Issue #2711 - TLS 1.3 compliance.

WIP. First full build achieved with JDK 11+28. Signed-off-by: Simone Bordet <[email protected]>
jetty · Aug 24, 2018 · f51c205 · f51c205
1 parent d26e196
commit f51c205
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 35 deletions.
diff --git a/jetty-client/src/test/java/org/eclipse/jetty/client/ssl/NeedWantClientAuthTest.java b/jetty-client/src/test/java/org/eclipse/jetty/client/ssl/NeedWantClientAuthTest.java
@@ -96,9 +96,7 @@ public void dispose() throws Exception
     @Test
     public void testWantClientAuthWithoutAuth() throws Exception
     {
-        SslContextFactory serverSSL = new SslContextFactory();
-        serverSSL.setKeyStorePath("src/test/resources/keystore.jks");
-        serverSSL.setKeyStorePassword("storepwd");
+        SslContextFactory serverSSL = createSslContextFactory();
         serverSSL.setWantClientAuth(true);
         startServer(serverSSL, new EmptyServerHandler());
 
@@ -115,9 +113,7 @@ public void testWantClientAuthWithoutAuth() throws Exception
     @Test
     public void testWantClientAuthWithAuth() throws Exception
     {
-        SslContextFactory serverSSL = new SslContextFactory();
-        serverSSL.setKeyStorePath("src/test/resources/keystore.jks");
-        serverSSL.setKeyStorePassword("storepwd");
+        SslContextFactory serverSSL = createSslContextFactory();
         serverSSL.setWantClientAuth(true);
         startServer(serverSSL, new EmptyServerHandler());
         CountDownLatch handshakeLatch = new CountDownLatch(1);
@@ -157,9 +153,14 @@ public void handshakeSucceeded(Event event)
     @Test
     public void testNeedClientAuthWithoutAuth() throws Exception
     {
-        SslContextFactory serverSSL = new SslContextFactory();
-        serverSSL.setKeyStorePath("src/test/resources/keystore.jks");
-        serverSSL.setKeyStorePassword("storepwd");
+        // In TLS 1.2, the TLS handshake on the client finishes after the TLS handshake on the server.
+        // The server detects the lack of the client certificate, fails its TLS handshake and sends
+        // bad_certificate to the client, which then fails its own TLS handshake.
+        // In TLS 1.3, the TLS handshake on the client finishes before the TLS handshake on the server.
+        // The server still sends bad_certificate to the client, but the client handshake has already
+        // completed successfully its TLS handshake.
+
+        SslContextFactory serverSSL = createSslContextFactory();
         serverSSL.setNeedClientAuth(true);
         startServer(serverSSL, new EmptyServerHandler());
 
@@ -168,6 +169,13 @@ public void testNeedClientAuthWithoutAuth() throws Exception
         CountDownLatch handshakeLatch = new CountDownLatch(1);
         client.addBean(new SslHandshakeListener()
         {
+            @Override
+            public void handshakeSucceeded(Event event)
+            {
+                if ("TLSv1.3".equals(event.getSSLEngine().getSession().getProtocol()))
+                    handshakeLatch.countDown();
+            }
+
             @Override
             public void handshakeFailed(Event event, Throwable failure)
             {
@@ -182,7 +190,11 @@ public void handshakeFailed(Event event, Throwable failure)
                 .send(result ->
                 {
                     if (result.isFailed())
-                        latch.countDown();
+                    {
+                        Throwable failure = result.getFailure();
+                        if (failure instanceof SSLHandshakeException)
+                            latch.countDown();
+                    }
                 });
 
         Assert.assertTrue(handshakeLatch.await(5, TimeUnit.SECONDS));
@@ -192,9 +204,7 @@ public void handshakeFailed(Event event, Throwable failure)
     @Test
     public void testNeedClientAuthWithAuth() throws Exception
     {
-        SslContextFactory serverSSL = new SslContextFactory();
-        serverSSL.setKeyStorePath("src/test/resources/keystore.jks");
-        serverSSL.setKeyStorePassword("storepwd");
+        SslContextFactory serverSSL = createSslContextFactory();
         serverSSL.setNeedClientAuth(true);
         startServer(serverSSL, new EmptyServerHandler());
         CountDownLatch handshakeLatch = new CountDownLatch(1);

diff --git a/jetty-jaspi/pom.xml b/jetty-jaspi/pom.xml
@@ -4,14 +4,16 @@
     <artifactId>jetty-project</artifactId>
     <version>9.4.12-SNAPSHOT</version>
   </parent>
+
   <modelVersion>4.0.0</modelVersion>
   <artifactId>jetty-jaspi</artifactId>
   <name>Jetty :: JASPI Security</name>
   <description>Jetty security infrastructure</description>
-  <url>http://www.eclipse.org/jetty</url>
+
   <properties>
     <bundle-symbolic-name>${project.groupId}.security.jaspi</bundle-symbolic-name>
   </properties>
+
   <build>
     <plugins>
       <plugin>
@@ -23,24 +25,7 @@
       </plugin>
     </plugins>
   </build>
-  <profiles>
-    <profile>
-      <id>jdk9</id>
-      <activation>
-        <jdk>[1.9,)</jdk>
-      </activation>
-      <build>
-        <plugins>
-          <plugin>
-            <artifactId>maven-surefire-plugin</artifactId>
-            <configuration>
-              <argLine>@{argLine} --add-modules java.se.ee</argLine>
-            </configuration>
-          </plugin>
-        </plugins>
-      </build>
-    </profile>
-  </profiles>
+
   <dependencies>
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
@@ -56,6 +41,24 @@
       <groupId>org.eclipse.jetty.orbit</groupId>
       <artifactId>javax.security.auth.message</artifactId>
     </dependency>
+    <dependency>
+      <groupId>javax.xml.bind</groupId>
+      <artifactId>jaxb-api</artifactId>
+      <version>2.3.0</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.glassfish.jaxb</groupId>
+      <artifactId>jaxb-runtime</artifactId>
+      <version>2.3.0.1</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>javax.activation</groupId>
+      <artifactId>javax.activation-api</artifactId>
+      <version>1.2.0</version>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.apache.geronimo.components</groupId>
       <artifactId>geronimo-jaspi</artifactId>

diff --git a/tests/test-integration/src/test/java/org/eclipse/jetty/test/HttpInputIntegrationTest.java b/tests/test-integration/src/test/java/org/eclipse/jetty/test/HttpInputIntegrationTest.java
@@ -59,10 +59,12 @@
 import org.eclipse.jetty.servlet.ServletHolder;
 import org.eclipse.jetty.util.BufferUtil;
 import org.eclipse.jetty.util.IO;
+import org.eclipse.jetty.util.JavaVersion;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.hamcrest.Matchers;
 import org.junit.AfterClass;
 import org.junit.Assert;
+import org.junit.Assume;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -74,12 +76,12 @@
 @RunWith(Parameterized.class)
 public class HttpInputIntegrationTest
 {
-    
+
     enum Mode { BLOCKING, ASYNC_DISPATCHED, ASYNC_OTHER_DISPATCHED, ASYNC_OTHER_WAIT }
     public final static String EOF = "__EOF__";
     public final static String DELAY = "__DELAY__";
     public final static String ABORT = "__ABORT__";
-    
+
     private static Server __server;
     private static HttpConfiguration __config;
     private static HttpConfiguration __sslConfig;
@@ -342,10 +344,13 @@ public void testOne() throws Exception
         assertThat(response,Matchers.containsString("read="+_read));
         assertThat(response,Matchers.containsString("sum="+sum));
     }
-    
+
     @Test
     public void testStress() throws Exception
     {
+        // JDK 11's SSLSocket is not reliable enough to run this test.
+        Assume.assumeThat(JavaVersion.VERSION.getPlatform(), Matchers.lessThan(11));
+
         System.err.printf("[%d] STRESS c=%s, m=%s, delayDispatch=%b delayInFrame=%s content-length:%d expect=%d read=%d content:%s%n",_id,_client.getSimpleName(),_mode,__config.isDelayDispatchUntilContent(),_delay,_length,_status,_read,_send);
 
         int sum=0;