ssl-tests-gnutls-client.sh tries to use unsupported RSA ciphers on x86_64 Alpine Linux #39
Description
Summary
ssl-tests-gnutls-client.sh fails when it is run against JDK8 on Alpine x86_64 Linux at the Adoptium project.
Test URL
https://ci.adoptium.net/job/Test_openjdk8_hs_dev.functional_x86-64_alpine-linux/46/consoleFull
Error messages
FAILED: SunJSSE/TLSv1.2: TLSv1.2 + TLS_RSA_WITH_AES_256_GCM_SHA384
FAILED: SunJSSE/TLSv1.2: TLSv1.2 + TLS_RSA_WITH_AES_128_GCM_SHA256
IGNORED: SunJSSE/TLSv1.2: TLSv1.2 + TLS_RSA_WITH_AES_256_CBC_SHA256
IGNORED: SunJSSE/TLSv1.2: TLSv1.2 + TLS_RSA_WITH_AES_128_CBC_SHA256
FAILED: SunJSSE/TLSv1.2: TLSv1.2 + TLS_RSA_WITH_AES_256_CBC_SHA
FAILED: SunJSSE/TLSv1.2: TLSv1.2 + TLS_RSA_WITH_AES_128_CBC_SHA
And, later in the test:
stderr: *** Fatal error: The encryption algorithm is not supported.
Full test output
ssl-tests-gnutls-client.jtr.txt
Analysis
The TLS_RSA cipher suites are the only suites that appear affected by this issue.
We only see this problem on Alpine because other versions of Linux don't appear to run the gnutls tests, and JDK11+ does not use TLS_RSA ciphers.
The reason TLS_RSA ciphers are not tested for JDK11+ is almost certainly related to those ciphers' exclusions as documented here: https://bugs.openjdk.org/browse/JDK-8245545
For JDK8, this type of wildcard exclusion doesn't appear to be possible yet. PR 763 has been raised to add this functionality, after which the stated plan is to then backport JDK-8245545.
Keep in mind that the openssl-client doesn't appear to have any problems using the affected ciphers on JDK8 Alpine.
In short, gnutls seems to have problems using the TLS_RSA ciphers, though this issue may not be relevant for long as the aforementioned planned JDK8 change may remove the need to accommodate TLS_RSA altogether.