
Commit e6134d9

committed
IGNITE-28444: Fix SSL cipher tests for current JDK defaults
1 parent 2ae5bab commit e6134d9

1 file changed

Lines changed: 101 additions & 36 deletions


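--- a/modules/clients/src/test/java/org/apache/ignite/jdbc/thin/JdbcThinConnectionSSLTest.java
+++ b/modules/clients/src/test/java/org/apache/ignite/jdbc/thin/JdbcThinConnectionSSLTest.java
@@ -23,6 +23,9 @@
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
+import java.util.Arrays;
+import java.util.LinkedHashSet;
+import java.util.Set;
 import java.util.concurrent.Callable;
 import javax.cache.configuration.Factory;
 import javax.net.ssl.SSLContext;
@@ -33,6 +36,7 @@
 import org.apache.ignite.internal.util.typedef.internal.U;
 import org.apache.ignite.ssl.SslContextFactory;
 import org.apache.ignite.testframework.GridTestUtils;
+import org.junit.Assume;
 import org.junit.Test;
 
 /**
@@ -96,6 +100,54 @@ public class JdbcThinConnectionSSLTest extends JdbcThinAbstractSelfTest {
 return cfg;
 }
 
+/**
+* @return One of default cipher suites for the current JDK.
+* @throws NoSuchAlgorithmException If failed.
+*/
+private static String defaultCipher() throws NoSuchAlgorithmException {
+String[] dflt = SSLContext.getDefault().getSocketFactory().getDefaultCipherSuites();
+
+assertTrue("No default cipher suites available", dflt.length > 0);
+
+return dflt[0];
+}
+
+/**
+* @param exclude Cipher to exclude.
+* @return Another default cipher suite for the current JDK.
+* @throws NoSuchAlgorithmException If failed.
+*/
+private static String anotherDefaultCipher(String exclude) throws NoSuchAlgorithmException {
+String[] dflt = SSLContext.getDefault().getSocketFactory().getDefaultCipherSuites();
+
+for (String cipher : dflt) {
+if (!cipher.equals(exclude))
+return cipher;
+}
+
+fail("No alternative default cipher suite found");
+
+return null;
+}
+
+/**
+* @return Supported cipher suite that is not enabled by default, or {@code null} if none found.
+* @throws NoSuchAlgorithmException If failed.
+*/
+private static String supportedButNonDefaultCipherOrNull() throws NoSuchAlgorithmException {
+SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
+
+Set<String> supported = new LinkedHashSet<>(Arrays.asList(factory.getSupportedCipherSuites()));
+Set<String> dflt = new LinkedHashSet<>(Arrays.asList(factory.getDefaultCipherSuites()));
+
+for (String cipher : supported) {
+if (!dflt.contains(cipher))
+return cipher;
+}
+
+return null;
+}
+
 /**
 * @throws Exception If failed.
 */
@@ -232,10 +284,13 @@ public void testCustomCiphersOnClient() throws Exception {
 setSslCtxFactoryToCli = true;
 sslCtxFactory = getTestSslContextFactory();
 
+String cipher1 = defaultCipher();
+String cipher2 = anotherDefaultCipher(cipher1);
+
 startGrids(1);
 
 try {
-// Default ciphers
+// Default ciphers.
 try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
 "&sslClientCertificateKeyStorePassword=123456" +
@@ -244,9 +299,9 @@ public void testCustomCiphersOnClient() throws Exception {
 checkConnection(conn);
 }
 
-// Explicit cipher (one of defaults).
+// Explicit cipher.
 try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-"&sslCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256" +
+"&sslCipherSuites=" + cipher1 +
 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
 "&sslClientCertificateKeyStorePassword=123456" +
 "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
@@ -256,7 +311,7 @@ public void testCustomCiphersOnClient() throws Exception {
 
 // Explicit ciphers.
 try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-"&sslCipherSuites=TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256" +
+"&sslCipherSuites=" + cipher2 + "," + cipher1 +
 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
 "&sslClientCertificateKeyStorePassword=123456" +
 "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
@@ -275,7 +330,11 @@ public void testCustomCiphersOnClient() throws Exception {
 @Test
 public void testCustomCiphersOnServer() throws Exception {
 setSslCtxFactoryToCli = true;
-supportedCiphers = new String[] {"TLS_RSA_WITH_AES_256_CBC_SHA256" /* Enabled by default */};
+
+String cipher1 = defaultCipher();
+String cipher2 = anotherDefaultCipher(cipher1);
+
+supportedCiphers = new String[] {cipher1};
 sslCtxFactory = getTestSslContextFactory();
 
 startGrids(1);
@@ -292,27 +351,28 @@ public void testCustomCiphersOnServer() throws Exception {
 
 // Explicit cipher.
 try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-"&sslCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256" +
+"&sslCipherSuites=" + cipher1 +
 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
 "&sslClientCertificateKeyStorePassword=123456" +
 "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
 "&sslTrustCertificateKeyStorePassword=123456")) {
 checkConnection(conn);
 }
 
-// Disabled by default cipher.
-GridTestUtils.assertThrows(log, () -> {
-return DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-"&sslCipherSuites=TLS_RSA_WITH_NULL_SHA256" +
+// Explicit cipher not supported by server.
+GridTestUtils.assertThrows(log, () ->
+DriverManager.getConnection(
+"jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
+"&sslCipherSuites=" + cipher2 +
 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
 "&sslClientCertificateKeyStorePassword=123456" +
 "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
-"&sslTrustCertificateKeyStorePassword=123456");
-}, SQLException.class, "Failed to SSL connect to server");
+"&sslTrustCertificateKeyStorePassword=123456"
+), SQLException.class, "Failed to SSL connect to server");
 
 // Explicit ciphers.
 try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-"&sslCipherSuites=TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256" +
+"&sslCipherSuites=" + cipher2 + "," + cipher1 +
 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
 "&sslClientCertificateKeyStorePassword=123456" +
 "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
@@ -333,15 +393,20 @@ public void testCustomCiphersOnServer() throws Exception {
 */
 @Test
 public void testDisabledCustomCipher() throws Exception {
+String nonDfltCipher = supportedButNonDefaultCipherOrNull();
+
+Assume.assumeNotNull(nonDfltCipher);
+
 setSslCtxFactoryToCli = true;
-supportedCiphers = new String[] {"TLS_RSA_WITH_NULL_SHA256" /* Disabled by default */};
+supportedCiphers = new String[] {nonDfltCipher};
 sslCtxFactory = getTestSslContextFactory();
 
 startGrids(1);
+
 try {
-// Explicit supported ciphers.
+// Explicit supported cipher.
 try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-"&sslCipherSuites=TLS_RSA_WITH_NULL_SHA256" +
+"&sslCipherSuites=" + nonDfltCipher +
 "&sslTrustAll=true" +
 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
 "&sslClientCertificateKeyStorePassword=123456" +
@@ -351,13 +416,13 @@ public void testDisabledCustomCipher() throws Exception {
 }
 
 // Default ciphers.
-GridTestUtils.assertThrows(log, () -> {
-return DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
+GridTestUtils.assertThrows(log, () -> DriverManager.getConnection(
+"jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
 "&sslClientCertificateKeyStorePassword=123456" +
 "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
-"&sslTrustCertificateKeyStorePassword=123456");
-}, SQLException.class, "Failed to SSL connect to server");
+"&sslTrustCertificateKeyStorePassword=123456"
+), SQLException.class, "Failed to SSL connect to server");
 }
 finally {
 stopAllGrids();
@@ -372,28 +437,29 @@ public void testDisabledCustomCipher() throws Exception {
 */
 @Test
 public void testUnsupportedCustomCipher() throws Exception {
+String nonDfltCipher = supportedButNonDefaultCipherOrNull();
+
+Assume.assumeNotNull(nonDfltCipher);
+
 setSslCtxFactoryToCli = true;
-supportedCiphers = new String[] {
-"TLS_RSA_WITH_NULL_SHA256" /* Disabled by default */,
-"TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" /* With disabled protocol*/};
+supportedCiphers = new String[] {nonDfltCipher, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA"};
 sslCtxFactory = getTestSslContextFactory();
 
 startGrids(1);
+
 try {
-// Enabled ciphers with unsupported algorithm can't be negotiated.
-GridTestUtils.assertThrows(log, () -> {
-return DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-"&sslCipherSuites=TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" +
-"&sslTrustAll=true" +
+// Unsupported cipher can't be negotiated.
+GridTestUtils.assertThrows(log, () -> DriverManager.getConnection(
+"jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
 "&sslClientCertificateKeyStorePassword=123456" +
 "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
-"&sslTrustCertificateKeyStorePassword=123456");
-}, SQLException.class, "Failed to SSL connect to server");
+"&sslTrustCertificateKeyStorePassword=123456"
+), SQLException.class, "Failed to SSL connect to server");
 
 // Supported cipher.
 try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-"&sslCipherSuites=TLS_RSA_WITH_NULL_SHA256" +
+"&sslCipherSuites=" + nonDfltCipher +
 "&sslTrustAll=true" +
 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
 "&sslClientCertificateKeyStorePassword=123456" +
@@ -403,14 +469,13 @@ public void testUnsupportedCustomCipher() throws Exception {
 }
 
 // Default ciphers.
-GridTestUtils.assertThrows(log, () -> {
-return DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
+GridTestUtils.assertThrows(log, () -> DriverManager.getConnection(
+"jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
 "&sslClientCertificateKeyStorePassword=123456" +
 "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
-"&sslTrustCertificateKeyStorePassword=123456");
-}, SQLException.class, "Failed to SSL connect to server");
-
+"&sslTrustCertificateKeyStorePassword=123456"
+), SQLException.class, "Failed to SSL connect to server");
 }
 finally {
 stopAllGrids();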
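Review bot: In `testUnsupportedCustomCipher` the first `assertThrows`, under `// Unsupported cipher can't be negotiated.`, no longer sets `sslCipherSuites`, so its URL is the same as the `// Default ciphers.` check at the end of the test and the client never requests the unsupported suite. Put the request back after the `sslMode=require` line, `"&sslCipherSuites=TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" +` followed by `"&sslTrustAll=true" +`, or drop the duplicated block. Separately, `defaultCipher()` returns `dflt[0]` without checking that the suite can be negotiated with the test keystores, whose key type is not visible here; if a JDK lists first a suite needing a different certificate type, the positive connections would fail for a reason unrelated to what the test checks. `Assume.assumeNotNull(nonDfltCipher)` also skips both non-default-cipher tests when the JDK enables every supported suite, which is worth stating in the Javadoc of `supportedButNonDefaultCipherOrNull()`.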
