-
-
Notifications
You must be signed in to change notification settings - Fork 179
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to create SSLContext and no proper reason code for failure. #883
Comments
Hi team, Any thoughts on this issue? |
Also reproducible on RHEL 9.4 - also you only see the error in FIPS mode |
I wonder if you could log |
We did some further research on this issue and below are the findings.
Regards, |
@ramtech123 thanks for the info... I think we can improve stuff a bit here to make things easier in the future. Let me look into it soonish |
…ntation Motivation: We should verify that the default named groups are actually supported by our native SSL implementation. This might not always be the case as for example when FIPS is used. Modifications: - Verify that default named groups are supported - Fail creation of ReferenceCountedOpenSslContext if setting of groups fails and also include details about why it failed if possible Result: Easier to debug miss-configuration of groups and make things work out of the box even if FIPS is used. Related to netty/netty-tcnative#883
@ramtech123 sorry it took me longer then expected but this should fix it and help also to better debug things in the future netty/netty#14434 |
…ers in the SSLException Motivation: At the moment it's hard to understand why the configuration of the SSLContext fails when we can not configure the accepted issuers. Let's include more details if possible to make debugging easier. Modifications: Check if we have more details and if so include it in the exception message Result: Related to netty/netty-tcnative#883
…ntation Motivation: We should verify that the default named groups are actually supported by our native SSL implementation. This might not always be the case as for example when FIPS is used. Modifications: - Verify that default named groups are supported - Fail creation of ReferenceCountedOpenSslContext if setting of groups fails and also include details about why it failed if possible Result: Easier to debug miss-configuration of groups and make things work out of the box even if FIPS is used. Related to netty/netty-tcnative#883
…ntation Motivation: We should verify that the default named groups are actually supported by our native SSL implementation. This might not always be the case as for example when FIPS is used. Modifications: - Verify that default named groups are supported - Fail creation of ReferenceCountedOpenSslContext if setting of groups fails and also include details about why it failed if possible Result: Easier to debug miss-configuration of groups and make things work out of the box even if FIPS is used. Related to netty/netty-tcnative#883
…ntation Motivation: We should verify that the default named groups are actually supported by our native SSL implementation. This might not always be the case as for example when FIPS is used. Modifications: - Verify that default named groups are supported - Fail creation of ReferenceCountedOpenSslContext if setting of groups fails and also include details about why it failed if possible Result: Easier to debug miss-configuration of groups and make things work out of the box even if FIPS is used. Related to netty/netty-tcnative#883
#14435) …ers in the SSLException Motivation: At the moment it's hard to understand why the configuration of the SSLContext fails when we can not configure the accepted issuers. Let's include more details if possible to make debugging easier. Modifications: Check if we have more details and if so include it in the exception message Result: Related to netty/netty-tcnative#883
#14435) …ers in the SSLException Motivation: At the moment it's hard to understand why the configuration of the SSLContext fails when we can not configure the accepted issuers. Let's include more details if possible to make debugging easier. Modifications: Check if we have more details and if so include it in the exception message Result: Related to netty/netty-tcnative#883
#14438) …… (#14435) …ers in the SSLException Motivation: At the moment it's hard to understand why the configuration of the SSLContext fails when we can not configure the accepted issuers. Let's include more details if possible to make debugging easier. Modifications: Check if we have more details and if so include it in the exception message Result: Related to netty/netty-tcnative#883
#14435) …ers in the SSLException Motivation: At the moment it's hard to understand why the configuration of the SSLContext fails when we can not configure the accepted issuers. Let's include more details if possible to make debugging easier. Modifications: Check if we have more details and if so include it in the exception message Result: Related to netty/netty-tcnative#883
…ntation Motivation: We should verify that the default named groups are actually supported by our native SSL implementation. This might not always be the case as for example when FIPS is used. Modifications: - Verify that default named groups are supported - Fail creation of ReferenceCountedOpenSslContext if setting of groups fails and also include details about why it failed if possible Result: Easier to debug miss-configuration of groups and make things work out of the box even if FIPS is used. Related to netty/netty-tcnative#883
#14434) …ntation Motivation: We should verify that the default named groups are actually supported by our native SSL implementation. This might not always be the case as for example when FIPS is used. Modifications: - Verify that default named groups are supported - Fail creation of ReferenceCountedOpenSslContext if setting of groups fails and also include details about why it failed if possible Result: Easier to debug miss-configuration of groups and make things work out of the box even if FIPS is used. Related to netty/netty-tcnative#883
#14434) …ntation Motivation: We should verify that the default named groups are actually supported by our native SSL implementation. This might not always be the case as for example when FIPS is used. Modifications: - Verify that default named groups are supported - Fail creation of ReferenceCountedOpenSslContext if setting of groups fails and also include details about why it failed if possible Result: Easier to debug miss-configuration of groups and make things work out of the box even if FIPS is used. Related to netty/netty-tcnative#883
#14441) …… (#14434) …ntation Motivation: We should verify that the default named groups are actually supported by our native SSL implementation. This might not always be the case as for example when FIPS is used. Modifications: - Verify that default named groups are supported - Fail creation of ReferenceCountedOpenSslContext if setting of groups fails and also include details about why it failed if possible Result: Easier to debug miss-configuration of groups and make things work out of the box even if FIPS is used. Related to netty/netty-tcnative#883
#14441) …… (#14434) …ntation Motivation: We should verify that the default named groups are actually supported by our native SSL implementation. This might not always be the case as for example when FIPS is used. Modifications: - Verify that default named groups are supported - Fail creation of ReferenceCountedOpenSslContext if setting of groups fails and also include details about why it failed if possible Result: Easier to debug miss-configuration of groups and make things work out of the box even if FIPS is used. Related to netty/netty-tcnative#883
Hi, we are running netty server on Alma 9.2 (FIPS version) with OpenSSL 3.0.7+TuxCare_FIPS 1 Nov 2022. while I am trying to create the server SSLContext in netty using
SslContextBuilder contextBuilder = SslContextBuilder.forServer
Error is seen in the line: ReferenceCountedOpenSSLServerContext.java line#165 where it fails but the native call returns false value and does not provide a reasonable explanation to identify a possible way to rectify the issue.
Is there any way to debug and find out the reason for failure?
The text was updated successfully, but these errors were encountered: