ssl-tests FAILED in Test_openjdk17_hs_dev.functional_x86-64_linux on certain machines #4944

Closed
smlambert opened this issue Jan 9, 2024 · 4 comments
@smlambert

ssl-tests-nss-client.sh fails on test-ibmcloud-ubuntu1604-x64-1

Run in Grinder/8445 on test-docker-centos8-x64-1 to see if it still passes there (last ran on Dec 31st on that machine and passes).

07:25:27  Warning:
07:25:27  <server-dsa> uses a 1024-bit DSA key which is considered a security risk. This key size will be disabled in a future update.
07:25:27  Certificate was added to keystore
07:25:27  stderr: Usage:  tstclnt -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]
07:25:27  stderr: [-D | -d certdir] [-C] [-b | -R root-module] 
07:25:27  stderr: [-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z]
07:25:27  stderr: [-V [min-version]:[max-version]] [-K] [-T] [-U]
07:25:27  stderr: [-r N] [-w passwd] [-W pwfile] [-q [-t seconds]] [-I groups]
07:25:27  stderr: [-A requestfile] [-L totalconnections]-a name              Send different SNI name. 1st_hs_name - at first
07:25:27  stderr:                      handshake, 2nd_hs_name - at second handshake.
07:25:27  stderr:                      Default is host from the -h argument.
07:25:27  stderr: -h host              Hostname to connect with
07:25:27  stderr: -p port              Port number for SSL server
07:25:27  stderr: -d certdir           Directory with cert database (default is ~/.netscape)
07:25:27  stderr: -D                   Run without a cert database
07:25:27  stderr: -b                   Load the default "builtins" root CA module
07:25:27  stderr: -R                   Load the given root CA module
07:25:27  stderr: -C                   Print certificate chain information
07:25:27  stderr:                      (use -C twice to print more certificate details)
07:25:27  stderr:                      (use -C three times to include PEM format certificate dumps)
07:25:27  stderr: -n nickname          Nickname of key and cert for client auth
07:25:27  stderr: -V [min]:[max]       Restricts the set of enabled SSL/TLS protocols versions.
07:25:27  stderr:                      All versions are enabled by default.
07:25:27  stderr:                      Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2 tls1.3
07:25:27  stderr:                      Example: "-V ssl3:" enables SSL 3 and newer.
07:25:27  stderr: -K                   Send TLS_FALLBACK_SCSV
07:25:27  stderr: -S                   Prints only payload data. Skips HTTP header.
07:25:27  stderr: -f                   Client speaks first. 
07:25:27  stderr: -O                   Use synchronous certificate validation
07:25:27  stderr: -o                   Override bad server cert. Make it OK.
07:25:27  stderr: -s                   Disable SSL socket locking.
07:25:27  stderr: -v                   Verbose progress reporting.
07:25:27  stderr: -q                   Ping the server and then exit.
07:25:27  stderr: -t seconds           Timeout for server ping (default: no timeout).
07:25:27  stderr: -r N                 Renegotiate N times (resuming session if N>1).
07:25:27  stderr: -u                   Enable the session ticket extension.
07:25:27  stderr: -z                   Enable compression.
07:25:27  stderr: -g                   Enable false start.
07:25:27  stderr: -T                   Enable the cert_status extension (OCSP stapling).
07:25:27  stderr: -U                   Enable the signed_certificate_timestamp extension.
07:25:27  stderr: -F                   Require fresh revocation info from side channel.
07:25:27  stderr:                      -F once means: require for server cert only
07:25:27  stderr:                      -F twice means: require for intermediates, too
07:25:27  stderr:                      (Connect, handshake with server, disable dynamic download
07:25:27  stderr:                       of OCSP/CRL, verify cert using CERT_PKIXVerifyCert.)
07:25:27  stderr:                      Exit code:
07:25:27  stderr:                      0: have fresh and valid revocation data, status good
07:25:27  stderr:                      1: cert failed to verify, prior to revocation checking
07:25:27  stderr:                      2: missing, old or invalid revocation data
07:25:27  stderr:                      3: have fresh and valid revocation data, status revoked
07:25:27  stderr: -M                   Test -F allows 0=any (default), 1=only OCSP, 2=only CRL
07:25:27  stderr: -c ciphers           Restrict ciphers
07:25:27  stderr: -Y                   Print cipher values allowed for parameter -c and exit
07:25:27  stderr: -4                   Enforce using an IPv4 destination address
07:25:27  stderr: -6                   Enforce using an IPv6 destination address
07:25:27  stderr:                      (Options -4 and -6 cannot be combined.)
07:25:27  stderr: -G                   Enable the extended master secret extension [RFC7627]
07:25:27  stderr: -H                   Require the use of FFDHE supported groups [I-D.ietf-tls-negotiated-ff-dhe]
07:25:27  stderr: -A                   Read from a file instead of stdin
07:25:27  stderr: -Z                   Allow 0-RTT data (TLS 1.3 only)
07:25:27  stderr: -L                   Disconnect and reconnect up to N times total
07:25:27  stderr: -I                   Comma separated list of enabled groups for TLS key exchange.
07:25:27  stderr:                      The following values are valid:
07:25:27  stderr:                      P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192
07:25:27  Jan 07, 2024 12:25:24 PM SSLSocketTester testConfiguration
07:25:27  SEVERE: null
07:25:27  java.lang.RuntimeException: Program exit value not zero: 1
07:25:27  	at ExternalClient.test(ExternalClient.java:267)
07:25:27  	at SSLSocketTester.testConfiguration(SSLSocketTester.java:392)
07:25:27  	at SSLSocketTester.testConfigurations(SSLSocketTester.java:322)
07:25:27  	at SSLSocketTester.testProvider(SSLSocketTester.java:234)
07:25:27  	at SSLSocketTester.testProviders(SSLSocketTester.java:190)
07:25:27  	at Main.main(Main.java:30)

Test Info
Test Name: ssl-tests_0
Test Duration: 5 min 39 sec
Machine: test-ibmcloud-ubuntu1604-x64-1
TRSS link for the test output: https://trss.adoptium.net/output/test?id=659b041720748f006f222d5d

Build Info
Build Name: Test_openjdk17_hs_dev.functional_x86-64_linux
Jenkins Build start time: Jan 07 2024, 07:17 am
Jenkins Build URL: https://ci.adoptium.net/job/Test_openjdk17_hs_dev.functional_x86-64_linux/5/
TRSS link for the build: https://trss.adoptium.net/allTestsInfo?buildId=659b02eb20748f006f22283c

Java Version
openjdk version "17.0.10-beta" 2024-01-16
OpenJDK Runtime Environment Temurin-17.0.10+6-202401071206 (build 17.0.10-beta+6-202401071206)
OpenJDK 64-Bit Server VM Temurin-17.0.10+6-202401071206 (build 17.0.10-beta+6-202401071206, mixed mode, sharing)

Rerun in Grinder

@zzambers

zzambers commented Jan 9, 2024

Seems like tstclnt on some systems does not support the -Q option used by ssl-tests:
-Q Exit after handshake
I'll take a look at how/where this can be fixed in ssl-tests.
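
One way a harness can catch this kind of mismatch before invoking the client, as an added example that is not code from ssl-tests or from the fix referenced in this thread: check the client's usage text for each option the tests rely on. The function names and the embedded usage excerpt (constructed from the log above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check of an external TLS client's documented options.

# Usage excerpt constructed from the log in this issue, with the timestamp
# and "stderr:" prefixes removed. It contains no "-Q" line.
SAMPLE_USAGE='Usage:  tstclnt -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]
[-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z]
-h host              Hostname to connect with
-p port              Port number for SSL server
-V [min]:[max]       Restricts the set of enabled SSL/TLS protocols versions.
                     Example: "-V ssl3:" enables SSL 3 and newer.
-q                   Ping the server and then exit.
-Z                   Allow 0-RTT data (TLS 1.3 only)'

# usage_supports_flag FLAG   (usage text on stdin)
# Succeeds only if a line starts with "-FLAG" followed by whitespace or end
# of line, i.e. the option has its own description entry. The match is
# case-sensitive (-q does not count as -Q); the bracketed synopsis and
# indented continuation lines are ignored.
usage_supports_flag() {
    flag=$1
    case $flag in
        [A-Za-z0-9]) ;;
        *) echo "flag must be a single letter or digit" >&2; return 2 ;;
    esac
    grep -Eq "^-${flag}([[:space:]]|\$)"
}

# missing_flags USAGE_TEXT FLAG...
# Prints the space-separated flags that USAGE_TEXT does not document and
# returns non-zero if there are any.
missing_flags() {
    usage=$1; shift
    missing=""
    for f in "$@"; do
        if ! printf '%s\n' "$usage" | usage_supports_flag "$f"; then
            missing="${missing}${missing:+ }$f"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Demo on the constructed excerpt. A real harness would pass the usage text
# captured from the installed client instead (how to obtain it is left open).
if ! lacking=$(missing_flags "$SAMPLE_USAGE" h p V Q); then
    echo "skip: client does not document option(s): $lacking" >&2
fi
```

Reporting the missing option by name turns an opaque "Program exit value not zero: 1" into a message that points at the client version on that machine.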

@zzambers

Should be fixed by: rh-openjdk/ssl-tests#22

@zzambers

zzambers commented Feb 1, 2024

Fix tested:
locally in ubuntu:16.04 container: OK

in grinder on problematic machine: OK
https://ci.adoptium.net/view/Test_grinder/job/Grinder/8708/

@smlambert

Closed via rh-openjdk/ssl-tests#22
