<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";
mso-fareast-language:DE;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="DE" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hi Sean, thanks for looking into it .<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p><span lang="EN-US">>However, there is no nextUpdate field set, which means there should be always newer information available. So while the 5 minute delay may not be a huge issue, the fact that they are returning cached responses,<o:p></o:p></span></p>
<p><span lang="EN-US">>looks like a problem to me.This could be the underlying problem, in that they are not generating fresh OCSPResponses. I will contact LuxTrust and see if we can get some information from them.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Can we exclude the test until the issue is resolved ?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">We see such failures very often .<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Best regards, Matthias<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="mso-fareast-language:DE">From:</span></b><span lang="EN-US" style="mso-fareast-language:DE"> Sean Mullan <sean.mullan@oracle.com>
<br>
<b>Sent:</b> Donnerstag, 23. Januar 2020 21:46<br>
<b>To:</b> Baesken, Matthias <matthias.baesken@sap.com>; security-dev@openjdk.java.net<br>
<b>Subject:</b> Re: jtreg test security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java instabilities<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 1/17/20 8:09 AM, Baesken, Matthias wrote:<span style="mso-fareast-language:DE"><o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US">Hello, I wonder if you have some input regarding the following issue.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">I noticed a couple of instabilities (in jdk13 and higher) in the test security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java .</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">The test sometimes fails when validating the “validity interval” of OCSP responses :</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Example output is like :</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">certpath: OCSP response validity interval is from Wed Dec 04
<b>01:05:27 CET 2019</b></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">certpath: Checking validity of OCSP response on: Wed Dec 04
<b>01:39:15 CET 2019</b> <b><--------- default interval is system time “on” machine +/- 15 minutes , this is seen as valid by OpenJDK</b></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> …</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status
</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> at ValidatePathWithParams.validate(ValidatePathWithParams.java:177)</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> at LuxTrustCA.main(LuxTrustCA.java:186)</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> at java.base/java.lang.reflect.Method.invoke(Method.java:564)</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> at java.base/java.lang.Thread.run(Thread.java:832)</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">stdout contains :</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Received exception: java.security.cert.CertPathValidatorException:
<b><span style="color:red">Response is unreliable: its validity interval is out-of-date</span></b></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">So our <b> system time “on” machine ( 01:39:15 CET 2019</b>
<b> +/- 15 minutes ) </b>does not contain the time from OCSP response<b> ( 01:05:27 CET 2019) .</b></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Reason is unclear , of course the time on the test machine could be wrong but we see the issue on multiple machines and when looking into the system times of the machines they look fine .</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Maybe the time info from the OCSP response is wrong , at least it looks like this is the issue here .</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Have you seen similar issues (also in other tests dealing with OCSP response validity checks) ?</span><o:p></o:p></p>
</blockquote>
<p>Yes, I can confirm we have seen this at least once before. There is a bug filed for it, but it is currently marked Confidential because it has some internal information in it.<o:p></o:p></p>
<p>Can you send me the whole log file or at least more of it which shows the info below?<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Do you think that increasing the acceptance interval e.g. by setting it to -Dcom.sun.security.ocsp.clockSkew=9000000 in security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java
would be okay ?</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">( I’d like to add a little bit more tracing too so that in case of such errors it is easier to understand the issue )</span><o:p></o:p></p>
</blockquote>
<p>No that would be too much skew. If there is an issue with the time on the OCSP Responder, that is a more serious issue which this property might mask.
<o:p></o:p></p>
<p>I just ran this test myself locally. I noticed that one of the OCSP Responders appears to be returning pre-produced OCSPResponses:<o:p></o:p></p>
<p>certpath: connecting to OCSP service at: <a href="http://qca.ocsp.luxtrust.lu">
http://qca.ocsp.luxtrust.lu</a><br>
certpath: OCSP response status: SUCCESSFUL<br>
certpath: OCSP response type: basic<br>
certpath: Responder ID: byKey: AFC136FF2B78DC9F78E0100F2ABC24DDBD6F12B6<br>
certpath: OCSP response produced at: Thu Jan 23 15:23:08 EST 2020<br>
certpath: OCSP number of SingleResponses: 1<br>
certpath: thisUpdate: Thu Jan 23 15:18:13 EST 2020<o:p></o:p></p>
<p>However, there is no nextUpdate field set, which means there should be always newer information available. So while the 5 minute delay may not be a huge issue, the fact that they are returning cached responses, looks like a problem to me.<o:p></o:p></p>
<p>This could be the underlying problem, in that they are not generating fresh OCSPResponses. I will contact LuxTrust and see if we can get some information from them.<o:p></o:p></p>
<p>Thanks,<o:p></o:p></p>
<p>Sean<o:p></o:p></p>
</div>
</div>
</body>
</html>