
Failed to get the list of available OpenSSL cipher suites #537

Open

dwservice opened this issue Apr 11, 2020 · 27 comments

Comments

@dwservice

Hi, I get a warning when I run my application as a non-root user under Linux CentOS 7 with OpenJDK 1.8.0_242 (IcedTea 3.15.0). I use netty-tcnative openssl-static 1.1.1e.
This is the warning:

```
WARNING: Failed to get the list of available OpenSSL cipher suites.
java.lang.Exception: Invalid format (error:0200100D:system library:fopen:Permission denied)
        at io.netty.internal.tcnative.SSL.parseX509Chain(Native Method)
        at io.netty.handler.ssl.OpenSsl.<clinit>(OpenSsl.java:242)
        at io.netty.handler.ssl.ReferenceCountedOpenSslContext.<init>(ReferenceCountedOpenSslContext.java:196)
        at io.netty.handler.ssl.OpenSslContext.<init>(OpenSslContext.java:43)
        at io.netty.handler.ssl.OpenSslServerContext.<init>(OpenSslServerContext.java:346)
        at io.netty.handler.ssl.OpenSslServerContext.<init>(OpenSslServerContext.java:334)
        at io.netty.handler.ssl.SslContext.newServerContextInternal(SslContext.java:471)
        at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:571)
        at Test.main(Test.java:11)
```

The application seems to work fine, but I wonder whether it is possible to avoid this warning, or whether I should not mind it.
Here is a simple example to reproduce the issue:

```java
import io.netty.handler.ssl.*;
import java.io.*;

public class Test {
    public static void main(String[] ar) {
        try {
            // PEM certificate chain and private key used by the server context
            File certificate = new File("test.crt");
            File privateKey = new File("test.key");
            SslContextBuilder sslcb = SslContextBuilder.forServer(certificate, privateKey);
            // Force the native (tcnative / OpenSSL) provider instead of the JDK one
            sslcb.sslProvider(SslProvider.OPENSSL);
            // The first use of OpenSsl runs its static initializer, where the warning is logged
            SslContext sslc = sslcb.build();
            System.out.println("OK");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```

COMPILE IT:
```
javac -cp netty.jar:netty-tcnative.jar Test.java
```

RUN IT (important: NOT as the root user):
```
java -cp netty.jar:netty-tcnative.jar:. Test
```

Thank you,
Danilo

@hyperxpro
Contributor

Grant the non-root user permission on the netty-tcnative library file.

@hyperxpro
Contributor

Is it OpenSSL Dynamic, OpenSSL Static or BoringSSL Static?

@dwservice
Author

OpenSSL Static

@hyperxpro
Contributor

Maven project?

@dwservice
Author

No. I've compiled it.

@hyperxpro
Contributor

Did you try chmod 777 on OpenSSL-Static, test.crt and test.key?

@dwservice
Author

Yes, for test.crt and test.key, but OpenSSL-Static is embedded in netty-tcnative.jar. I've taken a look at the netty-tcnative source and the issue doesn't seem to occur when reading the certificate, but only when io.netty.handler.ssl.OpenSsl is initialized for the first time. Anyway, my application works fine and the certificate is loaded correctly.

@hyperxpro
Contributor

Add this code at the top: `OpenSsl.ensureAvailability();`

@dwservice
Author

I get the same warning, but the stack trace is shorter:

```
WARNING: Failed to get the list of available OpenSSL cipher suites.
java.lang.Exception: Invalid format (error:0200100D:system library:fopen:Permission denied)
        at io.netty.internal.tcnative.SSL.parseX509Chain(Native Method)
        at io.netty.handler.ssl.OpenSsl.<clinit>(OpenSsl.java:242)
        at Test.main(Test.java:7)
```

@hyperxpro
Contributor

Use Log4j2 at DEBUG level with the root logger, log everything to a file and upload it here.

@dwservice
Author

OK. Anyway, the error occurs when OpenSsl is initialized. So now the test example to reproduce it is this:

```java
import io.netty.handler.ssl.*;

public class Test {
    public static void main(String[] ar) {
        // Touching OpenSsl runs its static initializer, which is where the warning is logged
        OpenSsl.ensureAvailability();
    }
}
```

@dwservice
Author

Here is the log:
debug.log

@hyperxpro
Contributor

Tried reproducing with the latest commit and it works fine. Can you try with 2.0.30.Final release?

@dwservice
Author

I compiled it a week ago without choosing a tag/snapshot, so I think it's the latest version:

```
git clone https://github.com/netty/netty-tcnative.git
cd netty-tcnative
./mvnw clean install
```

Have you run your test as a non-root user?

@hyperxpro
Contributor

Sorry for the delay. Little busy temporarily. I'll test it as non-root user soon and let you know.

@hyperxpro
Contributor

Working fine as non-root user.

@dwservice
Author

Thanks for your test. What is your software configuration?
Here my configuration:
LINUX: CentOS Linux release 7.7.1908 (Core)
JAVA: OpenJDK 1.8.0_242 (IcedTea 3.15.0)
NETTY: 4.1.48
NETTY TCNATIVE: 2.0.31 (openssl-static 1.1.1e)

@hyperxpro
Contributor

Linux hyperxpro 5.3.0-46-generic #38~18.04.1-Ubuntu SMP Tue Mar 31 04:17:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
openjdk version "11.0.6" 2020-01-14 LTS
Netty 4.1.48.Final
Netty-TCNative 2.0.30 (openssl-static 1.1.1f)

@hyperxpro
Contributor

SELinux is disabled btw

@dwservice
Author

I've tried a new configuration, but the warning is still there:

Linux Centos 8 (4.1.18-147.5.1.el8_1)
openjdk version "11.0.6" 2020-01-14 LTS
Netty 4.1.48.Final
Netty-TCNative 2.0.30 (openssl-static 1.1.1f)
SELinux disabled
Linux user not root

Anyway, this warning doesn't seem to cause problems for the application, so I won't worry about it.
Thanks for your help.

@hyperxpro
Contributor

@normanmaurer Can you have a look?

@johnou
Contributor

johnou commented May 12, 2020

@dwservice you probably have /tmp mounted as noexec; try setting java.io.tmpdir to a path your user has permissions for, e.g. java.io.tmpdir=/home/my_user/tmp

@johnou
Contributor

johnou commented May 12, 2020

Netty is supposed to have io.netty.util.internal.NativeLibraryLoader.NoexecVolumeDetector, but it doesn't seem to be doing its job.
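A check for the condition johnou describes, added here as an example; it is not netty's NoexecVolumeDetector and not code from this thread. It parses /proc/mounts, finds the mount that governs a given path and reports whether that mount carries noexec, which is exactly what decides whether a native library unpacked under java.io.tmpdir can be dlopen'ed. The lines in SAMPLE_MOUNTS are constructed for the demo; when run on a Linux host it reads the real /proc/mounts instead.

```python
"""Is the JVM's native-library scratch directory on a noexec mount?

Added example for this thread, not netty code.  SAMPLE_MOUNTS is constructed;
on Linux the live /proc/mounts is used when present.
"""
import os

# Constructed /proc/mounts excerpt: /tmp is a noexec tmpfs, /home is not.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /home ext4 rw,relatime 0 0
"""


def parse_mounts(text):
    """Return {mount_point: set(options)} from /proc/mounts-style text.

    Fields are: device, mount point, fstype, options, dump, pass.
    /proc/mounts escapes a space inside a path as the octal sequence \\040.
    """
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mount_point = parts[1].replace("\\040", " ")
        mounts[mount_point] = set(parts[3].split(","))
    return mounts


def mount_for(path, mounts):
    """Longest mount point that is a prefix of path, i.e. the one that governs it."""
    path = os.path.abspath(path)
    best = "/"
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def is_noexec(path, mounts):
    """True if a file placed under path could not be mapped executable."""
    return "noexec" in mounts.get(mount_for(path, mounts), set())


def pick_tmpdir(candidates, mounts):
    """First candidate directory that is not on a noexec mount, else None."""
    for candidate in candidates:
        if not is_noexec(candidate, mounts):
            return candidate
    return None


if __name__ == "__main__":
    live = open("/proc/mounts").read() if os.path.exists("/proc/mounts") else SAMPLE_MOUNTS
    table = parse_mounts(live)
    # java.io.tmpdir defaults to /tmp on Linux, regardless of $TMPDIR.
    for d in ("/tmp", os.path.expanduser("~/tmp")):
        print(d, "-> noexec" if is_noexec(d, table) else "-> exec allowed")
    print("suggested -Djava.io.tmpdir=", pick_tmpdir(["/tmp", os.path.expanduser("~/tmp")], table))
```

Whatever directory the script suggests is passed to the JVM as `-Djava.io.tmpdir=/that/dir`; the directory must already exist and be writable by the user running Java. A readable but noexec location fails later, at dlopen, with a different error than the fopen EACCES in this thread, which is one way to tell the two problems apart.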

@dwservice
Author

@johnou I've tried it, unfortunately it doesn't solve the problem.

@normanmaurer
Member

Can you provide a Docker image that reproduces this issue, @dwservice?

@dwservice
Author

@normanmaurer here is the Docker image:

https://www.dwservice.net/5ro495x7m4sanytb0y2362vg8r7q1p1c3qwonj7r.dlk (Public Folder / dockerimage.gz)

```
su test
cd /home/test/
./run.sh
```

Thanks

@zouxyan

zouxyan commented May 10, 2024

I ran into the same thing, and it looks like the reason is that the user running the program has no permission to read the directory in which netty-tcnative-openssl-static was built.

If you build netty-tcnative-openssl-static under /root and then run the program as user admin, for example, the permission denied exception comes out.

OpenSSL tries to read some files under /root, and that is where the exception comes from. It looks like it's about the openssldir in the pom. For me it's /root/netty-tcnative-netty-tcnative-parent-2.0.61.Final/openssl-static/target/openssl.

I guess this is where OpenSSL tries to read the file openssl.cnf.

```c
/* Return default config file name */
char *CONF_get1_default_config_file(void)
{
    const char *t;
    char *file;
    size_t size;

    /* An explicit OPENSSL_CONF in the environment overrides the default */
    if ((file = ossl_safe_getenv("OPENSSL_CONF")) != NULL)
        return OPENSSL_strdup(file);

    /* Otherwise the compile-time OPENSSLDIR (the --openssldir of the build) */
    t = X509_get_default_cert_area();
    size = strlen(t) + strlen("/") + strlen(OPENSSL_CONF) + 1;
    file = OPENSSL_malloc(size);

    if (file == NULL)
        return NULL;
    /* OPENSSL_CONF here is the macro "openssl.cnf": <OPENSSLDIR>/openssl.cnf */
    BIO_snprintf(file, size, "%s/%s", t, OPENSSL_CONF);

    return file;
}
```

I don't have the details of how and why the OpenSSL code tries to read /root/netty-tcnative-netty-tcnative-parent-2.0.61.Final/openssl-static/target/openssl/openssl.cnf. Maybe someone can comment on it.

Btw, mine is 2.0.61.Final.

@normanmaurer @dwservice @hyperxpro
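Two checks the thread leaves the reader to do by hand, written up here as an added example; this is not code from netty, netty-tcnative or OpenSSL. The first decodes the packed code in `error:0200100D` the way OpenSSL 1.1.x packs it (library in the top byte, function in the next 12 bits, reason in the low 12 bits; for the system library the reason is the C errno, so 0x00D is EACCES). The second pulls the compile-time OPENSSLDIR out of the native library bundled in the tcnative jar, using the fact that OpenSSL_version(OPENSSL_DIR) embeds the literal `OPENSSLDIR: "<path>"` in the binary, and then tries to open `<OPENSSLDIR>/openssl.cnf` (or whatever OPENSSL_CONF points at) as the current user. The sample .so bytes, the in-memory jar built from them and the /root/build path inside them are constructed placeholders; the SYS_F_* numbers are OpenSSL 1.1.1's err.h values.

```python
"""Diagnostics for the "fopen:Permission denied" warning logged while
netty-tcnative initialises its statically linked OpenSSL.

Added example for this thread, not netty/tcnative/OpenSSL code.  SAMPLE_SO
and the jar built from it are constructed; the OPENSSLDIR path is a placeholder.
"""
import errno
import io
import os
import re
import sys
import zipfile

# OpenSSL 1.1.x: ERR_PACK(lib, func, reason) = lib<<24 | func<<12 | reason.
# For ERR_LIB_SYS (2) the reason is errno, so 0x0200100D -> sys / fopen / EACCES.
ERR_LIB_SYS = 2
SYS_FUNCS = {1: "fopen", 2: "connect", 4: "socket", 6: "bind", 7: "listen",
             8: "accept", 10: "opendir", 11: "fread", 19: "open", 22: "stat"}
ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8})")
# OpenSSL_version(OPENSSL_DIR) returns the literal 'OPENSSLDIR: "<path>"',
# so the configured --openssldir survives in .rodata of the linked library.
OPENSSLDIR_RE = re.compile(rb'OPENSSLDIR: "([^"\x00]+)"')


def decode_openssl_error(code):
    """Split a packed OpenSSL error code into library / function / reason."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    if lib != ERR_LIB_SYS:
        return {"lib": lib, "func": func, "reason": reason, "errno": None}
    return {"lib": "system library",
            "func": SYS_FUNCS.get(func, "sys func %d" % func),
            "reason": os.strerror(reason),
            "errno": errno.errorcode.get(reason)}


def decode_error_from_log(line):
    """Find the hex code in a tcnative/netty log line and decode it."""
    m = ERROR_RE.search(line)
    return decode_openssl_error(int(m.group(1), 16)) if m else None


def find_openssldir(blob):
    """Compile-time OPENSSLDIR baked into a libcrypto image, or None."""
    m = OPENSSLDIR_RE.search(blob)
    return m.group(1).decode() if m else None


def openssldir_from_jar(jar):
    """Scan META-INF/native/*.so inside a netty-tcnative jar (path or file
    object) and return (member name, OPENSSLDIR) for the first hit."""
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/native/") and name.endswith(".so"):
                found = find_openssldir(zf.read(name))
                if found:
                    return name, found
    return None


def config_file_status(openssldir, env=None):
    """What OpenSSL's default config lookup hits for the current user.

    OPENSSL_CONF wins when set, else <OPENSSLDIR>/openssl.cnf.  A file that
    does not exist (ENOENT) is ignored by the config loader, but one the user
    cannot open (EACCES, e.g. below a 0700 /root) is reported, which is why
    the warning shows up only in the non-root run.
    """
    env = os.environ if env is None else env
    path = env.get("OPENSSL_CONF") or os.path.join(openssldir, "openssl.cnf")
    try:
        with open(path, "rb"):
            return path, "readable"
    except FileNotFoundError:
        return path, "absent"
    except PermissionError:
        return path, "EACCES"


# Constructed stand-in for a native library; only the literal matters and the
# path is a placeholder, not a real build location.
SAMPLE_SO = (b"\x7fELF" + b"\x00" * 12
             + b'OPENSSLDIR: "/root/build/openssl-static/target/openssl"\x00'
             + b'ENGINESDIR: "/root/build/openssl-static/target/lib/engines-1.1"\x00')


def build_sample_jar():
    """In-memory jar laid out like netty-tcnative's, containing SAMPLE_SO."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/native/libnetty_tcnative_linux_x86_64.so", SAMPLE_SO)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(decode_error_from_log(
        "Invalid format (error:0200100D:system library:fopen:Permission denied)"))
    jar = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar()
    hit = openssldir_from_jar(jar)
    if hit:
        member, openssldir = hit
        print("%s was built with OPENSSLDIR=%s" % (member, openssldir))
        print("default config lookup: %s -> %s" % config_file_status(openssldir))
    else:
        print("no OPENSSLDIR literal found (stripped, or not a static OpenSSL build?)")
```

Run it as the same non-root user that starts the JVM, passing the tcnative jar as the argument (the jar name is whatever your build produced; the default run uses the constructed sample). If the status line says EACCES, the fix is any of: make the build tree readable to that user, rebuild with an --openssldir the service user can read, or set OPENSSL_CONF in the JVM's environment to a readable (possibly empty) file, which the lookup above honours for an unprivileged, non-setuid process. Note that the warning is harmless only as long as you did not intend to load anything from that openssl.cnf.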
