<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Test update looks fine and regression test run is clear. I have
no more comments.<br>
</p>
Thanks,<br>
Valerie<br>
<br>
<div class="moz-cite-prefix">On 9/12/2018 4:22 AM, Martin Balao
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAKZz+gdDOW9S5WetDemnhF6OdXBo0snbjnWjtOUYAvj=zOrWaw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi Valerie,
<div><br>
</div>
<div>Thanks for your answer.</div>
<div><br>
</div>
<div>Webrev.09:</div>
<div><br>
</div>
<div> * <a
href="http://cr.openjdk.java.net/%7Embalao/webrevs/8029661/8029661.webrev.09/"
moz-do-not-send="true">http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.09/</a></div>
<div> * <a
href="http://cr.openjdk.java.net/%7Embalao/webrevs/8029661/8029661.webrev.09.zip"
moz-do-not-send="true">http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.09.zip</a></div>
<div><br>
</div>
<div>In TestTLS12.java, we now capture any exception
during initialization phase and skip test execution if
that happens.</div>
<div><br>
</div>
<div>Kind regards,</div>
<div>Martin.-</div>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 12, 2018 at 2:20 AM,
Valerie Peng <span dir="ltr"><<a
href="mailto:valerie.peng@oracle.com" target="_blank"
moz-do-not-send="true">valerie.peng@oracle.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi, Martin,</p>
I am ok with your option#1.<br>
Note that your test fails at different places of the code,
so you will need to check and skip test execution before
those exception are thrown.<span class="HOEnZb"><font
color="#888888"><br>
<br>
Valerie</font></span>
<div>
<div class="h5"><br>
<br>
<div class="m_223099622882184183moz-cite-prefix">On
9/11/2018 7:54 AM, Martin Balao wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi Valerie,
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Aug
31, 2018 at 9:16 PM, Valerie Peng
<span dir="ltr"><<a
href="mailto:valerie.peng@oracle.com"
target="_blank"
moz-do-not-send="true">valerie.peng@oracle.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Hi
Martin,<br>
<br>
In TestTLS12.java, you call the
initSecmod() inside initialize()
and when initSecmod() returns
false, you return from
initialize() and continue down
the main(). Is this intentional?
Other tests seems to be skipping
execution when initSecmod()
return false.<br>
</blockquote>
<div><br>
</div>
<div>This test skips execution
too. That's because shouldRun
method returns false
if sunPKCS11NSSProvider variable
is null (which it is if
initSecmod returns false).</div>
<div> </div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<br>
Changes in webrev.08 resolves 2
out of the 4 failure cases for
TestTLS12.java. However, when I
submit the changes for testing,
it failed on some OS (see
below):<br>
<br>
macosx-x64:<br>
<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
jib > STDOUT:<br>
jib > nssLibDir:
/scratch/mesos/jib-master/inst<wbr>all/jpg/tests/jdk/nsslib/nssli<wbr>b-macosx_x64/3.35/nsslib-macos<wbr>x_x64-3.35.zip/nsslib/<br>
jib > STDERR:<br>
jib >
java.security.ProviderExceptio<wbr>n:
Could not initialize NSS<br>
jib > at
jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.SunPKCS11.<init>(Sun<wbr>PKCS11.java:218)<span
class="m_223099622882184183gmail-"><br>
jib > at
jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.SunPKCS11$1.run(SunP<wbr>KCS11.java:113)<br>
jib > at
jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.SunPKCS11$1.run(SunP<wbr>KCS11.java:110)<br>
jib > at
java.base/java.security.Access<wbr>Controller.doPrivileged(Native
Method)<br>
jib > at
jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.SunPKCS11.configure(<wbr>SunPKCS11.java:110)<br>
</span> jib > at
PKCS11Test.getSunPKCS11(PKCS11<wbr>Test.java:156)<br>
jib > at
TestTLS12.initialize(TestTLS12<wbr>.java:416)<br>
jib > at
TestTLS12.main(TestTLS12.java:<wbr>84)<span
class="m_223099622882184183gmail-"><br>
jib > at
java.base/jdk.internal.reflect<wbr>.NativeMethodAccessorImpl.invo<wbr>ke0(Native
Method)<br>
jib > at
java.base/jdk.internal.reflect<wbr>.NativeMethodAccessorImpl.invo<wbr>ke(NativeMethodAccessorImpl.ja<wbr>va:62)<br>
jib > at
java.base/jdk.internal.reflect<wbr>.DelegatingMethodAccessorImpl.<wbr>invoke(DelegatingMethodAccesso<wbr>rImpl.java:43)<br>
jib > at java.base/<a
href="http://java.lang.reflect.Me"
target="_blank"
moz-do-not-send="true">java.lang.reflect.Me</a><wbr>thod.invoke(Method.java:566)<br>
</span> jib > at
com.sun.javatest.regtest.agent<wbr>.MainWrapper$MainThread.run(Ma<wbr>inWrapper.java:127)<br>
jib > at
java.base/java.lang.Thread.run<wbr>(Thread.java:834)<br>
jib > Caused by:
java.io.IOException: NSS
initialization failed<br>
jib > at
jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.Secmod.initialize(Se<wbr>cmod.java:234)<br>
jib > at
jdk.crypto.cryptoki/sun.securi<wbr>ty.pkcs11.SunPKCS11.<init>(Sun<wbr>PKCS11.java:213)<br>
jib > ... 13 more<br>
jib ><br>
jib > JavaTest Message:
Test threw exception:
java.security.ProviderExceptio<wbr>n:
Could not initialize NSS<br>
</blockquote>
</blockquote>
<div><br>
</div>
<div> </div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
</blockquote>
windows-x64:<br>
<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
jib > STDOUT:<br>
jib > nssLibDir:
C:\ADE\mesos\work_dir\jib-mast<wbr>er\install\jpg\tests\jdk\nssli<wbr>b\nsslib-windows_x64\3.35\nssl<wbr>ib-windows_x64-3.35.zip\nsslib<wbr>\<br>
jib > SunPKCS11 provider:
SunPKCS11-NSSKeyStore version
12<br>
jib > STDERR:<br>
jib >
java.security.ProviderExceptio<wbr>n:
SunJSSE already initialized in
non-FIPS mode<br>
jib > at
java.base/sun.security.ssl.Sun<wbr>JSSE.ensureFIPS(SunJSSE.java:9<wbr>4)<br>
jib > at
java.base/sun.security.ssl.Sun<wbr>JSSE.<init>(SunJSSE.java:146)<br>
jib > at
java.base/sun.security.ssl.Sun<wbr>JSSE.<init>(SunJSSE.java:118)<br>
jib > at
java.base/com.sun.net.ssl.inte<wbr>rnal.ssl.Provider.<init>(Provi<wbr>der.java:47)<br>
jib > at
TestTLS12.initialize(TestTLS12<wbr>.java:424)<br>
jib > at
TestTLS12.main(TestTLS12.java:<wbr>84)<span
class="m_223099622882184183gmail-"><br>
jib > at
java.base/jdk.internal.reflect<wbr>.NativeMethodAccessorImpl.invo<wbr>ke0(Native
Method)<br>
jib > at
java.base/jdk.internal.reflect<wbr>.NativeMethodAccessorImpl.invo<wbr>ke(NativeMethodAccessorImpl.ja<wbr>va:62)<br>
jib > at
java.base/jdk.internal.reflect<wbr>.DelegatingMethodAccessorImpl.<wbr>invoke(DelegatingMethodAccesso<wbr>rImpl.java:43)<br>
jib > at java.base/<a
href="http://java.lang.reflect.Me"
target="_blank"
moz-do-not-send="true">java.lang.reflect.Me</a><wbr>thod.invoke(Method.java:566)<br>
</span> jib > at
com.sun.javatest.regtest.agent<wbr>.MainWrapper$MainThread.run(Ma<wbr>inWrapper.java:127)<span
class="m_223099622882184183gmail-"><br>
jib > at
java.base/java.lang.Thread.run<wbr>(Thread.java:834)<br>
jib ><br>
</span> jib > JavaTest
Message: Test threw exception:
java.security.ProviderExceptio<wbr>n:
SunJSSE already initialized in
non-FIPS mode<br>
</blockquote>
<div
class="m_223099622882184183gmail-HOEnZb">
<div
class="m_223099622882184183gmail-h5"><br>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>The 2 tests that initialize
NSS in FIPS mode
(TrustManagerTest and
ClientJSSEServerJSSE) only run
on Solaris. My guess is that
these failures are not
particular to TestTLS12 but to
NSS + FIPS support on these
setups. I won't be able to
reproduce the macOS failure and
I'm not sure if I'll be able to
reproduce in my Windows x86_64
environment.</div>
<div><br>
</div>
<div>I propose the following
options:</div>
<div><br>
</div>
<div> 1) Make the test skip macOS
& Windows x86_64 (and any
other platform that fails to
initialize the SunPKCS11
provider)</div>
<div><br>
</div>
<div> 2) If you can provide access
to a testing environment where I
can reproduce these failures, I
can see what's happening</div>
<div><br>
</div>
<div>I intentionally want to use
FIPS in NSS configuration
because it represents a real use
case, and is what motivated us
to support TLS 1.2 in SunPKCS11.
So, even though removing FIPS
would be an option, I prefer not
to take it.</div>
<div><br>
</div>
<div>Kind regards,</div>
<div>Martin.-</div>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>