Update to netty-tcnative 2.0.68.Final #14422

Status: Open. 2 commits to be merged into base branch 4.1.

@normanmaurer (Member) commented Oct 29, 2024

Motivation:

A new tcnative release is out

Modifications:

Update to 2.0.68.Final

Result:

Depend on latest release

@normanmaurer
Member Author

We will need a new tcnative release...

2024-10-29T13:56:29.9481349Z 	Suppressed: java.lang.UnsatisfiedLinkError: /tmp/libnetty_tcnative_linux_x86_6414354760954349521464.so: /tmp/libnetty_tcnative_linux_x86_6414354760954349521464.so: undefined symbol: _ZTVN10__cxxabiv117__class_type_infoE

working on a fix

@chrisvest
Contributor

I see a lot of log messages like

2024-10-29T14:27:53.4367239Z 14:27:53.421 [nioEventLoopGroup-12156-1] DEBUG i.n.h.s.ReferenceCountedOpenSslContext - verification of certificate failed
2024-10-29T14:27:53.4370287Z sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
2024-10-29T14:27:53.4377349Z 	at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)
2024-10-29T14:27:53.4383768Z 	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:263)
2024-10-29T14:27:53.4385687Z 	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
2024-10-29T14:27:53.4389673Z 	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
2024-10-29T14:27:53.4394552Z 	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276)
2024-10-29T14:27:53.4397408Z 	at java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:135)
2024-10-29T14:27:53.4400355Z 	at io.netty.handler.ssl.EnhancingX509ExtendedTrustManager.checkClientTrusted(EnhancingX509ExtendedTrustManager.java:62)
2024-10-29T14:27:53.4404441Z 	at io.netty.handler.ssl.ReferenceCountedOpenSslServerContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslServerContext.java:280)
2024-10-29T14:27:53.4408717Z 	at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:817)
2024-10-29T14:27:53.4410658Z 	at io.netty.internal.tcnative.SSL.readFromSSL(Native Method)
2024-10-29T14:27:53.4412088Z 	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:660)
2024-10-29T14:27:53.4413497Z 	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1292)
2024-10-29T14:27:53.4414477Z 	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1443)
2024-10-29T14:27:53.4415311Z 	at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:218)
2024-10-29T14:27:53.4415933Z 	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1473)
2024-10-29T14:27:53.4416592Z 	at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1377)
2024-10-29T14:27:53.4417245Z 	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1417)
2024-10-29T14:27:53.4418149Z 	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)
2024-10-29T14:27:53.4419272Z 	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)
2024-10-29T14:27:53.4420120Z 	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
2024-10-29T14:27:53.4421052Z 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
2024-10-29T14:27:53.4422072Z 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
2024-10-29T14:27:53.4423082Z 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
2024-10-29T14:27:53.4424047Z 	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357)
2024-10-29T14:27:53.4425013Z 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
2024-10-29T14:27:53.4426030Z 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
2024-10-29T14:27:53.4426949Z 	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868)
2024-10-29T14:27:53.4427962Z 	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
2024-10-29T14:27:53.4428767Z 	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
2024-10-29T14:27:53.4430205Z 	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
2024-10-29T14:27:53.4431026Z 	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
2024-10-29T14:27:53.4431677Z 	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
2024-10-29T14:27:53.4432392Z 	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
2024-10-29T14:27:53.4433161Z 	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
2024-10-29T14:27:53.4433903Z 	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
2024-10-29T14:27:53.4434512Z 	at java.base/java.lang.Thread.run(Thread.java:829)
2024-10-29T14:27:53.4435253Z Caused by: java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
2024-10-29T14:27:53.4436360Z 	at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
2024-10-29T14:27:53.4437435Z 	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)
2024-10-29T14:27:53.4438445Z 	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144)
2024-10-29T14:27:53.4439608Z 	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
2024-10-29T14:27:53.4440544Z 	at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
2024-10-29T14:27:53.4441321Z 	at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:364)
2024-10-29T14:27:53.4441862Z 	... 35 common frames omitted
2024-10-29T14:27:53.4442510Z Caused by: java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
2024-10-29T14:27:53.4443566Z 	at java.base/sun.security.provider.certpath.ConstraintsChecker.checkBasicConstraints(ConstraintsChecker.java:259)
2024-10-29T14:27:53.4444558Z 	at java.base/sun.security.provider.certpath.ConstraintsChecker.check(ConstraintsChecker.java:122)
2024-10-29T14:27:53.4445573Z 	at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
2024-10-29T14:27:53.4446293Z 	... 40 common frames omitted

Which I suppose could come from stricter validation in the new BoringSSL? If so, then I can look into preparing a PR that makes SelfSignedCertificate add these basic constraints.

@normanmaurer changed the title from "Update to netty-tcnative 2.0.67.Final" to "Update to netty-tcnative 2.0.68.Final" on Oct 31, 2024

@@ -565,6 +567,7 @@ public void testWrapWithDifferentSizesTLSv1(SSLEngineTestParam param) throws Exc
testWrapWithDifferentSizes(param, SslProtocols.TLS_v1, "ECDHE-RSA-RC4-SHA");
}

@Disabled("TLSv1.1 is not supported by BoringSSL anymore")
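
Review bot: the `@Disabled` added after `testWrapWithDifferentSizesTLSv1` is unconditional, so the test it annotates stops running for every `SSLEngineTestParam` and on every build of the native library, not only when that library is BoringSSL. If the limitation is specific to BoringSSL, an assumption at the start of the test that skips only in that case would keep the coverage wherever TLSv1.1 is still available.
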
Member Author

This can be reverted once we pulled in netty/netty-tcnative#902 and released a new version

@@ -533,6 +534,7 @@ protected void mySetupMutualAuthServerInitSslHandler(SslHandler handler) {
engine.setVerify(SSL_CVERIFY_IGNORED, 1);
}

@Disabled("TLSv1 is not supported by BoringSSL anymore")
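
Review bot: the reason string on the `@Disabled` added after `mySetupMutualAuthServerInitSslHandler` reads as a permanent statement ("not supported by BoringSSL anymore") and gives no pointer to what would allow the test to be re-enabled. Putting the tracking reference in the reason text, or a TODO next to the annotation, would make the skip easy to find and revert later.
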
Member Author

This can be reverted once we pulled in netty/netty-tcnative#902 and released a new version
