron.sasl.mgmt.AbstractKerberosMgmtSaslTestBase.assertKerberosSaslMechFails(AbstractKerberosMgmtSaslTestBase.java:265)
    at org.wildfly.test.integration.elytron.sasl.mgmt.AbstractKerberosMgmtSaslTestBase.testGs2Krb5PlusWithoutSsl(AbstractKerberosMgmtSaslTestBase.java:215)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
The cause is "Deprecate 3DES and RC4 in Kerberos" (JDK-8139348). The RN mentions that "Users can set allow_weak_crypto = true in the krb5.conf configuration file to re-enable". This is actually what we have already configured in https://github.com/wildfly/wildfly/blob/27.0.1.Final/testsuite/shared/src/main/resources/org/jboss/as/test/integration/security/common/krb5.conf#LL8 for our testsuite, but the value is incorrect; it should be allow_weak_crypto = true instead.
The allow_weak_crypto attribute is described here: https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults
NOTE: this does not have any effect when using JDK11; it only occurs on JDK 8, so it does not affect EAP8.
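An added example, not part of the original report or of the WildFly test suite: a small lint for the [libdefaults] section of a krb5.conf that flags the combination behind "no supported default etypes", namely an enctype list made up only of 3DES/RC4 entries while allow_weak_crypto is not enabled. It assumes the literal value "true" quoted from the release note is the only one that enables weak crypto; the sample file, its "yes" value and the function names are constructed for illustration.

```python
# 3DES and RC4 enctype names as spelled in the MIT krb5.conf documentation.
WEAK_ETYPES = {"des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd",
               "arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"}
ETYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample, not the WildFly test-suite file; the value "yes" is made up.
SAMPLE = """\
[libdefaults]
    allow_weak_crypto = yes
    default_tkt_enctypes = des3-cbc-sha1 rc4-hmac
    default_tgs_enctypes = aes128-cts des3-cbc-sha1
[realms]
    EXAMPLE.TEST = {
        kdc = localhost:6088
    }
"""

def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section only."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]               # entering a new section
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def audit(text):
    """Report settings that leave the client with only deprecated enctypes."""
    conf = parse_libdefaults(text)
    setting = conf.get("allow_weak_crypto")
    # Assumption: only the literal "true" from the release note enables weak crypto.
    weak_enabled = setting == "true"
    findings = []
    if setting not in (None, "true", "false"):
        findings.append(f"allow_weak_crypto = {setting!r} is not the literal true/false")
    for key in ETYPE_KEYS:
        etypes = conf.get(key, "").lower().replace(",", " ").split()
        if etypes and not weak_enabled and all(e in WEAK_ETYPES for e in etypes):
            findings.append(f"{key} lists only 3DES/RC4 enctypes: {' '.join(etypes)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Running it over a test suite's krb5.conf before the Kerberos tests start turns the LoginException above into a named configuration finding.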
- clones: JBEAP-27378 (7.4.z) Incorrect allow_weak_crypto value in krb5.conf file in core/testsuite/elytron (Verified)
- is cloned by: JBEAP-27389 (7.2.z) Incorrect allow_weak_crypto value in krb5.conf file in core/testsuite/elytron (Pull Request Sent)