Unable to create SSLContext and no proper reason code for failure. #883

kushalagrawal opened this issue Aug 27, 2024 · 7 comments

kushalagrawal commented Aug 27, 2024

Hi, we are running a netty server on Alma 9.2 (FIPS version) with OpenSSL 3.0.7+TuxCare_FIPS 1 Nov 2022. While I am trying to create the server SSLContext in netty using SslContextBuilder contextBuilder = SslContextBuilder.forServer

javax.net.ssl.SSLException: unable to setup accepted issuers for trustmanager io.netty.handler.ssl.EnhancingX509ExtendedTrustManager@1fd77205
	at io.netty.handler.ssl.ReferenceCountedOpenSslServerContext.newSessionContext(ReferenceCountedOpenSslServerContext.java:166) ~[netty-handler-4.1.107.Final.jar:4.1.107.Final]
	at io.netty.handler.ssl.OpenSslServerContext.<init>(OpenSslServerContext.java:356) ~[netty-handler-4.1.107.Final.jar:4.1.107.Final]
	at io.netty.handler.ssl.OpenSslServerContext.<init>(OpenSslServerContext.java:336) ~[netty-handler-4.1.107.Final.jar:4.1.107.Final]
	at io.netty.handler.ssl.SslContext.newServerContextInternal(SslContext.java:478) ~[netty-handler-4.1.107.Final.jar:4.1.107.Final]
	at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:610) ~[netty-handler-4.1.107.Final.jar:4.1.107.Final]

The error is seen at ReferenceCountedOpenSslServerContext.java line #165, where it fails, but the native call returns a false value and does not provide a reasonable explanation to identify a possible way to rectify the issue.

    if (!SSLContext.setCACertificateBio(ctx, bio)) {
        throw new SSLException("unable to setup accepted issuers for trustmanager " + manager);
    }

Is there any way to debug and find out the reason for failure?

@ramtech123

Hi team,

Any thoughts on this issue?

sej7278 commented Sep 16, 2024

Also reproducible on RHEL 9.4 - also you only see the error in FIPS mode

@normanmaurer
Member

I wonder if you could log SSL.getLastError() and see if there is some meaningful error message?

ramtech123 commented Sep 19, 2024

We did some further research on this issue and below are the findings.

  1. The error in the native code was error:0A080106:SSL routines::passed invalid argument; it did not indicate what the invalid parameter was.
  2. Our initial observation was that the error was already present when the invocation of SSLContext.setCACertificateBio(ctx, bio) happened inside ReferenceCountedOpenSslServerContext.java. We did not have any clue what was causing the issue.
  3. Eventually, after further troubleshooting, we could figure out that the issue happens when invoking SSLContext.setCurvesList(ctx, OpenSsl.NAMED_GROUPS) in ReferenceCountedOpenSslContext.java, with default settings.
  4. This is because of the named curve x25519 in the DEFAULT_NAMED_GROUPS list. This curve is being rejected by OpenSSL in FIPS mode. (Looks like correct behavior by OpenSSL, as X25519 does not seem to be in the list of its FIPS approved algorithms as of today)
  5. We were able to get the application working after overriding the named curves configuration with Java system property -Djdk.tls.namedGroups with value secp256r1,secp384r1,secp521r1.

Regards,
Rama
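
A pre-flight probe for the failure described in the findings above, as an added example (not code from the thread or from netty): it offers each candidate group to the native library on its own and prints the OpenSSL error for any that is rejected. The class name `NamedGroupProbe` and the OpenSSL-style group spellings are assumptions; `SSLContext.make`, `SSLContext.setCurvesList` and `SSL.getLastError` are internal netty-tcnative calls, so treat this as a diagnostic, not application code.

```java
import io.netty.handler.ssl.OpenSsl;
import io.netty.internal.tcnative.SSL;
import io.netty.internal.tcnative.SSLContext;

import java.util.ArrayList;
import java.util.List;

/** Hypothetical diagnostic: which named groups does the loaded native SSL library accept? */
public final class NamedGroupProbe {

    // Candidate groups in OpenSSL spelling (assumption). X25519 is the group
    // the thread found to be rejected by OpenSSL in FIPS mode.
    private static final String[] CANDIDATES = {"X25519", "P-256", "P-384", "P-521"};

    public static void main(String[] args) throws Exception {
        // Loads netty-tcnative; throws UnsatisfiedLinkError if it is not usable.
        OpenSsl.ensureAvailability();

        List<String> accepted = new ArrayList<>();
        long ctx = SSLContext.make(SSL.SSL_PROTOCOL_ALL, SSL.SSL_MODE_SERVER);
        try {
            for (String group : CANDIDATES) {
                // Drop stale queue entries so the message printed below belongs
                // to this call and not to an earlier, unrelated failure.
                SSL.clearError();
                if (SSLContext.setCurvesList(ctx, group)) {
                    accepted.add(group);
                } else {
                    System.err.println(group + " rejected: " + SSL.getLastError());
                }
            }
        } finally {
            SSLContext.free(ctx); // native memory is not garbage collected
        }

        System.out.println("accepted groups: " + String.join(",", accepted));
        // Pass only accepted groups to the JVM, by JDK name, as in the thread:
        //   -Djdk.tls.namedGroups=secp256r1,secp384r1,secp521r1
    }
}
```

Run it with the same netty-handler and netty-tcnative jars as the server, on the FIPS-enabled host, so the probe exercises the same native library.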

@normanmaurer
Member

@ramtech123 thanks for the info... I think we can improve stuff a bit here to make things easier in the future. Let me look into it soonish

normanmaurer self-assigned this Sep 19, 2024
normanmaurer added a commit to netty/netty that referenced this issue Nov 6, 2024
…ntation

Motivation:

We should verify that the default named groups are actually supported by our native SSL implementation. This might not always be the case as for example when FIPS is used.

Modifications:

- Verify that default named groups are supported
- Fail creation of ReferenceCountedOpenSslContext if setting of groups fails and also include details about why it failed if possible

Result:

Easier to debug misconfiguration of groups and make things work out of the box even if FIPS is used. Related to netty/netty-tcnative#883

@normanmaurer
Member

@ramtech123 sorry it took me longer than expected but this should fix it and help also to better debug things in the future netty/netty#14434

normanmaurer added a commit to netty/netty that referenced this issue Nov 6, 2024
…ers in the SSLException

Motivation:

At the moment it's hard to understand why the configuration of the SSLContext fails when we can not configure the accepted issuers. Let's include more details if possible to make debugging easier.

Modifications:

Check if we have more details and if so include it in the exception message

Result:

Related to netty/netty-tcnative#883
@normanmaurer
Member

And netty/netty#14435
