Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-5069

libwfssl is not detected by EAP automatically -> cannot use OpenSSL security provider

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 13.0.0.Beta5, 13.0.0.Final
    • None
    • None
    • None
    • Hide
      1. Unzip server
      2. Start server ./bin/standalone.sh &
      3. Configure OpenSSL provider:
        /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS)
        reload
        
      4. see errors in the log
      Show
      Unzip server Start server ./bin/standalone.sh & Configure OpenSSL provider: /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS) reload see errors in the log
    • Hide

      There exists workaround to manually tell the server path to the `libwfssl` library, e.g.:

      $ find . -name *ssl*
      ./modules/system/layers/base/org/wildfly/openssl
      ./modules/system/layers/base/org/wildfly/openssl/main/wildfly-openssl-java-1.1.0.Final-redhat-00001.jar
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-sparcv9/libwfssl.so
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-x86_64/libwfssl.so
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/win-x86_64/wfssl.dll
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/win-i386/wfssl.dll
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-s390x/libwfssl.so
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/el8-x86_64/libwfssl.so
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/el7-x86_64/libwfssl.so
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-x86_64/libwfssl.so
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-i386/libwfssl.so
      ./modules/system/layers/base/org/wildfly/security/elytron-private/main/wildfly-elytron-ssl-1.12.1.Final-redhat-00001.jar
      $ pwd
      /tmp/jboss-eap-7.4
      $ ./bin/standalone.sh -Dorg.wildfly.openssl.libwfssl.path=/tmp/jboss-eap-7.4/modules/system/layers/base/org/wildfly/openssl/main/lib/el8-x86_64/libwfssl.so 

      Now the server starts with no issues and HTTPS connection seems just fine too.

      Show
      There exists workaround to manually tell the server path to the `libwfssl` library, e.g.: $ find . -name *ssl* ./modules/system/layers/base/org/wildfly/openssl ./modules/system/layers/base/org/wildfly/openssl/main/wildfly-openssl-java-1.1.0.Final-redhat-00001.jar ./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-sparcv9/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-x86_64/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/win-x86_64/wfssl.dll ./modules/system/layers/base/org/wildfly/openssl/main/lib/win-i386/wfssl.dll ./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-s390x/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/el8-x86_64/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/el7-x86_64/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-x86_64/libwfssl.so ./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-i386/libwfssl.so ./modules/system/layers/base/org/wildfly/security/elytron- private /main/wildfly-elytron-ssl-1.12.1.Final-redhat-00001.jar $ pwd /tmp/jboss-eap-7.4 $ ./bin/standalone.sh -Dorg.wildfly.openssl.libwfssl.path=/tmp/jboss-eap-7.4/modules/system/layers/base/org/wildfly/openssl/main/lib/el8-x86_64/libwfssl.so Now the server starts with no issues and HTTPS connection seems just fine too.

      Looks like detection of `libwfssl` is broken in current build. When I try to configure OpenSSL security provider in legacy security, I can see following errors in standalone.log:

      15:39:44,704 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service15:39:44,704 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:116) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739) at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701) at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) at java.lang.Thread.run(Thread.java:748)Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: openssl.TLSv1.2, provider: openssl, class: org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLS_1_2_ContextSpi) at java.security.Provider$Service.newInstance(Provider.java:1617) at sun.security.jca.GetInstance.getInstance(GetInstance.java:236) at sun.security.jca.GetInstance.getInstance(GetInstance.java:164) at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156) at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:105) ... 8 moreCaused by: java.lang.RuntimeException: java.lang.reflect.InvocationTargetException at org.wildfly.openssl.SSL.init(SSL.java:87) at org.wildfly.openssl.OpenSSLContextSPI.<init>(OpenSSLContextSPI.java:129) at org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLS_1_2_ContextSpi.<init>(OpenSSLContextSPI.java:484) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at java.security.Provider$Service.newInstance(Provider.java:1595) ... 12 moreCaused by: java.lang.reflect.InvocationTargetException at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.wildfly.openssl.SSL.init(SSL.java:82) ... 19 moreCaused by: java.lang.UnsatisfiedLinkError: no wfssl in java.library.path at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1860) at java.lang.Runtime.loadLibrary0(Runtime.java:870) at java.lang.System.loadLibrary(System.java:1124) at org.wildfly.openssl.SSL$LibraryLoader.load(SSL.java:288) ... 24 more
      15:39:44,818 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([    ("core-service" => "management"),    ("security-realm" => "ApplicationRealm")]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context" => "WFLYDM0018: Unable to start service    Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: openssl.TLSv1.2, provider: openssl, class: org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLS_1_2_ContextSpi)    Caused by: java.lang.RuntimeException: java.lang.reflect.InvocationTargetException    Caused by: java.lang.reflect.InvocationTargetException    Caused by: java.lang.UnsatisfiedLinkError: no wfssl in java.library.path"}} 

       

      This is a regression against previous release - EAP7.3.1. Expected behaviour is no error in the log, libwfssl is loaded successfully and OpenSSL is correctly used for TLS connections.

      Note - there has been a change in the location of the particular libwfssl native binaries in the distribution, see https://github.com/wildfly-security/wildfly-openssl/commit/c5c07d3dc0d6376409a028ffcff9af35dbc1b616

      7.3.1
      $ find . -name *wfssl*
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-sparcv9/libwfssl.so
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-x86_64/libwfssl.so
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/win-x86_64/wfssl.dll
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/win-i386/wfssl.dll
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-i386/libwfssl.so
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-s390x/libwfssl.so
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-x86_64/libwfssl.so
      

      and

      7.4.0.CD20-CR1
      $ find . -name *ssl*
      ./modules/system/layers/base/org/wildfly/openssl
      ./modules/system/layers/base/org/wildfly/openssl/main/wildfly-openssl-java-1.1.0.Final-redhat-00001.jar
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-sparcv9/libwfssl.so
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/solaris-x86_64/libwfssl.so
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/win-x86_64/wfssl.dll
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/win-i386/wfssl.dll
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/linux-s390x/libwfssl.so
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/el8-x86_64/libwfssl.so
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/el7-x86_64/libwfssl.so
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-x86_64/libwfssl.so
      ./modules/system/layers/base/org/wildfly/openssl/main/lib/el6-i386/libwfssl.so
      ./modules/system/layers/base/org/wildfly/security/elytron-private/main/wildfly-elytron-ssl-1.12.1.Final-redhat-00001.jar
      

       

              fjuma1@redhat.com Farah Juma
              fjuma1@redhat.com Farah Juma
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: