Bug ID: JDK-8293657 sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake"

JDK-8293657 : sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake"

Type: Bug
Component: core-svc
Sub-Component: javax.management
Affected Version: 20

Priority: P3
Status: Resolved
Resolution: Fixed
OS: linux_ubuntu
CPU: x86_64

Submitted: 2022-09-12
Updated: 2022-10-24
Resolved: 2022-09-23

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 17	JDK 20
17.0.6-oracleFixed	20 b17Fixed

Related Reports

Relates :	JDK-8293335 - sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1failed with "Agent communication error: java.io.EOFException"
Relates :	JDK-8152523 - sun/management/jmxremote/bootstrap/RmiSslBootstrapTest.sh failed intermittently
Relates :	JDK-8030616 - sun/management/jmxremote/bootstrap/RmiBootstrapTest fails intermittently with cannot find a free port

Sub Tasks

JDK-8293875 :

ProblemList sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 on linux-x64 - Resolved

Description

The following test failed in the JDK20 CI:

sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1

Here's a snippet from the log file:

#section:main
----------messages:(7/563)----------
command: main RmiBootstrapTest .*_ssltest.*.in
reason: User specified action: run main/othervm/timeout=300 RmiBootstrapTest .*_ssltest.*.in 
started: Mon Sep 12 15:39:10 UTC 2022
Mode: othervm [/othervm specified]
Additional options from @modules: --add-modules java.management,jdk.management.agent --add-exports java.management/sun.management=ALL-UNNAMED --add-exports jdk.management.agent/jdk.internal.agent=ALL-UNNAMED --add-exports jdk.management.agent/sun.management.jmxremote=ALL-UNNAMED
finished: Mon Sep 12 15:39:13 UTC 2022
elapsed time (seconds): 3.002
----------configuration:(6/293)----------
Boot Layer
  add modules: java.management jdk.management.agent          
  add exports: java.management/sun.management                ALL-UNNAMED
               jdk.management.agent/jdk.internal.agent       ALL-UNNAMED
               jdk.management.agent/sun.management.jmxremote ALL-UNNAMED

----------System.out:(6/1197)----------
***
*** Testing configuration (port=45399): /opt/mach5/mesos/work_dir/slaves/0c72054a-24ab-4dbb-944f-97f9341a1b96-S54353/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/d84a0f71-b8ca-49b5-9e20-76e6b6d800e0/runs/c8069094-63fc-4702-8bca-78f3c4950af6/testoutput/test-support/jtreg_open_test_jdk_jdk_management/classes/3/sun/management/jmxremote/bootstrap/RmiBootstrapTest_id1.d/management_ssltest07_ok.properties
***
Connection failed for no credentials: java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is: 
	javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
Test Failed: Failed to connect to agent {url=service:jmx:rmi://<host>/jndi/rmi://localhost:45399/jmxrmi}: java.lang.RuntimeException: Test /opt/mach5/mesos/work_dir/slaves/0c72054a-24ab-4dbb-944f-97f9341a1b96-S54353/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/d84a0f71-b8ca-49b5-9e20-76e6b6d800e0/runs/c8069094-63fc-4702-8bca-78f3c4950af6/testoutput/test-support/jtreg_open_test_jdk_jdk_management/classes/3/sun/management/jmxremote/bootstrap/RmiBootstrapTest_id1.d/management_ssltest07_ok.properties failed with 1 error(s)
----------System.err:(0/0)----------
----------rerun:(42/7242)*----------

<snip>

result: Failed. Unexpected exit from test [exit code: 1]

Comments

Fix request [17u] I backport this for parity with 17.0.6-oracle. Small risk, simple change. The related issues are failures of the same test, but the issues are different, so they are not needed. The change includes a cleanup of import forgotten in JDK-8280010 which I had to remove as that change is not in 17. Test passes before and after. SAP nighlty testing passed.
21-10-2022
A pull request was submitted for review. URL: https://git.openjdk.org/jdk17u-dev/pull/817 Date: 2022-10-20 13:34:55 +0000
20-10-2022
Changeset: f6d78cda Author: Jaikiran Pai <jpai@openjdk.org> Date: 2022-09-23 04:54:39 +0000 URL: https://git.openjdk.org/jdk/commit/f6d78cda853ce6ec6fdda845f1799253461fc618
23-09-2022
A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/10323 Date: 2022-09-18 12:57:28 +0000
18-09-2022
I had a more detailed look at this test failure which runs into: Connection failed for no credentials: java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake The test is launced in othervm and then runs tests for various configuration files which are named "management_ssltestxx_ok.properties" and "management_ssltestxx_ko.properties. The xx in that name is a digit. These files are picked up using the java.io.File.listFiles(filter) API against a pre-defined directory. Looking at the failures so far, it always happens when the "management_ssltest07_ok.properties" test is being run. More interestingly, the failure happens only when management_ssltest07_ok.properties is the first one against which the test is run. So locally I edited the test to run the test only against this specific management_ssltest07_ok.properties, to see if it is reproducible locally. Indeed it is. In fact, every single run fails with that exact exception. That properties file has this: com.sun.management.jmxremote.ssl.enabled.cipher.suites=TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 com.sun.management.jmxremote.ssl.enabled.protocols=SSLv2Hello,SSLv3,TLSv1 com.sun.management.jmxremote.ssl.need.client.auth=true com.sun.management.jmxremote.authenticate=false javax.rmi.ssl.client.enabledCipherSuites=TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 Looking at the code in the sun.security.ssl layer and enabling "javax.net.debug=all" for one of the local test runs shows that TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 is compatible only with TLSv1.2 https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/CipherSuite.java#L137. However, this specific configuration doesn't enable TLSv1.2. So the SSL handshake with the server fails (as noted in that exception message). The fix to this is to use a cipher suite that is usable with the enabled protocols (SSLv2Hello,SSLv3,TLSv1) in this configuration. A couple of such cipher suites that are usable for this are "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA". These were the ones that were chosen for another configuration file used in this test here https://mail.openjdk.org/pipermail/security-dev/2018-June/017489.html. Using these cipher suites gets that test passing. So now coming to the part about why this configuration passes at all when it isn't failing intermittently. That turns out to be a genuine bug in the sun.management.jmxremote.HostAwareSslSocketFactory, which I'll explain in a PR that I'm going to open (hard to explain here without the necessary references to code changes).
18-09-2022
The changeset with: 8293343: sun/management/jmxremote/bootstrap/RmiSslNoKeyStoreTest.java failed with "Agent communication error: java.io.EOFException" 8293335: sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1failed with "Agent communication error: java.io.EOFException" has reached jdk-20+15-995-tier8 so it looks like this test failure is limited to Tier3. However, it only seems to happen on Ubuntu machines and this test may not have been executed on a Ubuntu machines in Tier[4-8].
15-09-2022
The test has failed in three Tier3 job sets in rows so I'm bumping the priority from P4 -> P3. [~bhuang] and [~kevinw] - So far there are two failure modes here and neither matches what was just fixed in JDK-8293335. I'll keep an eye on this test, but if the noise level stays the same/similar to JDK-8293335, we should ProblemList again... Update: The failure sighting about free ports has been moved to JDK-8030616.
14-09-2022
Thank you Kevin. I've now moved my ports issue related comments to https://bugs.openjdk.org/browse/JDK-8030616
14-09-2022
There are 4 failures in RmiBootstrapTest.java linked here so far. Only one is about a free port (again, so far). The other two, and the bug title, are: Connection failed for no credentials: java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake Test Failed: Failed to connect to agent {url=service:jmx:rmi://HOSTNAME/jndi/rmi://localhost:45399/jmxrmi}: java.lang.RuntimeException: Test ...similar to JDK-8152523, but it is a different SSLHandshakeException. The long history of port problems can continue in JDK-8030616
13-09-2022
This failure occurred in jdk-20+15-987-tier3 which includes the fix for: JDK-8293335 sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1failed with "Agent communication error: java.io.EOFException"
12-09-2022