ome / omero-blitz

Gradle project containing Ice remoting code for OMERO
https://www.openmicroscopy.org/omero
GNU General Public License v2.0

Java version of ome/omero-py#336 and ome/omero-py#377 #139

Closed chris-allan closed 1 year ago

chris-allan commented 1 year ago

.

chris-allan commented 1 year ago

Like ome/omero-py#336, removes support for ADH, and adds support for TLS 1.3 like ome/omero-py#377.

chris-allan commented 1 year ago

Since we have less experience with wider TLS settings on the JDK this will require a little more testing than ome/omero-py#377. If you negotiate a TLS 1.3 connection with omero-py, the behaviour on the JDK without this PR is pretty ugly. For example, using the importer:

```
...
2023-07-10 10:37:30,306 585        [      main] ERROR  formats.importer.cli.CommandLineImporter - Error during import process.
Ice.ConnectionLostException: null
        at IceInternal.AsyncResultI.__wait(AsyncResultI.java:276)
        at Ice.ObjectPrxHelperBase.end_ice_isA(ObjectPrxHelperBase.java:310)
        at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:92)
        at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:69)
        at Ice.ObjectPrxHelperBase.checkedCastImpl(ObjectPrxHelperBase.java:2810)
        at Ice.ObjectPrxHelperBase.checkedCastImpl(ObjectPrxHelperBase.java:2770)
        at Glacier2.RouterPrxHelper.checkedCast(RouterPrxHelper.java:1787)
        at omero.client.getRouter(client.java:889)
        at omero.client.createSession(client.java:810)
        at omero.client.joinSession(client.java:745)
        at ome.formats.OMEROMetadataStoreClient.initialize(OMEROMetadataStoreClient.java:764)
        at ome.formats.importer.ImportConfig.createStore(ImportConfig.java:381)
        at ome.formats.importer.cli.CommandLineImporter.<init>(CommandLineImporter.java:162)
        at ome.formats.importer.cli.CommandLineImporter.main(CommandLineImporter.java:997)
```

chris-allan commented 1 year ago

Once we're happy with what's here we should be able to revert all or just the a9a5a85afe0a8ec4f5867000fc65a46c609bf0ae part of #23.

sbesson commented 1 year ago

Tested using a very similar set-up as https://github.com/ome/omero-py/pull/377#pullrequestreview-1545401152, using a derivative of https://github.com/ome/minimal-omero-client built with this PR included and a simplified version of the connector calling `omero.client(args)` directly and passing `--IceSSL.Trace.Security=1` to log the negotiated protocol.

| Client / Server | CentOS 7 | Rocky 8 | Rocky 9 | Ubuntu 20.04 | Ubuntu 22.04 |
|---|---|---|---|---|---|
| CentOS 7 | TLS 1.2 | TLS 1.3 | TLS 1.3 | TLS 1.3 | TLS 1.3 |
| Rocky 8 | fail | TLS 1.3 | TLS 1.3 | TLS 1.3 | TLS 1.3 |
| Rocky 9 | fail | TLS 1.3 | TLS 1.3 | TLS 1.3 | TLS 1.3 |
| Ubuntu 20.04 | TLS 1.2 | TLS 1.2 | TLS 1.3 | TLS 1.3 | TLS 1.3 |
| Ubuntu 22.04 | TLS 1.2 | TLS 1.3 | TLS 1.3 | TLS 1.3 | TLS 1.3 |

The two Rocky / CentOS failures showed the following stack trace:

```
Exception in thread "main" Ice.SecurityException
    reason = "IceSSL: error during read"
    at IceInternal.AsyncResultI.__wait(AsyncResultI.java:276)
    at Ice.ObjectPrxHelperBase.end_ice_isA(ObjectPrxHelperBase.java:310)
    at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:92)
    at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:69)
    at Ice.ObjectPrxHelperBase.checkedCastImpl(ObjectPrxHelperBase.java:2810)
    at Ice.ObjectPrxHelperBase.checkedCastImpl(ObjectPrxHelperBase.java:2770)
    at Glacier2.RouterPrxHelper.checkedCast(RouterPrxHelper.java:1787)
    at omero.client.getRouter(client.java:885)
    at omero.client.createSession(client.java:806)
    at omero.client.createSession(client.java:750)
    at com.glencoesoftware.SimpleConnection.main(SimpleConnection.java:36)
Caused by: javax.net.ssl.SSLHandshakeException: DH ServerKeyExchange does not comply to algorithm constraints
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:347)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:294)
    at java.base/sun.security.ssl.DHServerKeyExchange$DHServerKeyExchangeConsumer.consume(DHServerKeyExchange.java:538)
    at java.base/sun.security.ssl.ServerKeyExchange$ServerKeyExchangeConsumer.consume(ServerKeyExchange.java:122)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1076)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1063)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1010)
    at IceSSL.TransceiverI.handshakeNonBlocking(TransceiverI.java:363)
    at IceSSL.TransceiverI.initialize(TransceiverI.java:33)
    at Ice.ConnectionI.initialize(ConnectionI.java:1921)
    at Ice.ConnectionI.message(ConnectionI.java:940)
    at IceInternal.ThreadPool.run(ThreadPool.java:395)
    at IceInternal.ThreadPool.access$300(ThreadPool.java:12)
    at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:832)
    at java.base/java.lang.Thread.run(Thread.java:829)
```

so I suspect a similar patch as the one discussed in https://forum.image.sc/t/omero-login-ssl-error-dh-key/79574 should be applied.

Proposed next steps on this effort:

sbesson commented 1 year ago

I was able to reproduce https://github.com/ome/omero-blitz/pull/139#issuecomment-1628684247 on Ubuntu 22.04 after setting up TLS 1.3 exclusively:

```
omero config set omero.glacier2.IceSSL.Protocols "TLS1_3"
omero config set omero.glacier2.IceSSL.ProtocolVersionMax TLS1_3
```

I will run another round of cross-platform testing with an import workflow, i.e. testing both Python and Java clients, to assess that things are working as expected. From a tester perspective, I am starting to be worried about the dangers and limitations of integrating multiple development efforts (omero-py, omero-blitz, Ice binaries on Rocky 9). Especially as several of us will be in and out over the next few weeks, it would be useful to define the expectations for getting these PRs merged and possibly available as release artifacts or minimally release candidates. @jburel @chris-allan
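The cross-platform matrix above, the `DH ServerKeyExchange does not comply to algorithm constraints` failure, and the TLS1_3-only server configuration all come down to one question: given this JDK's algorithm constraints, which protocol and cipher suite does the client actually negotiate against a given server? The following stand-alone probe is an added example for checking that outside Ice; it is not omero-blitz or minimal-omero-client code. It performs a plain TLS handshake (IceSSL is standard TLS over TCP, so the handshake itself needs no Ice framing) once per protocol allow-list and reports the outcome, the way `--IceSSL.Trace.Security=1` does inside Ice. The class name `TlsProbe`, the default target `localhost:4064` (OMERO's usual secure Glacier2 port), and the use of the JDK default trust store are assumptions; for a self-signed server certificate, point `-Djavax.net.ssl.trustStore` at the server CA.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added diagnostic (not omero-blitz code): open a TLS connection to a server
 * once per protocol allow-list and report what this JDK actually negotiated,
 * together with the algorithm constraints that produce "does not comply to
 * algorithm constraints" handshake failures. Trust comes from the JDK default
 * trust store (override with -Djavax.net.ssl.trustStore for self-signed CAs).
 */
public class TlsProbe {

    /** Outcome of one handshake attempt. */
    public static final class Result {
        public final String[] offered;    // protocols the client enabled
        public final String protocol;     // negotiated protocol, null on failure
        public final String cipherSuite;  // negotiated cipher suite, null on failure
        public final String error;        // failure description, null on success

        Result(String[] offered, String protocol, String cipherSuite, String error) {
            this.offered = offered;
            this.protocol = protocol;
            this.cipherSuite = cipherSuite;
            this.error = error;
        }

        @Override
        public String toString() {
            String base = "offered " + Arrays.toString(offered) + " -> ";
            return error == null
                    ? base + protocol + " / " + cipherSuite
                    : base + "FAILED (" + error + ")";
        }
    }

    /** Handshake with only the given protocols enabled; never throws. */
    public static Result probe(String host, int port, String... protocols) {
        try {
            SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
            try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
                socket.setSoTimeout(10_000);
                // Restrict the client side only. A protocol name this JDK does not
                // support (e.g. TLSv1.3 on an old JDK) throws IllegalArgumentException,
                // which is reported through the generic catch below.
                socket.setEnabledProtocols(protocols);
                socket.startHandshake();
                SSLSession session = socket.getSession();
                return new Result(protocols, session.getProtocol(),
                        session.getCipherSuite(), null);
            }
        } catch (SSLHandshakeException e) {
            // "DH ServerKeyExchange does not comply to algorithm constraints" lands
            // here: a TLS 1.2 DHE handshake whose server-supplied DH parameters are
            // rejected by jdk.tls.disabledAlgorithms. TLS 1.3 has no ServerKeyExchange
            // message and negotiates named groups instead, so it cannot fail this way.
            return new Result(protocols, null, null, "handshake: " + e.getMessage());
        } catch (Exception e) {
            return new Result(protocols, null, null,
                    e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        // Assumed defaults: localhost and OMERO's secure Glacier2 port 4064.
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 4064;

        // The constraints this JDK applies to the peer's key-exchange parameters;
        // they differ between JDK releases and explain per-platform differences.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        String[][] attempts = {
            {"TLSv1.3"},             // what omero.glacier2.IceSSL.Protocols=TLS1_3 demands
            {"TLSv1.2"},             // exercises the ServerKeyExchange (DHE/ECDHE) path
            {"TLSv1.3", "TLSv1.2"},  // normal client preference order
        };
        for (String[] protocols : attempts) {
            System.out.println(probe(host, port, protocols));
        }
    }
}
```

Run it with `java TlsProbe.java <server> 4064` from each client platform in the matrix. A server that fails the TLSv1.2-only attempt with the DH constraint message but succeeds with TLSv1.3-only is the case the Rocky 8 / Rocky 9 to CentOS 7 column shows; a server restricted to TLS1_3 that fails every attempt on a given JDK tells you that JDK cannot speak TLS 1.3 at all, which is the client-side half of the `ConnectionLostException` symptom.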

jburel commented 1 year ago

Ticket created https://github.com/ome/omero-blitz/issues/143 for cleanup

imagesc-bot commented 1 year ago

This pull request has been mentioned on Image.sc Forum. There might be relevant details there:

https://forum.image.sc/t/omero-login-ssl-error-dh-key/79574/17