Test fix for handshake failure in SSLDriverTests in JDK16 (elastic#67337

) This fixes the mismatch test between "TLSv1.3" and "TLSv1.2" when running in JDK16 with `-Dtests.fips.enabled=false` and it otherwise maintains the original mismatch test between "TLSv1.1" and "TLSv1.2". Closes elastic#67324
DaveCTurner · Jan 12, 2021 · 443f882 · 443f882
1 parent 23dccec
commit 443f882
Showing 1 changed file with 22 additions and 8 deletions.
diff --git a/...security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SSLDriverTests.java b/...security/src/test/java/org/elasticsearch/xpack/security/transport/nio/SSLDriverTests.java
@@ -29,6 +29,8 @@
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.function.IntFunction;
 
+import static org.hamcrest.Matchers.is;
+
 public class SSLDriverTests extends ESTestCase {
 
     private final IntFunction<Page> pageAllocator = (n) -> new Page(ByteBuffer.allocate(n), () -> {});
@@ -159,20 +161,32 @@ public void testHandshakeFailureBecauseProtocolMismatch() throws Exception {
         SSLEngine clientEngine = sslContext.createSSLEngine();
         SSLEngine serverEngine = sslContext.createSSLEngine();
 
-        String[] serverProtocols = {"TLSv1.2"};
+        final String[] serverProtocols;
+        final String[] clientProtocols;
+        final String expectedMessage;
+        if (inFipsJvm()) {
+            // fips JSSE does not support TLSv1.3 yet
+            serverProtocols = new String[]{"TLSv1.2"};
+            clientProtocols = new String[]{"TLSv1.1"};
+            expectedMessage = "org.bouncycastle.tls.TlsFatalAlert: protocol_version(70)";
+        } else if (JavaVersion.current().compareTo(JavaVersion.parse("16")) >= 0) {
+            // JDK16 https://jdk.java.net/16/release-notes does not permit protocol TLSv1.1 OOB
+            serverProtocols = new String[]{"TLSv1.3"};
+            clientProtocols = new String[]{"TLSv1.2"};
+            expectedMessage = "The client supported protocol versions [TLSv1.2] are not accepted by server preferences [TLS13]";
+        } else {
+            serverProtocols = new String[]{"TLSv1.2"};
+            clientProtocols = new String[]{"TLSv1.1"};
+            expectedMessage = "The client supported protocol versions [TLSv1.1] are not accepted by server preferences [TLS12]";
+        }
+
         serverEngine.setEnabledProtocols(serverProtocols);
-        String[] clientProtocols = {"TLSv1.1"};
         clientEngine.setEnabledProtocols(clientProtocols);
         SSLDriver clientDriver = getDriver(clientEngine, true);
         SSLDriver serverDriver = getDriver(serverEngine, false);
 
         SSLException sslException = expectThrows(SSLException.class, () -> handshake(clientDriver, serverDriver));
-        String oldExpected = "Client requested protocol TLSv1.1 not enabled or not supported";
-        String jdk11Expected = "The client supported protocol versions [TLSv1.1] are not accepted by server preferences [TLS12]";
-        String bctlsExpected = "org.bouncycastle.tls.TlsFatalAlert: protocol_version(70)";
-        boolean expectedMessage = oldExpected.equals(sslException.getMessage()) || jdk11Expected.equals(sslException.getMessage())
-            || bctlsExpected.equals(sslException.getMessage());
-        assertTrue("Unexpected exception message: " + sslException.getMessage(), expectedMessage);
+        assertThat(sslException.getMessage(), is(expectedMessage));
 
         // Prior to JDK11 we still need to send a close alert
         if (serverDriver.isClosed() == false) {