Re: [ovirt-devel] SSO and the engine

27 Jan 2017

      Сергей Скурлаев suggested to me that there is newer version of jdk in
updates-testing.

I had updated java-1.8.0-openjdk to 1:1.8.0.121-1.b14.fc24 and I was
able to add host properly.

On Fri, Jan 27, 2017 at 2:57 PM, Piotr Kliczewski
<piotr.kliczewski@gmail.com> wrote:
...
I downgraded jdk and it did not help.
My dnf says when I attempt to install as in the link:
No package nss-3.27.0-1.1.fc25.x86_64 available.
No package nss-softokn-3.27.0-1.0.fc25.x86_64 available.
No package nss-softokn-freebl-3.27.0-1.0.fc25.x86_64 available.
No package nss-sysinit-3.27.0-1.1.fc25.x86_64 available.
No package nss-tools-3.27.0-1.1.fc25.x86_64 available.
No package nss-util-3.27.0-1.0.fc25.x86_64 available.
I am not able to downgrade nss due to conflicts with other packages.:
On Fri, Jan 27, 2017 at 2:23 PM, Benny Zlotnik <bzlotnik@redhat.com> wrote:
...
You can also try downgrading the nss packages, see:
https://bugzilla.redhat.com/show_bug.cgi?id=1415137#c15
On Fri, Jan 27, 2017 at 3:18 PM, Piotr Kliczewski
<piotr.kliczewski@gmail.com> wrote:
...
I was too fast to send the update. I am able to login now but I see
core dump during host add:
2017-01-27 14:14:01,906+01 ERROR
[org.ovirt.engine.core.bll.hostdeploy.AddVdsCommand] (default task-58)
[20086bed-e76d-42ef-9ab1-30c8e965374b] Failed to establish session
with host 'fedora': SSH session closed during connection
'root@192.168.1.102'
2017-01-27 14:14:01,907+01 WARN
[org.ovirt.engine.core.bll.hostdeploy.AddVdsCommand] (default task-58)
[20086bed-e76d-42ef-9ab1-30c8e965374b] Validation of action 'AddVds'
failed for user admin@internal-authz. Reasons:
VAR__ACTION__ADD,VAR__TYPE__HOST,$server
192.168.1.102,VDS_CANNOT_CONNECT_TO_SERVER
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00007f7c9d773734, pid=20890,
tid=0x00007f7c6c148700
#
# JRE version: OpenJDK Runtime Environment (8.0_111-b16) (build
1.8.0_111-b16)
# Java VM: OpenJDK 64-Bit Server VM (25.111-b16 mixed mode linux-amd64
compressed oops)
# Problematic frame:
# C  [libc.so.6+0x14a734]  __memcpy_avx_unaligned+0x2c4
#
# Failed to write core dump. Core dumps have been disabled. To enable
core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# /tmp/hs_err_pid20890.log
#
# If you would like to submit a bug report, please visit:
#   http://bugreport.java.com/bugreport/crash.jsp
#
ovirt-engine[20848] ERROR run:554 Error: process terminated with status
code -6
2017-01-27 14:14:01,756+01 INFO
[org.apache.sshd.common.util.SecurityUtils] (default task-58)
BouncyCastle not registered, using the default JCE provider
2017-01-27 14:14:01,870+01 INFO
[org.apache.sshd.client.session.ClientSessionImpl]
(sshd-SshClient[26c9f7da]-nio2-thread-1) Client session created
2017-01-27 14:14:01,885+01 INFO
[org.apache.sshd.client.session.ClientSessionImpl]
(sshd-SshClient[26c9f7da]-nio2-thread-1) Server version string:
SSH-2.0-OpenSSH_7.2
2017-01-27 14:14:01,886+01 INFO
[org.apache.sshd.client.session.ClientSessionImpl]
(sshd-SshClient[26c9f7da]-nio2-thread-1) Kex: server->client
aes128-ctr hmac-sha2-256 none
2017-01-27 14:14:01,886+01 INFO
[org.apache.sshd.client.session.ClientSessionImpl]
(sshd-SshClient[26c9f7da]-nio2-thread-1) Kex: client->server
aes128-ctr hmac-sha2-256 none
2017-01-27 14:14:01,896+01 WARN
[org.apache.sshd.client.session.ClientSessionImpl]
(sshd-SshClient[26c9f7da]-nio2-thread-1) Exception caught:
java.security.ProviderException: java.lang.NegativeArraySizeException
at
sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:147)
at
java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:703)
[rt.jar:1.8.0_111]
at org.apache.sshd.common.kex.ECDH.getE(ECDH.java:59)
at
org.apache.sshd.client.kex.AbstractDHGClient.init(AbstractDHGClient.java:78)
at
org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:359)
at
org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:295)
at
org.apache.sshd.client.session.ClientSessionImpl.handleMessage(ClientSessionImpl.java:256)
at
org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:731)
at
org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:277)
at
org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:54)
at
org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:187)
at
org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:173)
at
org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:32)
at java.security.AccessController.doPrivileged(Native Method)
[rt.jar:1.8.0_111]
at
org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:30)
at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126) [rt.jar:1.8.0_111]
at sun.nio.ch.Invoker.invokeDirect(Invoker.java:157) [rt.jar:1.8.0_111]
at
sun.nio.ch.UnixAsynchronousSocketChannelImpl.implRead(UnixAsynchronousSocketChannelImpl.java:553)
[rt.jar:1.8.0_111]
at
sun.nio.ch.AsynchronousSocketChannelImpl.read(AsynchronousSocketChannelImpl.java:276)
[rt.jar:1.8.0_111]
at
sun.nio.ch.AsynchronousSocketChannelImpl.read(AsynchronousSocketChannelImpl.java:297)
[rt.jar:1.8.0_111]
at
java.nio.channels.AsynchronousSocketChannel.read(AsynchronousSocketChannel.java:420)
[rt.jar:1.8.0_111]
at
org.apache.sshd.common.io.nio2.Nio2Session.startReading(Nio2Session.java:173)
at
org.apache.sshd.common.io.nio2.Nio2Connector$1.onCompleted(Nio2Connector.java:53)
at
org.apache.sshd.common.io.nio2.Nio2Connector$1.onCompleted(Nio2Connector.java:46)
at
org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:32)
at java.security.AccessController.doPrivileged(Native Method)
[rt.jar:1.8.0_111]
at
org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:30)
at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126) [rt.jar:1.8.0_111]
at sun.nio.ch.Invoker$2.run(Invoker.java:218) [rt.jar:1.8.0_111]
at
sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
[rt.jar:1.8.0_111]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0_111]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0_111]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_111]
Caused by: java.lang.NegativeArraySizeException
at sun.security.ec.ECKeyPairGenerator.generateECKeyPair(Native Method)
at
sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:128)
... 32 more
On Fri, Jan 27, 2017 at 1:56 PM, Piotr Kliczewski
<piotr.kliczewski@gmail.com> wrote:
...
Thank you Juan, It fixed my issue
I updated java.security and changed:
from
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
to
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768, EC, ECDHE, ECDH
Thanks,
Piotr
On Fri, Jan 27, 2017 at 1:42 PM, Juan Hernández <jhernand@redhat.com>
wrote:
...
See this Piotr:
http://post-office.corp.redhat.com/archives/rhev-devel/2017-January/msg00269...
Benny, may be worth publishing it to the upstream devel list.
On 01/27/2017 01:35 PM, Piotr Kliczewski wrote:
...
All,
I pulled the latest source from master and rebuilt my engine. Every
time I attempt to login I see:
2017-01-27 13:22:51,403+01 INFO
[org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default
task-54) [] User admin@internal successfully logged in with scopes:
ovirt-app-admin ovirt-app-api ovirt-app-portal
ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all
ovirt-ext=token-info:authz-search
ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate
ovirt-ext=token:password-access
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00007f514eb45734, pid=2519,
tid=0x00007f51119a6700
#
# JRE version: OpenJDK Runtime Environment (8.0_111-b16) (build
1.8.0_111-b16)
# Java VM: OpenJDK 64-Bit Server VM (25.111-b16 mixed mode linux-amd64
compressed oops)
# Problematic frame:
# C  [libc.so.6+0x14a734]  __memcpy_avx_unaligned+0x2c4
#
# Failed to write core dump. Core dumps have been disabled. To enable
core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# /tmp/hs_err_pid2519.log
#
# If you would like to submit a bug report, please visit:
#   http://bugreport.java.com/bugreport/crash.jsp
#
ovirt-engine[2471] ERROR run:554 Error: process terminated with status
code -6
I enabled ssl debug to find:
2017-01-27 13:22:37,641+01 INFO  [stdout] (default I/O-2) default
I/O-2, fatal error: 80: problem unwrapping net record
2017-01-27 13:22:37,642+01 INFO  [stdout] (default I/O-2)
java.lang.RuntimeException: java.lang.NegativeArraySizeException
2017-01-27 13:22:37,642+01 INFO  [stdout] (default I/O-2) %%
Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]
2017-01-27 13:22:37,643+01 INFO  [stdout] (default I/O-2) default
I/O-2, SEND TLSv1.2 ALERT:  fatal, description = internal_error
2017-01-27 13:22:37,643+01 INFO  [stdout] (default I/O-2) default
I/O-2, WRITE: TLSv1.2 Alert, length = 2
2017-01-27 13:22:37,643+01 INFO  [stdout] (default I/O-2) default
I/O-2, called closeInbound()
2017-01-27 13:22:37,643+01 INFO  [stdout] (default I/O-2) default
I/O-2, fatal: engine already closed.  Rethrowing
javax.net.ssl.SSLException: Inbound closed before receiving peer's
close_notify: possible truncation attack?
2017-01-27 13:22:37,643+01 INFO  [stdout] (default I/O-2) default
I/O-2, called closeOutbound()
2017-01-27 13:22:37,643+01 INFO  [stdout] (default I/O-2) default
I/O-2, closeOutboundInternal()
2017-01-27 13:22:37,644+01 INFO  [stdout] (default task-1) default
task-1, received EOFException: error
2017-01-27 13:22:37,644+01 INFO  [stdout] (default task-1) default
task-1, handling exception: javax.net.ssl.SSLHandshakeException:
Remote host closed connection during handshake
2017-01-27 13:22:37,645+01 INFO  [stdout] (default task-1) default
task-1, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
2017-01-27 13:22:37,645+01 INFO  [stdout] (default task-1) default
task-1, WRITE: TLSv1.2 Alert, length = 2
2017-01-27 13:22:37,645+01 INFO  [stdout] (default task-1) [Raw
write]: length = 7
2017-01-27 13:22:37,647+01 INFO  [stdout] (default task-1) 0000: 15 03
03 00 02 02 28                               ......(
2017-01-27 13:22:37,647+01 INFO  [stdout] (default task-1) default
task-1, called closeSocket()
2017-01-27 13:22:37,644+01 ERROR [org.xnio.nio] (default I/O-2)
XNIO000011: Task io.undertow.protocols.ssl.SslConduit$5$1@6d665208
failed with an exception: java.lang.RuntimeException:
java.lang.NegativeArraySizeException
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
[jsse.jar:1.8.0_111]
at
sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
[jsse.jar:1.8.0_111]
at
sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
[jsse.jar:1.8.0_111]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
[jsse.jar:1.8.0_111]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
[rt.jar:1.8.0_111]
at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:742)
at
io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:639)
at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1035)
at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:588)
[xnio-nio-3.4.0.Final.jar:3.4.0.Final]
at org.xnio.nio.WorkerThread.run(WorkerThread.java:468)
[xnio-nio-3.4.0.Final.jar:3.4.0.Final]
Caused by: java.security.ProviderException:
java.lang.NegativeArraySizeException
at
sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:147)
at
java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:703)
[rt.jar:1.8.0_111]
at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:64)
[jsse.jar:1.8.0_111]
at
sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:1432)
[jsse.jar:1.8.0_111]
at
sun.security.ssl.ServerHandshaker.trySetCipherSuite(ServerHandshaker.java:1219)
[jsse.jar:1.8.0_111]
at
sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1023)
[jsse.jar:1.8.0_111]
at
sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:738)
[jsse.jar:1.8.0_111]
at
sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221)
[jsse.jar:1.8.0_111]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
[jsse.jar:1.8.0_111]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
[jsse.jar:1.8.0_111]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
[jsse.jar:1.8.0_111]
at java.security.AccessController.doPrivileged(Native Method)
[rt.jar:1.8.0_111]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
[jsse.jar:1.8.0_111]
at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1023)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0_111]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0_111]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_111]
Caused by: java.lang.NegativeArraySizeException
at sun.security.ec.ECKeyPairGenerator.generateECKeyPair(Native Method)
at
sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:128)
... 16 more
Are we aware of the issue? Is there any workaround?
I am using fedora 24 with all recent updates applied.
Thanks,
Piotr
_______________________________________________
Devel mailing list
Devel@ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel