svn commit: r1845893 - in /tomcat/trunk/test/org/apache/tomcat/util/net: TestClientCertTls13.java TestSsl.java TesterSupport.java jsse/TesterBug50640SslImpl.java


svn commit: r1845893 - in /tomcat/trunk/test/org/apache/tomcat/util/net: TestClientCertTls13.java TestSsl.java TesterSupport.java jsse/TesterBug50640SslImpl.java

markt
Author: markt
Date: Tue Nov  6 11:16:48 2018
New Revision: 1845893

URL: http://svn.apache.org/viewvc?rev=1845893&view=rev
Log:
Make tests more robust when running with different JREs and APR/native connectors built with different versions of OpenSSL.

Modified:
    tomcat/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java
    tomcat/trunk/test/org/apache/tomcat/util/net/TestSsl.java
    tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java
    tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java

Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java?rev=1845893&r1=1845892&r2=1845893&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java Tue Nov  6 11:16:48 2018
@@ -25,9 +25,7 @@ import org.junit.Test;
 import org.apache.catalina.connector.Connector;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.startup.TomcatBaseTest;
-import org.apache.tomcat.jni.SSL;
 import org.apache.tomcat.util.buf.ByteChunk;
-import org.apache.tomcat.util.compat.TLS;
 
 /**
  * The keys and certificates used in this file are all available in svn and were
@@ -42,13 +40,7 @@ public class TestClientCertTls13 extends
 
     @Test
     public void testClientCertGet() throws Exception {
-        Assume.assumeTrue(TLS.isTlsv13Available());
         Tomcat tomcat = getTomcatInstance();
-        Connector connector = tomcat.getConnector();
-        if (connector.getProtocolHandlerClassName().contains("Apr")) {
-            Assume.assumeTrue(SSL.version() >= 0x1010100f);
-        }
-
         tomcat.start();
         ByteChunk res = getUrl("https://localhost:" + getPort() + "/protected");
         Assert.assertEquals("OK-" + TesterSupport.ROLE, res.toString());
@@ -56,13 +48,7 @@ public class TestClientCertTls13 extends
 
     @Test
     public void testClientCertPost() throws Exception {
-        Assume.assumeTrue(TLS.isTlsv13Available());
         Tomcat tomcat = getTomcatInstance();
-        Connector connector = tomcat.getConnector();
-        if (connector.getProtocolHandlerClassName().contains("Apr")) {
-            Assume.assumeTrue(SSL.version() >= 0x1010100f);
-        }
-
         tomcat.start();
 
         int size = 32 * 1024;
@@ -84,9 +70,12 @@ public class TestClientCertTls13 extends
 
         Tomcat tomcat = getTomcatInstance();
 
+        Connector connector = tomcat.getConnector();
+        Assume.assumeTrue(TesterSupport.isDefaultTLSProtocolForTesting13(connector));
+
         TesterSupport.configureClientCertContext(tomcat);
         // Need to override some of the previous settings
-        tomcat.getConnector().setProperty("sslEnabledProtocols", "TLSv1.3");
+        tomcat.getConnector().setProperty("sslEnabledProtocols", Constants.SSL_PROTO_TLSv1_3);
         // And add force authentication to occur on the initial handshake
         tomcat.getConnector().setProperty("clientAuth", "required");
 
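Review bot: The new `connector` local introduced just after `getTomcatInstance()` is used only for the assumption, while the two `setProperty` calls further down still go back through `tomcat.getConnector()`; assuming `getConnector()` hands back the same default connector each time, `connector.setProperty("sslEnabledProtocols", Constants.SSL_PROTO_TLSv1_3);` and `connector.setProperty("clientAuth", "required");` would read more consistently and make it obvious that the assumption and the configuration apply to the same object. The enclosing method starts and ends outside the hunk. From the two hunks above it looks like this single assumption now stands in for the per-test `Assume` checks removed from testClientCertGet and testClientCertPost; a one-line comment such as `// Skip the whole class unless both the JSSE client and the connector support TLS 1.3` above the `Assume` would record that intent.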

Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TestSsl.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TestSsl.java?rev=1845893&r1=1845892&r2=1845893&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/TestSsl.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/TestSsl.java Tue Nov  6 11:16:48 2018
@@ -39,7 +39,6 @@ import org.apache.catalina.startup.Teste
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.startup.TomcatBaseTest;
 import org.apache.tomcat.util.buf.ByteChunk;
-import org.apache.tomcat.util.compat.TLS;
 import org.apache.tomcat.websocket.server.WsContextListener;
 
 /**
@@ -111,13 +110,13 @@ public class TestSsl extends TomcatBaseT
         tomcat.start();
 
         SSLContext sslCtx;
-        if (TLS.isTlsv13Available()) {
+        if (TesterSupport.isDefaultTLSProtocolForTesting13(tomcat.getConnector())) {
             // Force TLS 1.2 if TLS 1.3 is available as JSSE's TLS 1.3
             // implementation doesn't support Post Handshake Authentication
             // which is required for this test to pass.
-            sslCtx = SSLContext.getInstance("TLSv1.2");
+            sslCtx = SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_2);
         } else {
-            sslCtx = SSLContext.getInstance("TLS");
+            sslCtx = SSLContext.getInstance(Constants.SSL_PROTO_TLS);
         }
         sslCtx.init(null, TesterSupport.getTrustManagers(), null);
         SSLSocketFactory socketFactory = sslCtx.getSocketFactory();
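Review bot: The comment above the changed condition still says "Force TLS 1.2 if TLS 1.3 is available", but the branch is now taken only when `TesterSupport.isDefaultTLSProtocolForTesting13(...)` reports that both the JSSE client and the connector's TLS implementation support TLS 1.3, so an APR connector built against an older OpenSSL now takes the `Constants.SSL_PROTO_TLS` branch even on a JRE that supports TLS 1.3. Suggest rewording the first comment line to `// Force TLS 1.2 when TLS 1.3 would otherwise be negotiated, as JSSE's TLS 1.3` so it matches the new condition. In that else case the negotiated version is presumably capped by what the server accepts, so the Post Handshake Authentication concern should not arise; a sentence saying so would save the next reader working it out. The enclosing test method starts and ends outside the hunk.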

Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java?rev=1845893&r1=1845892&r2=1845893&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java Tue Nov  6 11:16:48 2018
@@ -53,6 +53,7 @@ import org.apache.tomcat.jni.Library;
 import org.apache.tomcat.jni.LibraryNotFoundError;
 import org.apache.tomcat.jni.SSL;
 import org.apache.tomcat.util.compat.JrePlatform;
+import org.apache.tomcat.util.compat.TLS;
 import org.apache.tomcat.util.descriptor.web.LoginConfig;
 import org.apache.tomcat.util.descriptor.web.SecurityCollection;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
@@ -182,7 +183,7 @@ public final class TesterSupport {
 
     protected static void configureClientSsl() {
         try {
-            SSLContext sc = SSLContext.getInstance("TLS");
+            SSLContext sc = SSLContext.getInstance(Constants.SSL_PROTO_TLS);
             sc.init(TesterSupport.getUser1KeyManagers(),
                     TesterSupport.getTrustManagers(),
                     null);
@@ -239,7 +240,7 @@ public final class TesterSupport {
          * depend. Therefore, force these tests to use TLSv1.2 so that they pass
          * when running on TLSv1.3.
          */
-        tomcat.getConnector().setProperty("sslEnabledProtocols", "TLSv1.2");
+        tomcat.getConnector().setProperty("sslEnabledProtocols", Constants.SSL_PROTO_TLSv1_2);
 
         // Need a web application with a protected and unprotected URL
         // No file system docBase required
@@ -560,4 +561,36 @@ public final class TesterSupport {
             }
         }
     }
+
+
+    /*
+     * We want to use TLS 1.3 where we can but this requires TLS 1.3 to be
+     * supported on the client and the server.
+     */
+    public static String getDefaultTLSProtocolForTesting(Connector connector) {
+        // Clients always use JSSE
+        if (!TLS.isTlsv13Available()) {
+            // Client doesn't support TLS 1.3 so we have to use TLS 1.2
+            return Constants.SSL_PROTO_TLSv1_2;
+        }
+
+        if (connector.getProtocolHandlerClassName().contains("Apr")) {
+            // APR connector so OpenSSL is used for TLS.
+            if (SSL.version() >= 0x1010100f) {
+                return Constants.SSL_PROTO_TLSv1_3;
+            } else {
+                return Constants.SSL_PROTO_TLSv1_2;
+            }
+        } else {
+            // NIO or NIO2. Tests do not use JSSE+OpenSSL so JSSE will be used.
+            // Due to check above, it is known that TLS 1.3 is available
+            return Constants.SSL_PROTO_TLSv1_3;
+        }
+    }
+
+
+    public static boolean isDefaultTLSProtocolForTesting13(Connector connector) {
+        return Constants.SSL_PROTO_TLSv1_3.equals(
+                TesterSupport.getDefaultTLSProtocolForTesting(connector));
+    }
 }
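Review bot: `getDefaultTLSProtocolForTesting` and `isDefaultTLSProtocolForTesting13` are public but carry no Javadoc; the `/* ... */` block on the first should become a `/** ... */` Javadoc stating the contract: returns `Constants.SSL_PROTO_TLSv1_3` only when both the JSSE client and the connector's TLS implementation support it, otherwise `Constants.SSL_PROTO_TLSv1_2`, with `@param connector` and `@return` entries, and the second should get a one-line summary of its own. The threshold `0x1010100f` is OpenSSL's encoded version number for the 1.1.1 release, the first with TLS 1.3 support; naming it, e.g. `private static final int OPENSSL_VERSION_1_1_1 = 0x1010100f;` and comparing `SSL.version() >= OPENSSL_VERSION_1_1_1`, would make the intent readable without knowing the encoding. Detecting APR via `getProtocolHandlerClassName().contains("Apr")` is a substring heuristic on the handler class name; worth a comment that it relies on the APR protocol handlers keeping "Apr" in their class names so that a future rename does not silently route an OpenSSL-backed connector through the JSSE branch.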

Modified: tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java?rev=1845893&r1=1845892&r2=1845893&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java Tue Nov  6 11:16:48 2018
@@ -16,6 +16,7 @@
  */
 package org.apache.tomcat.util.net.jsse;
 
+import org.apache.tomcat.util.net.Constants;
 import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
 import org.apache.tomcat.util.net.SSLUtil;
@@ -31,7 +32,7 @@ public class TesterBug50640SslImpl exten
         SSLHostConfig sslHostConfig = certificate.getSSLHostConfig();
         if (sslHostConfig.getProtocols().size() == 1 &&
                 sslHostConfig.getProtocols().contains(PROPERTY_VALUE)) {
-            sslHostConfig.setProtocols("TLSv1,TLSv1.1,TLSv1.2");
+            sslHostConfig.setProtocols(Constants.SSL_PROTO_TLSv1_2);
             return super.getSSLUtil(certificate);
         } else {
             return null;


