netty / netty-tcnative

A fork of Apache Tomcat Native, based on finagle-native
Apache License 2.0

Failed to get the list of available OpenSSL cipher suites #537

Open dwservice opened 4 years ago

dwservice commented 4 years ago

Hi, I get a warning when I run my application as a NOT root user under Linux CentOS 7 and OpenJDK 1.8.0_242 (IcedTea 3.15.0). I use netty-tcnative openssl-static 1.1.1e. This is the warning:

WARNING: Failed to get the list of available OpenSSL cipher suites.
java.lang.Exception: Invalid format (error:0200100D:system library:fopen:Permission denied)
        at io.netty.internal.tcnative.SSL.parseX509Chain(Native Method)
        at io.netty.handler.ssl.OpenSsl.(OpenSsl.java:242)
        at io.netty.handler.ssl.ReferenceCountedOpenSslContext.(ReferenceCountedOpenSslContext.java:196)
        at io.netty.handler.ssl.OpenSslContext.(OpenSslContext.java:43)
        at io.netty.handler.ssl.OpenSslServerContext.(OpenSslServerContext.java:346)
        at io.netty.handler.ssl.OpenSslServerContext.(OpenSslServerContext.java:334)
        at io.netty.handler.ssl.SslContext.newServerContextInternal(SslContext.java:471)
        at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:571)
        at Test.main(Test.java:11)

The application seems to work fine, but I wonder if it is possible to avoid this warning, or should I just ignore it? Here is a simple example to reproduce the issue:

import io.netty.handler.ssl.*;
import java.io.*;

public class Test {
        public static void main(String[] ar) {
                try{
                        // PEM certificate chain and private key in the working directory
                        File certificate = new File("test.crt");
                        File privateKey = new File("test.key");
                        SslContextBuilder sslcb = SslContextBuilder.forServer(certificate, privateKey);
                        // force the tcnative (OpenSSL) provider instead of the JDK one
                        sslcb.sslProvider(SslProvider.OPENSSL);
                        // building the context triggers the OpenSsl static initializer, where the warning is logged
                        SslContext sslc = sslcb.build();
                        System.out.println("OK");
                }catch(Exception e){
                        e.printStackTrace();
                }
        }
}

COMPILE IT: javac -cp netty.jar:netty-tcnative.jar Test.java

RUN IT (Important NOT root user): java -cp netty.jar:netty-tcnative.jar:. Test

Thank you, Danilo

hyperxpro commented 4 years ago

Grant permission of the netty-tcnative library file to the non-root user.

hyperxpro commented 4 years ago

Is it OpenSSL Dynamic, OpenSSL Static or BoringSSL Static?

dwservice commented 4 years ago

OpenSSL Static

hyperxpro commented 4 years ago

Maven project?

dwservice commented 4 years ago

No. I compiled it myself.

hyperxpro commented 4 years ago

Did you try chmod 777 on OpenSSL-Static, test.crt and test.key?

dwservice commented 4 years ago

Yes for test.crt and test.key, but OpenSSL-Static is embedded in netty-tcnative.jar. I've taken a look at the netty-tcnative source and the issue doesn't seem to be when reading the certificate, but when io.netty.handler.ssl.OpenSsl is initialized for the first time. Anyway my application works fine and the certificate is loaded correctly.

hyperxpro commented 4 years ago

Add this code at the top: OpenSsl.ensureAvailability();

dwservice commented 4 years ago

I get the same warning, but the stack trace is shorter:

WARNING: Failed to get the list of available OpenSSL cipher suites.
java.lang.Exception: Invalid format (error:0200100D:system library:fopen:Permission denied)
        at io.netty.internal.tcnative.SSL.parseX509Chain(Native Method)
        at io.netty.handler.ssl.OpenSsl.(OpenSsl.java:242)
        at Test.main(Test.java:7)

hyperxpro commented 4 years ago

Use Log4j2 at DEBUG Level with Root Logger, Log everything and put it in a file and upload here.

dwservice commented 4 years ago

Ok. Anyway, the error is when OpenSsl is initialized. So now the test example to reproduce it is this:

import io.netty.handler.ssl.*;

public class Test {
        public static void main(String[] ar) {
                OpenSsl.ensureAvailability();
        }
}

dwservice commented 4 years ago

Here the log: debug.log

hyperxpro commented 4 years ago

Tried reproducing with the latest commit and it works fine. Can you try with 2.0.30.Final release?

dwservice commented 4 years ago

I compiled it a week ago without choosing a tag/snapshot, so I think it's the latest version:

git clone https://github.com/netty/netty-tcnative.git
cd netty-tcnative
./mvnw clean install

Have you run your test as a NOT root user?

hyperxpro commented 4 years ago

Sorry for the delay. Little busy temporarily. I'll test it as non-root user soon and let you know.

hyperxpro commented 4 years ago

Working fine as non-root user.

dwservice commented 4 years ago

Thanks for your test. What is your software configuration? Here is my configuration:

LINUX: CentOS Linux release 7.7.1908 (Core)
JAVA: OpenJDK 1.8.0_242 (IcedTea 3.15.0)
NETTY: 4.1.48
NETTY TCNATIVE: 2.0.31 (openssl-static 1.1.1e)

hyperxpro commented 4 years ago

Linux hyperxpro 5.3.0-46-generic #38~18.04.1-Ubuntu SMP Tue Mar 31 04:17:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
openjdk version "11.0.6" 2020-01-14 LTS
Netty 4.1.48.Final
Netty-TCNative 2.0.30 (openssl-static 1.1.1f)

hyperxpro commented 4 years ago

SELinux is disabled btw

dwservice commented 4 years ago

I've tried a new configuration but the warning is still there:

Linux CentOS 8 (4.1.18-147.5.1.el8_1)
openjdk version "11.0.6" 2020-01-14 LTS
Netty 4.1.48.Final
Netty-TCNative 2.0.30 (openssl-static 1.1.1f)
SELinux disabled
Linux user not root

Anyway, this warning doesn't seem to cause problems for the application, so I won't worry about it. Thanks for your help.

hyperxpro commented 4 years ago

@normanmaurer Can you have a look?

johnou commented 4 years ago

@dwservice you probably have /tmp mounted as noexec. Try setting java.io.tmpdir to a path that your user has permissions to, e.g. java.io.tmpdir=/home/my_user/tmp

johnou commented 4 years ago

Netty is supposed to have io.netty.util.internal.NativeLibraryLoader.NoexecVolumeDetector, but it doesn't seem to be doing its job.

dwservice commented 4 years ago

@johnou I've tried it, unfortunately it doesn't solve the problem.

normanmaurer commented 4 years ago

Can you provide a docker image that reproduces this issue @dwservice?

dwservice commented 4 years ago

@normanmaurer here the docker image:

https://www.dwservice.net/5ro495x7m4sanytb0y2362vg8r7q1p1c3qwonj7r.dlk (Public Folder / dockerimage.gz)

su test
cd /home/test/
./run.sh

tnk

zouxyan commented 4 months ago

I ran into the same thing, and it looks like the reason is that the user running the program has no permission to read the directory where netty-tcnative-openssl-static was built.

If you build netty-tcnative-openssl-static under /root and run the program as user admin, for example, the permission denied exception comes out.

OpenSSL tries to read some files under /root, and that is where the exception comes from. It looks like it's about the openssldir in the pom. For me it's /root/netty-tcnative-netty-tcnative-parent-2.0.61.Final/openssl-static/target/openssl.

I guess this is where OpenSSL tries to read the file openssl.cnf.

/* Return default config file name */
char *CONF_get1_default_config_file(void)
{
    const char *t;
    char *file;
    size_t size;

    if ((file = ossl_safe_getenv("OPENSSL_CONF")) != NULL)
        return OPENSSL_strdup(file);

    t = X509_get_default_cert_area();
    size = strlen(t) + strlen("/") + strlen(OPENSSL_CONF) + 1;
    file = OPENSSL_malloc(size);

    if (file == NULL)
        return NULL;
    BIO_snprintf(file, size, "%s/%s", t, OPENSSL_CONF);

    return file;
}

I don't have the details of how and why the OpenSSL code tries to read /root/netty-tcnative-netty-tcnative-parent-2.0.61.Final/openssl-static/target/openssl/openssl.cnf. Maybe someone can comment on it.

Btw, mine is 2.0.61.Final.

@normanmaurer @dwservice @hyperxpro
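The two environment conditions raised in this thread (a compiled-in OPENSSLDIR under an unreadable /root build path, per the comment above, and java.io.tmpdir on a noexec mount, per johnou's comment) can both be checked from the shell before starting the JVM. The script below is an added example, not code from netty or netty-tcnative. It assumes that OpenSSL embeds its build directory in the library as the version text `OPENSSLDIR: "/some/path"` (the string OpenSSL_version(OPENSSL_DIR) returns), that the static library is the .so shipped under META-INF/native/ in the tcnative jar, and that the config lookup order is the one in the CONF_get1_default_config_file() source quoted above: $OPENSSL_CONF first, then OPENSSLDIR/openssl.cnf. All function names and the sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added diagnostic for the conditions discussed in this issue; example code,
# not part of netty or netty-tcnative. All function names are constructed.
#   1. Which OPENSSLDIR the static OpenSSL inside the tcnative .so was built
#      with, and whether the current user can reach openssl.cnf there.
#   2. Whether a directory such as java.io.tmpdir sits on a noexec mount.

# Print the OPENSSLDIR compiled into a native library. OpenSSL embeds its
# version text as  OPENSSLDIR: "/some/path"  so a binary-safe grep finds it
# without needing strings(1). Prints nothing if the marker is absent.
openssldir_of() {
    grep -a -o 'OPENSSLDIR: "[^"]*"' "$1" 2>/dev/null | head -n 1 |
        sed 's/^OPENSSLDIR: "//; s/"$//'
}

# Resolve the config file the way CONF_get1_default_config_file() does:
# $OPENSSL_CONF wins, otherwise <openssldir>/openssl.cnf.
effective_openssl_cnf() {
    if [ -n "${OPENSSL_CONF:-}" ]; then
        printf '%s\n' "$OPENSSL_CONF"
    else
        printf '%s/openssl.cnf\n' "$1"
    fi
}

# Return 0 if fopen() of the file would not fail with EACCES for this user:
# every existing ancestor directory must be searchable and an existing file
# must be readable. A missing file is tolerated (the default config load is
# optional); a permission error is what produces the fopen error above.
config_access_ok() {
    f="$1"
    d=$(dirname "$f")
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        if [ -e "$d" ] && [ ! -x "$d" ]; then
            return 1                     # e.g. /root is drwx------
        fi
        d=$(dirname "$d")
    done
    [ ! -e "$f" ] || [ -r "$f" ]
}

# Print "noexec" or "exec" for <dir> given a mounts table in /proc/mounts
# format (device mountpoint fstype options ...). The longest mount point
# that is a path prefix of <dir> is the one the directory lives on.
# Usage: mount_exec_status <dir> [mounts-file]   (defaults to /proc/mounts)
mount_exec_status() {
    awk -v dir="$1" '
        {
            mp = $2; opts = $4
            if (mp == "/") pre = "/"; else pre = mp "/"
            if (dir == mp || index(dir, pre) == 1) {
                if (length(mp) > best) { best = length(mp); bestopts = opts }
            }
        }
        END {
            n = split(bestopts, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] == "noexec") { print "noexec"; exit }
            print "exec"
        }' "${2:-/proc/mounts}"
}

# Report on a native library and a work directory, one line per check.
# Usage: diagnose <path-to-libnetty_tcnative.so> <java.io.tmpdir>
diagnose() {
    dir=$(openssldir_of "$1")
    if [ -z "$dir" ]; then
        echo "openssldir: marker not found in $1"
    else
        cnf=$(effective_openssl_cnf "$dir")
        if config_access_ok "$cnf"; then
            echo "openssl.cnf: $cnf is reachable"
        else
            echo "openssl.cnf: $cnf is NOT reachable by $(id -un); point OPENSSL_CONF at a readable file"
        fi
    fi
    echo "tmpdir: $2 is $(mount_exec_status "$2")"
}
```

To run it against a real jar, extract the native library first (for example `unzip -o netty-tcnative.jar 'META-INF/native/*' -d /tmp/tcn`, assumed layout) and call `diagnose /tmp/tcn/META-INF/native/<the .so> "${java_io_tmpdir:-/tmp}"` as the same non-root user that will run the application. If the first check reports an unreachable path under the build directory, setting OPENSSL_CONF to a readable file makes the lookup quoted above skip the compiled-in directory entirely; if the second reports noexec, the java.io.tmpdir override from johnou's comment is the relevant fix.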