@jasonkatonica
Contributor

@jasonkatonica jasonkatonica commented Aug 20, 2025

This test fails as follows:

```
Execution failed: `main' threw exception: java.lang.SecurityException:
Property 'jdk.tls.disabledAlgorithms' cannot be set programmatically
when in FIPS mode
```

This test should be excluded accordingly.

Signed-off-by: Jason Katonica <katonica@us.ibm.com>

@keithc-ca
Member

Please add some detail explaining why this particular test should be excluded.

@jasonkatonica
Contributor Author

This test fails as follows:

```
Execution failed: `main' threw exception: java.lang.SecurityException: Property 'jdk.tls.disabledAlgorithms' cannot be set programmatically when in FIPS mode
```

There are numerous tests failing with this message since we intentionally disable setting of these properties programmatically when in various FIPS modes.

@jasonkatonica jasonkatonica force-pushed the katonica/issue/fipsexcludes branch 2 times, most recently from 43fcf1c to 0bad8f1 Compare August 20, 2025 17:30
@keithc-ca keithc-ca self-requested a review August 20, 2025 19:17
@keithc-ca
Member

Could we not just exclude the two subtests that try to modify jdk.tls.disabledAlgorithms?

        if ("TLSv1".equals(protocol) || "TLSv1.1".equals(protocol)) {
            SecurityUtils.removeFromDisabledTlsAlgs(protocol);
        }

@jasonkatonica
Contributor Author

> Could we not just exclude the two subtests that try to modify jdk.tls.disabledAlgorithms?

In the long run we do want to modify the TLS tests in a more comprehensive way, similar to what you are suggesting. Today very, very few of the TLS tests are running, including this one. We are still talking about reviving this effort to finish PR #891 and enable as many tests as possible; however, it is a bigger-sized effort to get the tests working correctly.

Chances are, even if we change the code just for this one test, the crypto in the test will cause a failure when running in FIPS mode.

@keithc-ca
Member

I wasn't proposing any test code changes; I was just suggesting that rather than exclude all four subtests, we only exclude the two that fail; that is

sun/security/ssl/SSLSocketImpl/SetClientMode.java#TLSv1 https://github.com/eclipse-openj9/openj9/issues/20978 generic-all
sun/security/ssl/SSLSocketImpl/SetClientMode.java#TLSv1.1 https://github.com/eclipse-openj9/openj9/issues/20978 generic-all

instead of

sun/security/ssl/SSLSocketImpl/SetClientMode.java https://github.com/eclipse-openj9/openj9/issues/20978 generic-all

If you know that the other two subtests fail, please describe the problem they encounter.

@jasonkatonica
Contributor Author

When this runs in the test buckets such as extended.openjdk it appears to exit after running just the TLSv1 variation. This is failing in an early Java 25 test run and other releases such as https://hyc-runtimes-jenkins.swg-devops.com/job/Test_openjdk25_j9_extended.openjdk_aarch64_mac_fips140_3_openjceplusfips.fips140-3/1/consoleFull

Which has the relevant test failure like:

```
...
...
14:31:33  command: main SetClientMode TLSv1
14:31:33  reason: User specified action: run main/othervm SetClientMode TLSv1
14:31:33  started: Sat Aug 16 11:31:30 PDT 2025
14:31:33  Mode: othervm [/othervm specified]
14:31:33  Process id: 10677
14:31:33  finished: Sat Aug 16 11:31:33 PDT 2025
14:31:33  elapsed time (seconds): 2.911
14:31:33  configuration:
14:31:33  STDOUT:
14:31:33  STDERR:
14:31:33  java.lang.SecurityException: Property 'jdk.tls.disabledAlgorithms' cannot be set programmatically when in FIPS mode
14:31:33  	at java.base/openj9.internal.security.RestrictedSecurity.checkSetSecurityProperty(RestrictedSecurity.java:451)
14:31:33  	at java.base/java.security.Security.setProperty(Security.java:856)
14:31:33  	at jdk.test.lib.security.SecurityUtils.removeFromDisabledAlgs(SecurityUtils.java:124)
14:31:33  	at jdk.test.lib.security.SecurityUtils.removeFromDisabledTlsAlgs(SecurityUtils.java:107)
14:31:33  	at SetClientMode.main(SetClientMode.java:68)
14:31:33  	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
14:31:33  	at java.base/java.lang.reflect.Method.invoke(Method.java:571)
14:31:33  	at com.sun.javatest.regtest.agent.MainWrapper$MainTask.run(MainWrapper.java:138)
14:31:33  	at java.base/java.lang.Thread.run(Thread.java:1485)
14:31:33
14:31:33  JavaTest Message: Test threw exception: java.lang.SecurityException: Property 'jdk.tls.disabledAlgorithms' cannot be set programmatically when in FIPS mode
14:31:33  JavaTest Message: shutting down test
14:31:33
14:31:33  STATUS:Failed.`main' threw exception: java.lang.SecurityException: Property 'jdk.tls.disabledAlgorithms' cannot be set programmatically when in FIPS mode
14:31:33  rerun:
...
...
```

I don't see any of the other subtests attempting to run once it hits this issue to see if they pass or fail. Maybe subtests can be run somehow that I am not aware of.

@keithc-ca
Member

Did you run that test in the context of my suggestion? If not, it's conceivable that the framework stops at the first subtest failure.
My preference is to exclude two (sub)tests instead of four.

@jasonkatonica
Contributor Author

I gave this a try today with Java 21 using this Jenkins job. This run made use of this set of exclude changes. Note that this uses the # notation to try to be more precise with the exclusions as suggested. From the logs it seems like it attempts to execute the first single (sub)test, then the framework stops. It does not seem to proceed to run the others when searching through the log messages. I only see this one subtest TLSv1 failing twice in the log:

```
[2025-08-21T20:32:30.931Z] command: main SetClientMode TLSv1
[2025-08-21T20:32:30.931Z] reason: User specified action: run main/othervm SetClientMode TLSv1
[2025-08-21T20:32:30.931Z] started: Thu Aug 21 13:32:27 PDT 2025
[2025-08-21T20:32:30.931Z] Mode: othervm [/othervm specified]
[2025-08-21T20:32:30.931Z] finished: Thu Aug 21 13:32:28 PDT 2025
[2025-08-21T20:32:30.931Z] elapsed time (seconds): 0.749
[2025-08-21T20:32:30.931Z] configuration:
[2025-08-21T20:32:30.931Z] STDOUT:
[2025-08-21T20:32:30.931Z] STDERR:
[2025-08-21T20:32:30.931Z] java.lang.SecurityException: Property 'jdk.tls.disabledAlgorithms' cannot be set programmatically when in FIPS mode
[2025-08-21T20:32:30.931Z] 	at java.base/openj9.internal.security.RestrictedSecurity.checkSetSecurityProperty(RestrictedSecurity.java:473)
[2025-08-21T20:32:30.931Z] 	at java.base/java.security.Security.setProperty(Security.java:798)
[2025-08-21T20:32:30.931Z] 	at jdk.test.lib.security.SecurityUtils.removeFromDisabledAlgs(SecurityUtils.java:120)
[2025-08-21T20:32:30.931Z] 	at jdk.test.lib.security.SecurityUtils.removeFromDisabledTlsAlgs(SecurityUtils.java:103)
[2025-08-21T20:32:30.931Z] 	at SetClientMode.main(SetClientMode.java:68)
[2025-08-21T20:32:30.931Z] 	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
[2025-08-21T20:32:30.931Z] 	at java.base/java.lang.reflect.Method.invoke(Method.java:586)
[2025-08-21T20:32:30.931Z] 	at com.sun.javatest.regtest.agent.MainWrapper$MainTask.run(MainWrapper.java:138)
[2025-08-21T20:32:30.931Z] 	at java.base/java.lang.Thread.run(Thread.java:1595)
[2025-08-21T20:32:30.931Z]
[2025-08-21T20:32:30.931Z] JavaTest Message: Test threw exception: java.lang.SecurityException: Property 'jdk.tls.disabledAlgorithms' cannot be set programmatically when in FIPS mode
[2025-08-21T20:32:30.931Z] JavaTest Message: shutting down test
[2025-08-21T20:32:30.931Z]
[2025-08-21T20:32:30.931Z] STATUS:Failed.`main' threw exception: java.lang.SecurityException: Property 'jdk.tls.disabledAlgorithms' cannot be set programmatically when in FIPS mode
```

and

```
[2025-08-21T20:49:35.196Z] command: main SetClientMode TLSv1
[2025-08-21T20:49:35.196Z] reason: User specified action: run main/othervm SetClientMode TLSv1
[2025-08-21T20:49:35.196Z] started: Thu Aug 21 13:49:31 PDT 2025
[2025-08-21T20:49:35.196Z] Mode: othervm [/othervm specified]
[2025-08-21T20:49:35.196Z] finished: Thu Aug 21 13:49:31 PDT 2025
[2025-08-21T20:49:35.196Z] elapsed time (seconds): 0.493
[2025-08-21T20:49:35.196Z] configuration:
[2025-08-21T20:49:35.196Z] STDOUT:
[2025-08-21T20:49:35.196Z] STDERR:
[2025-08-21T20:49:35.196Z] java.lang.SecurityException: Property 'jdk.tls.disabledAlgorithms' cannot be set programmatically when in FIPS mode
[2025-08-21T20:49:35.196Z] 	at java.base/openj9.internal.security.RestrictedSecurity.checkSetSecurityProperty(RestrictedSecurity.java:473)
[2025-08-21T20:49:35.196Z] 	at java.base/java.security.Security.setProperty(Security.java:798)
[2025-08-21T20:49:35.196Z] 	at jdk.test.lib.security.SecurityUtils.removeFromDisabledAlgs(SecurityUtils.java:120)
[2025-08-21T20:49:35.196Z] 	at jdk.test.lib.security.SecurityUtils.removeFromDisabledTlsAlgs(SecurityUtils.java:103)
[2025-08-21T20:49:35.196Z] 	at SetClientMode.main(SetClientMode.java:68)
[2025-08-21T20:49:35.196Z] 	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
[2025-08-21T20:49:35.196Z] 	at java.base/java.lang.reflect.Method.invoke(Method.java:586)
[2025-08-21T20:49:35.196Z] 	at com.sun.javatest.regtest.agent.MainWrapper$MainTask.run(MainWrapper.java:138)
[2025-08-21T20:49:35.196Z] 	at java.base/java.lang.Thread.run(Thread.java:1595)
```
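
An added example, not part of the thread or of the project's code: a log triage script for the question raised above of which subtests the framework actually attempted. It groups the jtreg `command:` records in a Jenkins console log by test and arguments and records how each run ended. The sample log is constructed from lines quoted in this thread, and `OtherTest` is a hypothetical test name.

```python
import re

# Jenkins prefixes console lines with "HH:MM:SS" or "[ISO-8601 timestamp]".
PREFIX = re.compile(r"^(?:\[\d{4}-\d{2}-\d{2}T[\d:.]+Z\]|\d{2}:\d{2}:\d{2})\s+")
COMMAND = re.compile(r"^command: main (\S+)(?: (.*))?$")
STATUS = re.compile(r"^STATUS:(Passed|Failed)\.")
FIPS_BLOCK = "cannot be set programmatically when in FIPS mode"

# Constructed sample: lines copied from the thread plus one hypothetical passing test.
SAMPLE_LOG = """\
14:31:33  command: main SetClientMode TLSv1
14:31:33  STDERR:
14:31:33  java.lang.SecurityException: Property 'jdk.tls.disabledAlgorithms' cannot be set programmatically when in FIPS mode
14:31:33  STATUS:Failed.`main' threw exception: java.lang.SecurityException: Property 'jdk.tls.disabledAlgorithms' cannot be set programmatically when in FIPS mode
[2025-08-21T20:49:35.196Z] command: main SetClientMode TLSv1
[2025-08-21T20:49:35.196Z] java.lang.SecurityException: Property 'jdk.tls.disabledAlgorithms' cannot be set programmatically when in FIPS mode
[2025-08-21T20:50:01.000Z] command: main OtherTest
[2025-08-21T20:50:02.000Z] STATUS:Passed.
"""

def summarize(log_text):
    """Map (test class, arguments) to the list of outcomes seen, one per run."""
    runs, current = {}, None
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw).rstrip()
        started = COMMAND.match(line)
        if started:
            current = (started.group(1), (started.group(2) or "").strip())
            runs.setdefault(current, []).append("no status seen")
            continue
        if current is None:
            continue
        # The FIPS restriction is more specific than a bare "failed", so it wins.
        if FIPS_BLOCK in line and runs[current][-1] == "no status seen":
            runs[current][-1] = "blocked: FIPS property check"
        ended = STATUS.match(line)
        if ended:
            if runs[current][-1] == "no status seen":
                runs[current][-1] = ended.group(1).lower()
            current = None  # this record is closed; wait for the next command line
    return runs

if __name__ == "__main__":
    for (test, args), outcomes in summarize(SAMPLE_LOG).items():
        print(f"{test} {args}".strip(), "->", outcomes)
```

A subtest that never appears as a key was not attempted at all in that log, which is the distinction the exclusion experiments above depend on.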

@keithc-ca
Member

With this in the problem list:

sun/security/ssl/SSLSocketImpl/SetClientMode.java#TLSv1 https://github.com/eclipse-openj9/openj9/issues/20978 generic-all
sun/security/ssl/SSLSocketImpl/SetClientMode.java#TLSv1.1 https://github.com/eclipse-openj9/openj9/issues/20978 generic-all

I would not expect to even attempt running SetClientMode TLSv1.

The changes you reference (ibmruntimes/openj9-openjdk-jdk21@openj9...jasonkatonica:openj9-openjdk-jdk21:katonica/issue/fipsexcludes) are for jdk21 which will have no bearing on this repository.

@jasonkatonica
Contributor Author

jasonkatonica commented Aug 21, 2025

Correct, I am only running this there since Java 21 is more stable than building JDKs and running tests / builds on next. The same framework for test execution should be in place there.

@keithc-ca
Member

Perhaps the exclusion SetClientMode.java#TLSv1 is not working because that has no id=TLSv1 annotation. I think that means we can only exclude the whole class. Sorry for the diversion.

@jasonkatonica
Contributor Author

> Perhaps the exclusion SetClientMode.java#TLSv1 is not working because that has no id=TLSv1 annotation.

Do you happen to have an example in a test that uses an id= syntax? It would be good to try to notice these in the future if possible.

@keithc-ca
Member

keithc-ca commented Aug 22, 2025

Perhaps we can use id0 and id1 like ProblemList-FIPS140_3_OpenJCEPlusFIPS.FIPS140-3.txt does even though SecureValidation.java has no id= tags.

@jasonkatonica
Contributor Author

> Perhaps we can use id0 and id11 like ProblemList-FIPS140_3_OpenJCEPlusFIPS.FIPS140-3.txt does even though SecureValidation.java has no id= tags.

I can try this. I'd assume that TLSv1 is treated as id 0 and TLSv1.1 is treated as 1 if the order in which they are declared in the comment for the test is honored that way...

@keithc-ca
Member

This seems to be confirmed by the jtreg FAQ.

@jasonkatonica
Contributor Author

I gave this a try using the syntax #id0, #id1 as can be seen here by running this Jenkins job and did not have too much luck getting it to exclude just two subtests. I also tried #id=0 and #id=1, and this too did not honor the id.

@keithc-ca
Member

Ok, we tried. I guess for now we can just exclude the whole class.

@keithc-ca
Member

Please rebase to avoid implicit merges (e.g. with #1073).

This test fails as follows :

```
Execution failed: `main' threw exception: java.lang.SecurityException:
Property 'jdk.tls.disabledAlgorithms' cannot be set programmatically
when in FIPS mode
```

This test should be excluded accordingly.

Signed-off-by: Jason Katonica <katonica@us.ibm.com>
@jasonkatonica jasonkatonica force-pushed the katonica/issue/fipsexcludes branch from 0bad8f1 to 08e3d31 Compare September 2, 2025 15:43
@jasonkatonica
Contributor Author

Rebased this PR

@keithc-ca keithc-ca merged commit 3a1169c into ibmruntimes:openj9 Sep 2, 2025
2 checks passed