IGNITE-28444: Make JDBC thin SSL cipher tests JDK-aware

animovscw · animovscw · commit ca7d8ad2fc26 · 2026-04-07T17:04:21.000+07:00
diff --git a/modules/clients/src/test/java/org/apache/ignite/jdbc/thin/JdbcThinConnectionSSLTest.java b/modules/clients/src/test/java/org/apache/ignite/jdbc/thin/JdbcThinConnectionSSLTest.java
@@ -55,9 +55,6 @@ public class JdbcThinConnectionSSLTest extends JdbcThinAbstractSelfTest {
     /** Enabled cipher. */
     private static final String ENABLED_CIPHER = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
 
-    /** Disabled-by-default cipher. */
-    private static final String DISABLED_BY_DEFAULT_CIPHER = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256";
-
     /** Unsupported cipher. */
     private static final String UNSUPPORTED_CIPHER = "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA";
 
@@ -73,12 +70,16 @@ public class JdbcThinConnectionSSLTest extends JdbcThinAbstractSelfTest {
     /** Supported ciphers. */
     private static String[] supportedCiphers;
 
+    /** Supported cipher that is not enabled by default on the current JDK. */
+    private static String disabledByDefaultCipher;
+
     /** {@inheritDoc} */
     @Override protected void beforeTest() throws Exception {
         setSslCtxFactoryToCli = false;
         setSslCtxFactoryToIgnite = false;
         supportedCiphers = null;
         sslCtxFactory = null;
+        disabledByDefaultCipher = null;
     }
 
     /** {@inheritDoc} */
@@ -105,6 +106,42 @@ public class JdbcThinConnectionSSLTest extends JdbcThinAbstractSelfTest {
         return cfg;
     }
 
+    /**
+     * @return Supported RSA cipher suite that is not enabled by default on the current JDK.
+     * @throws NoSuchAlgorithmException If failed.
+     */
+    private static String disabledByDefaultCipher() throws NoSuchAlgorithmException {
+        if (disabledByDefaultCipher != null)
+            return disabledByDefaultCipher;
+
+        SSLContext ctx = SSLContext.getDefault();
+
+        SSLSocketFactory factory = ctx.getSocketFactory();
+
+        java.util.Set<String> supported = new java.util.HashSet<>();
+        java.util.Collections.addAll(supported, factory.getSupportedCipherSuites());
+
+        java.util.Set<String> enabled = new java.util.HashSet<>();
+        java.util.Collections.addAll(enabled, factory.getDefaultCipherSuites());
+
+        for (String cipher : supported) {
+            if (enabled.contains(cipher))
+                continue;
+
+            if (!cipher.contains("_RSA_"))
+                continue;
+
+            if (cipher.contains("_anon_") || cipher.contains("_NULL_") || cipher.contains("_ECDSA_"))
+                continue;
+
+            disabledByDefaultCipher = cipher;
+
+            return cipher;
+        }
+
+        throw new IllegalStateException("No supported non-default RSA cipher suite found for the current JDK");
+    }
+
     /**
      * @throws Exception If failed.
      */
@@ -265,7 +302,7 @@ public void testCustomCiphersOnClient() throws Exception {
 
             // Explicit ciphers.
             try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-                "&sslCipherSuites=" + DISABLED_BY_DEFAULT_CIPHER + "," + ENABLED_CIPHER +
+                "&sslCipherSuites=" + disabledByDefaultCipher() + "," + ENABLED_CIPHER +
                 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
                 "&sslClientCertificateKeyStorePassword=123456" +
                 "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
@@ -284,7 +321,7 @@ public void testCustomCiphersOnClient() throws Exception {
     @Test
     public void testCustomCiphersOnServer() throws Exception {
         setSslCtxFactoryToCli = true;
-        supportedCiphers = new String[] {ENABLED_CIPHER /* Enabled by default */};
+        supportedCiphers = new String[] {ENABLED_CIPHER};
         sslCtxFactory = getTestSslContextFactory();
 
         startGrids(1);
@@ -312,7 +349,7 @@ public void testCustomCiphersOnServer() throws Exception {
             // Disabled by default cipher.
             GridTestUtils.assertThrows(log, () -> {
                 return DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-                    "&sslCipherSuites=" + DISABLED_BY_DEFAULT_CIPHER +
+                    "&sslCipherSuites=" + disabledByDefaultCipher() +
                     "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
                     "&sslClientCertificateKeyStorePassword=123456" +
                     "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
@@ -321,7 +358,7 @@ public void testCustomCiphersOnServer() throws Exception {
 
             // Explicit ciphers.
             try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-                "&sslCipherSuites=" + DISABLED_BY_DEFAULT_CIPHER + "," + ENABLED_CIPHER +
+                "&sslCipherSuites=" + disabledByDefaultCipher() + "," + ENABLED_CIPHER +
                 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
                 "&sslClientCertificateKeyStorePassword=123456" +
                 "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
@@ -340,15 +377,15 @@ public void testCustomCiphersOnServer() throws Exception {
     @Test
     public void testDisabledCustomCipher() throws Exception {
         setSslCtxFactoryToCli = true;
-        supportedCiphers = new String[] {DISABLED_BY_DEFAULT_CIPHER /* Disabled by default */};
+        supportedCiphers = new String[] {disabledByDefaultCipher()};
         sslCtxFactory = getTestSslContextFactory();
 
         startGrids(1);
 
         try {
             // Explicit supported ciphers.
             try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-                "&sslCipherSuites=" + DISABLED_BY_DEFAULT_CIPHER +
+                "&sslCipherSuites=" + disabledByDefaultCipher() +
                 "&sslTrustAll=true" +
                 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
                 "&sslClientCertificateKeyStorePassword=123456" +
@@ -378,8 +415,8 @@ public void testDisabledCustomCipher() throws Exception {
     public void testUnsupportedCustomCipher() throws Exception {
         setSslCtxFactoryToCli = true;
         supportedCiphers = new String[] {
-            DISABLED_BY_DEFAULT_CIPHER /* Disabled by default */,
-            UNSUPPORTED_CIPHER /* With disabled protocol/algorithm */
+            disabledByDefaultCipher(),
+            UNSUPPORTED_CIPHER
         };
         sslCtxFactory = getTestSslContextFactory();
 
@@ -399,7 +436,7 @@ public void testUnsupportedCustomCipher() throws Exception {
 
             // Supported cipher.
             try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-                "&sslCipherSuites=" + DISABLED_BY_DEFAULT_CIPHER +
+                "&sslCipherSuites=" + disabledByDefaultCipher() +
                 "&sslTrustAll=true" +
                 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
                 "&sslClientCertificateKeyStorePassword=123456" +
@@ -416,7 +453,6 @@ public void testUnsupportedCustomCipher() throws Exception {
                     "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
                     "&sslTrustCertificateKeyStorePassword=123456");
             }, SQLException.class, "Failed to SSL connect to server");
-
         }
         finally {
             stopAllGrids();
