quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

JDBC Driver - Microsoft SQL Server extension doesn't work in FIPS-enabled environment with OpenJDK 17 and RHEL8 but works with OpenJDK 21 #40813

Open michalvavrik opened 3 months ago

michalvavrik commented 3 months ago

Describe the bug

I run a Quarkus application with the MSSQL extension in a FIPS-enabled environment with Red Hat OpenJDK 17, and encrypted communication is always forced, even though I disable it. That seems appropriate, as the official Microsoft SQL Server 2022 docs suggest that encrypted communication should be used in a FIPS-enabled environment: https://learn.microsoft.com/en-us/sql/connect/jdbc/fips-mode?view=sql-server-ver16. However, even when I configure everything according to the SQL Server FIPS docs, the SSL handshake times out.

I expected the issue to be in my setup or certs, but I use the SHA256WithRSAEncryption signature algorithm, and then there is OpenJDK 21. I run the app with the latest Red Hat OpenJDK 21 and both the connection that trusts server certificates and the stricter setup with a PKCS12 truststore and verified hostname work. I've verified the logged SSL handshake, certs, etc.

I run the tests on RHEL 8.9; therefore FIPS mode is enabled automatically with Red Hat OpenJDK 21.

Expected behavior

I am actually confused why this behavior is OpenJDK-specific and don't understand why my setup doesn't work with OpenJDK 17. It works with OpenJDK 21:

13:00:09,036 INFO  [app] 13:00:07,236 TDSChannel (ConnectionID:1) Enabling SSL...
13:00:09,036 INFO  [app] 13:00:07,237 TDSChannel (ConnectionID:1) SSL handshake will validate server certificate
13:00:09,036 INFO  [app] 13:00:07,270 X509Certificate: Alg:SHA256withRSA, Serial:f0daa261c60, Subject:CN=localhost, Issuer:CN=localhost, Key type:RSA, Length:2048, Cert Id:3076419420, Valid from:5/20/24, 12:59 PM, Valid until:5/24/24, 12:59 PM
13:00:09,036 INFO  [app] 13:00:07,328 TDSChannel (ConnectionID:1) Starting SSL handshake
13:00:09,036 INFO  [app] 13:00:07,374 X509Certificate: Alg:SHA256withRSA, Serial:f0daa261c60, Subject:CN=localhost, Issuer:CN=localhost, Key type:RSA, Length:2048, Cert Id:3076419420, Valid from:5/20/24, 12:59 PM, Valid until:5/24/24, 12:59 PM
13:00:09,036 INFO  [app] 13:00:07,401  TLSHandshake: localhost:32788, TLSv1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 3076419420
13:00:09,036 INFO  [app] 13:00:07,402 TDSChannel (ConnectionID:1) SSL enabled
13:00:09,036 INFO  [app] 13:00:07,418 ConnectionID:1 ClientConnectionId: 36417244-0c5d-4281-b2d8-b49bfe9e45c1 Network packet size is 8000 bytes
13:00:09,036 INFO  [app] 13:00:07,418 ConnectionID:1 ClientConnectionId: 36417244-0c5d-4281-b2d8-b49bfe9e45c1 Received feature extension acknowledgement for AE.
13:00:09,036 INFO  [app] 13:00:07,418 ConnectionID:1 ClientConnectionId: 36417244-0c5d-4281-b2d8-b49bfe9e45c1 Received feature extension acknowledgement for Data Classification.
13:00:09,036 INFO  [app] 13:00:07,418 ConnectionID:1 ClientConnectionId: 36417244-0c5d-4281-b2d8-b49bfe9e45c1 Received feature extension acknowledgement for UTF8 support.
13:00:09,036 INFO  [app] 13:00:07,419 ConnectionID:1 ClientConnectionId: 36417244-0c5d-4281-b2d8-b49bfe9e45c1 Received feature extension acknowledgement for Azure SQL DNS Caching.
13:00:09,036 INFO  [app] 13:00:07,419 ConnectionID:1 ClientConnectionId: 36417244-0c5d-4281-b2d8-b49bfe9e45c1 Received feature extension acknowledgement for Idle Connection Resiliency.
13:00:09,036 INFO  [app] 13:00:07,420 ConnectionID:1 ClientConnectionId: 36417244-0c5d-4281-b2d8-b49bfe9e45c1 End of connect
13:00:09,036 INFO  [app] 13:00:07,420 RETURN ConnectionID:1 ClientConnectionId: 36417244-0c5d-4281-b2d8-b49bfe9e45c1
13:00:09,036 INFO  [app] 13:00:07,420 ENTRY true

Actual behavior

The connection times out and app startup fails:

14:05:06,597 INFO  [app] 14:05:04,365 TDSChannel (ConnectionID:1) Enabling SSL...
14:05:06,597 INFO  [app] 14:05:04,366 TDSChannel (ConnectionID:1) SSL handshake will validate server certificate
14:05:06,597 INFO  [app] 14:05:04,378 X509Certificate: Alg:SHA256withRSA, Serial:6508f801e10d, Subject:CN=localhost, Issuer:CN=localhost, Key type:RSA, Length:2048, Cert Id:1935473840, Valid from:5/21/24, 2:04 PM, Valid until:5/25/24, 2:04 PM
14:05:06,597 INFO  [app] 14:05:04,446 TDSChannel (ConnectionID:1) Starting SSL handshake
14:05:06,597 INFO  [app] 14:05:04,585 TDSReader@1 (ConnectionID:1 ClientConnectionId: 121f498d-eccb-4dd8-bbd2-7ccc3b4284c1) Premature EOS in response. packetNum:0 headerBytesRead:0
14:05:06,597 INFO  [app] 14:05:04,586 *** SQLException:ConnectionID:1 ClientConnectionId: 121f498d-eccb-4dd8-bbd2-7ccc3b4284c1 com.microsoft.sqlserver.jdbc.SQLServerException: SQL Server did not return a response. The connection has been closed. ClientConnectionId:121f498d-eccb-4dd8-bbd2-7ccc3b4284c1 SQL Server did not return a response. The connection has been closed. ClientConnectionId:121f498d-eccb-4dd8-bbd2-7ccc3b4284c1
14:05:06,597 INFO  [app] 14:05:04,586 com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:4266)com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:4255)com.microsoft.sqlserver.jdbc.TDSReader.readPacket(IOBuffer.java:6872)com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.ensureSSLPayload(IOBuffer.java:892)com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.readInternal(IOBuffer.java:949)com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.read(IOBuffer.java:942)com.microsoft.sqlserver.jdbc.TDSChannel$ProxyInputStream.readInternal(IOBuffer.java:1206)com.microsoft.sqlserver.jdbc.TDSChannel$ProxyInputStream.read(IOBuffer.java:1192)java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:484)java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:478)java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1854)com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3792)com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:3348)com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:3179)com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1953)com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1263)io.agroal.pool.ConnectionFactory.createConnection(ConnectionFactory.java:225)io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:545)io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:526)java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)io.agroal.pool.util.PriorityScheduledExecutor.beforeExecute(PriorityScheduledExecutor.java:75)java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1134)java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)java.base/java.lang.Thread.run(Thread.java:840)
14:05:06,597 INFO  [app] 14:05:04,586 ENTRY
14:05:06,597 INFO  [app] 14:05:04,587 TDSChannel (ConnectionID:1) Disabling SSL...
14:05:06,597 INFO  [app] 14:05:04,587 TDSChannel (ConnectionID:1) Closing SSL socket
14:05:06,597 INFO  [app] 14:05:04,589 TDSChannel (ConnectionID:1) SSL disabled
14:05:06,597 INFO  [app] 14:05:04,589 TDSChannel (ConnectionID:1): Closing TCP socket...

How to Reproduce?

Steps to reproduce the behavior:

  1. RHEL 8.9, FIPS-enabled, Red_Hat-17.0.10.0.7-1.el7openjdkportable
  2. git clone git@github.com:quarkus-qe/quarkus-test-suite.git

strict version with verified hostname, server certs:

  1. cd quarkus-test-suite/sql-db/sql-app
  2. mvn clean verify -Dit.test=MssqlDatabaseIT

trusting version:

  1. cd quarkus-test-suite/sql-db/sql-app-compatibility
  2. mvn clean verify -Dit.test=MssqlDatabaseIT

Output of uname -a or ver

RHEL 8.9 4.18.0-513.24.1.el8_9.x86_64

Output of java -version

OpenJDK Runtime Environment (Red_Hat-17.0.10.0.7-1.el7openjdkportable) (build 17.0.10+7-LTS)

Quarkus version or git rev

999-SNAPSHOT, 3.8.x + (didn't try older versions)

Build tool (i.e. output of mvnw --version or gradlew --version)

Apache Maven 3.8.6

Additional information

No response
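
The report above compares two JDKs on the same FIPS-enabled host and only has the driver's handshake log to go on. The diagnostic below is an added example, not code from the Quarkus issue, the quarkus-test-suite or the MSSQL JDBC driver: it dumps the security-provider order, which provider serves the SHA256withRSA algorithm used by the server certificate in the log, and the TLS protocols and cipher suites the default JSSE context will actually offer, and it checks whether the suite negotiated in the working JDK 21 run (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) is enabled at all. Running it once under each JDK, with the same `javax.net.ssl.trustStore*` properties as the application, narrows the question to "does the FIPS provider stack on JDK 17 offer what the server accepts" before touching the driver. The `com.redhat.fips` system property is assumed here to be the Red Hat builds' FIPS switch; the class name and the exit-code convention are this example's own.

```java
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * Added diagnostic (not part of the Quarkus issue or the test suite): prints the
 * crypto/TLS capabilities of the running JDK so that a JDK 17 and a JDK 21 run on
 * the same FIPS-enabled host can be compared line by line.
 */
public class FipsTlsDiagnostics {

    // Cipher suite negotiated in the successful JDK 21 handshake log above.
    static final String EXPECTED_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";

    public static void main(String[] args) throws Exception {
        System.out.println("java.version                 = " + System.getProperty("java.version"));
        System.out.println("java.vendor                  = " + System.getProperty("java.vendor"));
        // Assumption: Red Hat builds read this property to enable/disable FIPS mode;
        // it is simply absent on upstream builds.
        System.out.println("com.redhat.fips              = " + System.getProperty("com.redhat.fips", "<not set>"));
        System.out.println("javax.net.ssl.trustStore     = " + System.getProperty("javax.net.ssl.trustStore", "<not set>"));
        System.out.println("javax.net.ssl.trustStoreType = " + System.getProperty("javax.net.ssl.trustStoreType", "<not set>"));

        // Provider order decides which implementation JSSE and JCA pick. In FIPS mode a
        // PKCS#11/NSS-backed provider is expected at or near the top of the list.
        System.out.println();
        System.out.println("Security providers (preference order):");
        for (Provider p : Security.getProviders()) {
            System.out.printf("  %-28s %s%n", p.getName(), p.getInfo());
        }

        // The server certificate in the log is SHA256withRSA; show who verifies it.
        Signature sig = Signature.getInstance("SHA256withRSA");
        System.out.println();
        System.out.println("SHA256withRSA served by      : " + sig.getProvider().getName());

        // Default SSLContext is what the MSSQL driver ends up using unless told otherwise.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        System.out.println("SSLContext provider          : " + ctx.getProvider().getName());
        System.out.println("Default protocols            : " + Arrays.toString(defaults.getProtocols()));
        System.out.println("Supported protocols          : " + Arrays.toString(supported.getProtocols()));

        List<String> enabled = Arrays.asList(defaults.getCipherSuites());
        System.out.println("Enabled cipher suites (" + enabled.size() + " of "
                + supported.getCipherSuites().length + " supported):");
        for (String suite : enabled) {
            System.out.println("  " + suite);
        }

        boolean hasExpected = enabled.contains(EXPECTED_SUITE);
        System.out.println();
        System.out.println(EXPECTED_SUITE + (hasExpected ? " is enabled" : " is NOT enabled"));
        // Non-zero exit lets a test script flag the JDK whose default context cannot
        // offer the suite the server accepted from JDK 21.
        System.exit(hasExpected ? 0 : 1);
    }
}
```

Compile and run it with each JDK on the RHEL 8.9 host, passing the same truststore properties the application uses, e.g. `java -Djavax.net.ssl.trustStore=/path/truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 FipsTlsDiagnostics`; a second run with `-Dcom.redhat.fips=false` (assumed switch, see above) shows which differences come from the FIPS provider stack rather than from the JDK version itself. Diffing the two outputs tells you whether the JDK 17 run never offered the suite the server picked, or offered it and failed later, which is the distinction the "Premature EOS" trace above cannot make on its own.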

quarkus-bot[bot] commented 3 months ago

/cc @Karm (securepipeline), @jerboaa (securepipeline)