Loading...

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 27.0.0.Final
Affects Version/s: 24.0.1.Final
Component/s: Security
Labels:
- downstream_dependency

Steps to Reproduce:
Hide

download OpenSSL 3.0.0 sources from https://www.openssl.org/source/openssl-3.0.0.tar.gz and extract them

install prerequisities described in `Install.md` file of the OpenSSL sources (I had to install following Perl5 packages on my Fedora 34 system: perl-File-Copy.noarch perl-IPC-Cmd.noarch perl-FindBin.noarch perl-File-Compare.noarch perl-Test-Harness.noarch perl-Test-More-UTF8.noarch)

in the extracted OpenSSL sources directory execute:

./Configure && make && make test

download latest WildFly build https://download.jboss.org/wildfly/24.0.1.Final/wildfly-24.0.1.Final.zip

unzip somewhere and start server pointing it to the OpenSSL built libraries:

./wildfly-24.0.1.Final/bin/standalone.sh -Dorg.wildfly.openssl.path=/home/jstourac/workspace/tmp/openssl/openssl-3.0.0

in a new terminal connect to the servers CLI via:

./wildfly-24.0.1.Final/bin/jboss-cli.sh -c

and perform following commands to enable use of OpenSSL libraries by the server:

/core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS)/core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS) reload

we expect to see correct reload operation with a following message like this:

10:51:02,271 INFO [org.wildfly.openssl.SSL] (MSC service thread 1-5) WFOPENSSL0002 OpenSSL Version OpenSSL 3.0.0

but instead we can see error as server cannot reload successfully with latest OpenSSL 3.0.0 release
Show
download OpenSSL 3.0.0 sources from https://www.openssl.org/source/openssl-3.0.0.tar.gz and extract them install prerequisities described in `Install.md` file of the OpenSSL sources (I had to install following Perl5 packages on my Fedora 34 system: perl-File-Copy.noarch perl-IPC-Cmd.noarch perl-FindBin.noarch perl-File-Compare.noarch perl-Test-Harness.noarch perl-Test-More-UTF8.noarch ) in the extracted OpenSSL sources directory execute: ./Configure && make && make test download latest WildFly build https://download.jboss.org/wildfly/24.0.1.Final/wildfly-24.0.1.Final.zip unzip somewhere and start server pointing it to the OpenSSL built libraries: ./wildfly-24.0.1.Final/bin/standalone.sh -Dorg.wildfly.openssl.path=/home/jstourac/workspace/tmp/openssl/openssl-3.0.0 in a new terminal connect to the servers CLI via: ./wildfly-24.0.1.Final/bin/jboss-cli.sh -c and perform following commands to enable use of OpenSSL libraries by the server: /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS)/core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS) reload we expect to see correct reload operation with a following message like this: 10:51:02,271 INFO [org.wildfly.openssl.SSL] (MSC service thread 1-5) WFOPENSSL0002 OpenSSL Version OpenSSL 3.0.0 but instead we can see error as server cannot reload successfully with latest OpenSSL 3.0.0 release

Latest release of WildFly 24.0.1 isn't able to use recently released OpenSSL 3.0.0 libraries with its wildfly-openssl project.

One can see the following error during the server startup/reload operation when OpenSSL 3.0.0 build is used:

10:54:01,843 INFO  [org.jboss.as.server.deployment.scanner] (MSC service thread 1-7) WFLYDS0013: Started FileSystemDeploymentService for directory /tmp/openssl-check/wildfly-24.0.1.Final/standalone/deployments
10:54:01,852 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service
	at org.jboss.as.domain-management@16.0.1.Final//org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:116)
	at org.jboss.msc@1.4.12.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
	at org.jboss.msc@1.4.12.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
	at org.jboss.msc@1.4.12.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: openssl.TLS, provider: openssl, class: org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLSContextSpi)
	at java.base/java.security.Provider$Service.newInstance(Provider.java:1901)
	at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
	at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
	at java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:168)
	at org.jboss.as.domain-management@16.0.1.Final//org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:105)
	... 8 more
Caused by: java.lang.IllegalStateException: Could not load required symbol from libssl: SSL_get_peer_certificate
	at org.wildfly.openssl@2.1.4.Final//org.wildfly.openssl.SSLImpl.initialize0(Native Method)
	at org.wildfly.openssl@2.1.4.Final//org.wildfly.openssl.SSLImpl.initialize(SSLImpl.java:33)
	at org.wildfly.openssl@2.1.4.Final//org.wildfly.openssl.SSL.init(SSL.java:194)
	at org.wildfly.openssl@2.1.4.Final//org.wildfly.openssl.OpenSSLContextSPI.<init>(OpenSSLContextSPI.java:137)
	at org.wildfly.openssl@2.1.4.Final//org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLSContextSpi.<init>(OpenSSLContextSPI.java:448)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
	at java.base/java.security.Provider.newInstanceUtil(Provider.java:154)
	at java.base/java.security.Provider$Service.newInstance(Provider.java:1894)
	... 12 more

10:54:01,923 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("core-service" => "management"),
    ("security-realm" => "ApplicationRealm")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context" => "WFLYDM0018: Unable to start service
    Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: openssl.TLS, provider: openssl, class: org.wildfly.openssl.OpenSSLContextSPI$OpenSSLTLSContextSpi)
    Caused by: java.lang.IllegalStateException: Could not load required symbol from libssl: SSL_get_peer_certificate"}}
10:54:01,929 INFO  [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report
WFLYCTL0186:   Services which failed to start:      service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service
WFLYCTL0448: 2 additional services are down due to their dependencies being missing or failed
10:54:01,958 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
10:54:01,959 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: WildFly Full 24.0.1.Final (WildFly Core 16.0.1.Final) started (with errors) in 2494ms - Started 309 of 556 services (6 services failed or missing dependencies, 344 services are lazy, passive or on-demand)

See Steps to Reproduce for more info.

I know that WildFly 24.0.1 was released before the OpenSSL 3.0.0 was out so this may be expected. It would be nice to have this fixed in some of the upcoming WildFly releases though.

is caused by

WFSSL-80 Add support for openssl 3.0.0

Resolved

is cloned by

JBEAP-22559 (8.0.0) WFLY-15274 - Make JBoss EAP able to use latest OpenSSL 3.0.0 libraries

Closed

JBEAP-22563 (7.4.z) WFLY-15274 - Make JBoss EAP able to use latest OpenSSL 3.0.0 libraries

Closed

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates