SOLR-12988: Skip running tests with SSL on Java 11 to 11.0.2

solr/CHANGES.txt

@@ -167,8 +167,6 @@ Bug Fixes
   CloudSolrClient to be triggered on liveNode changes.  Also add Predicate<DocCollection> equivilents
   for callers that don't care about liveNodes. (hossman)
 
-* SOLR-12988: Avoid using TLSv1.3 for HttpClient (Cao Manh Dat)
-
 Other Changes
 ----------------------
 

solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java

@@ -85,6 +85,9 @@ public class TestMiniSolrCloudClusterSSL extends SolrTestCaseJ4 {
   
   @Before
   public void before() {
+    assumeFalse("SOLR-12988: TLSv1.3 in Java 11.0.2 or lower versions does not working correctly with HttpClient",
+        Constants.JRE_IS_MINIMUM_JAVA11 && Runtime.version().compareTo(Runtime.Version.parse("11.0.3")) < 0);
+
     // undo the randomization of our super class
     log.info("NOTE: This Test ignores the randomized SSL & clientAuth settings selected by base class");
     HttpClientUtil.resetHttpClientBuilder(); // also resets SchemaRegistryProvider

solr/core/src/test/org/apache/solr/cloud/TestSSLRandomization.java

@@ -19,6 +19,7 @@ package org.apache.solr.cloud;
 import java.lang.invoke.MethodHandles;
 import java.util.Arrays;
 
+import org.apache.lucene.util.Constants;
 import org.apache.solr.SolrTestCaseJ4;
 import org.apache.solr.util.SSLTestConfig;
 import org.apache.solr.util.RandomizeSSL;
@@ -43,6 +44,8 @@ public class TestSSLRandomization extends SolrCloudTestCase {
 
   @BeforeClass
   public static void createMiniSolrCloudCluster() throws Exception {
+    assumeFalse("SOLR-12988: TLSv1.3 in Java 11.0.2 or lower versions does not working correctly with HttpClient",
+        Constants.JRE_IS_MINIMUM_JAVA11 && Runtime.version().compareTo(Runtime.Version.parse("11.0.3")) < 0);
     configureCluster(TestMiniSolrCloudClusterSSL.NUM_SERVERS).configure();
   }
   

solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpClientUtil.java

@@ -20,8 +20,6 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.lang.invoke.MethodHandles;
 import java.lang.reflect.InvocationTargetException;
-import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.List;
 import java.util.Optional;
 import java.util.concurrent.CopyOnWriteArrayList;
@@ -61,7 +59,6 @@ import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
 import org.apache.http.protocol.HttpContext;
 import org.apache.http.protocol.HttpRequestExecutor;
 import org.apache.http.ssl.SSLContexts;
-import org.apache.http.util.TextUtils;
 import org.apache.solr.common.params.ModifiableSolrParams;
 import org.apache.solr.common.params.SolrParams;
 import org.apache.solr.common.util.ObjectReleaseTracker;
@@ -78,8 +75,7 @@ import org.slf4j.LoggerFactory;
 public class HttpClientUtil {
   
   private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
-
-  public static final String[] SUPPORTED_SSL_PROTOCOLS = {"TLSv1.2", "TLSv1.1", "TLSv1", "DTLSv1.2", "DTLSv1.0"};
+  
   public static final int DEFAULT_CONNECT_TIMEOUT = 60000;
   public static final int DEFAULT_SO_TIMEOUT = 600000;
   public static final int DEFAULT_MAXCONNECTIONSPERHOST = 100000;
@@ -237,9 +233,7 @@ public class HttpClientUtil {
       boolean sslCheckPeerName = toBooleanDefaultIfNull(
           toBooleanObject(System.getProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME)), true);
       if (sslCheckPeerName) {
-        String[] cipherSuites = split(System.getProperty("https.cipherSuites"));
-        sslConnectionSocketFactory = new SSLConnectionSocketFactory(SSLContexts.createSystemDefault(),
-            getSupportedSSLProtocols(), cipherSuites, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
+        sslConnectionSocketFactory = SSLConnectionSocketFactory.getSystemSocketFactory();
       } else {
         sslConnectionSocketFactory = new SSLConnectionSocketFactory(SSLContexts.createSystemDefault(),
                                                                     NoopHostnameVerifier.INSTANCE);
@@ -250,30 +244,6 @@ public class HttpClientUtil {
       return builder.build();
     }
   }
-
-  static String[] getSupportedSSLProtocols() {
-    String[] protocols = split(System.getProperty("https.protocols"));
-    if (protocols == null) {
-      return SUPPORTED_SSL_PROTOCOLS;
-    }
-    List<String> list = new ArrayList<>(Arrays.asList(protocols));
-    list.remove("TLSv1.3");
-    if (protocols.length == list.size())
-      return protocols;
-
-    if (list.isEmpty()) {
-      throw new IllegalArgumentException("TLSv1.3 is not supported yet!");
-    }
-
-    return list.toArray(new String[0]);
-  }
-
-  private static String[] split(final String s) {
-    if (TextUtils.isBlank(s)) {
-      return null;
-    }
-    return s.split(" *, *");
-  }
   
   /**
    * Creates new http client by using the provided configuration.

solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java

@@ -67,17 +67,6 @@ public class HttpClientUtilTest extends SolrTestCase {
     assertSSLHostnameVerifier(NoopHostnameVerifier.class, HttpClientUtil.getSchemaRegisteryProvider());
   }
 
-  public void testSSLConfig() {
-    assertArrayEquals(HttpClientUtil.SUPPORTED_SSL_PROTOCOLS, HttpClientUtil.getSupportedSSLProtocols());
-    System.setProperty("https.protocols", "TLSv1.1,TLSv1.2");
-    assertArrayEquals(new String[]{"TLSv1.1","TLSv1.2"}, HttpClientUtil.getSupportedSSLProtocols());
-    System.setProperty("https.protocols", "TLSv1.1,TLSv1.2,TLSv1.3");
-    assertArrayEquals(new String[]{"TLSv1.1","TLSv1.2"}, HttpClientUtil.getSupportedSSLProtocols());
-    System.setProperty("https.protocols", "TLSv1.3");
-    expectThrows(IllegalArgumentException.class, HttpClientUtil::getSupportedSSLProtocols);
-    System.clearProperty("https.protocols");
-  }
-
   private void assertSSLHostnameVerifier(Class<? extends HostnameVerifier> expected,
                                          SchemaRegistryProvider provider) {
     ConnectionSocketFactory socketFactory = provider.getSchemaRegistry().lookup("https");

solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java

@@ -16,7 +16,7 @@
  */
 package org.apache.solr.util;
 
-import javax.net.ssl.SSLContext;
+import java.lang.invoke.MethodHandles;
 import java.security.KeyManagementException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
@@ -26,6 +26,8 @@ import java.security.SecureRandomSpi;
 import java.security.UnrecoverableKeyException;
 import java.util.Random;
 
+import javax.net.ssl.SSLContext;
+
 import org.apache.http.config.Registry;
 import org.apache.http.config.RegistryBuilder;
 import org.apache.http.conn.socket.ConnectionSocketFactory;
@@ -35,12 +37,15 @@ import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
 import org.apache.http.ssl.SSLContextBuilder;
 import org.apache.http.ssl.SSLContexts;
+import org.apache.lucene.util.Constants;
 import org.apache.solr.client.solrj.embedded.SSLConfig;
 import org.apache.solr.client.solrj.impl.HttpClientUtil;
 import org.apache.solr.client.solrj.impl.HttpClientUtil.SchemaRegistryProvider;
 import org.eclipse.jetty.util.resource.Resource;
 import org.eclipse.jetty.util.security.CertificateUtils;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * An SSLConfig that provides {@link SSLConfig} and {@link SchemaRegistryProvider} for both clients and servers
@@ -48,7 +53,7 @@ import org.eclipse.jetty.util.ssl.SslContextFactory;
  * Solr test-framework classes
  */
 public class SSLTestConfig {
-
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
   private static final String TEST_KEYSTORE_BOGUSHOST_RESOURCE = "SSLTestConfig.hostname-and-ip-missmatch.keystore";
   private static final String TEST_KEYSTORE_LOCALHOST_RESOURCE = "SSLTestConfig.testing.keystore";
   private static final String TEST_PASSWORD = "secret";
@@ -99,6 +104,12 @@ public class SSLTestConfig {
    * @see HttpClientUtil#SYS_PROP_CHECK_PEER_NAME
    */
   public SSLTestConfig(boolean useSSL, boolean clientAuth, boolean checkPeerName) {
+    if (useSSL) {
+      if (Constants.JRE_IS_MINIMUM_JAVA11 && Runtime.version().compareTo(Runtime.Version.parse("11.0.3")) < 0) {
+        log.warn("SOLR-12988: TLSv1.3 in Java 11.0.2 or lower versions does not working correctly with HttpClient, disabling SSL for tests");
+        useSSL = false;
+      }
+    }
     this.useSsl = useSSL;
     this.clientAuth = clientAuth;
     this.checkPeerName = checkPeerName;
@@ -253,9 +264,7 @@ public class SSLTestConfig {
       if (checkPeerName == false) {
         sslConnectionFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
       } else {
-        sslConnectionFactory = new SSLConnectionSocketFactory(sslContext,
-            HttpClientUtil.SUPPORTED_SSL_PROTOCOLS,
-            null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
+        sslConnectionFactory = new SSLConnectionSocketFactory(sslContext);
       }
     } catch (KeyManagementException | UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException e) {
       throw new IllegalStateException("Unable to setup https scheme for HTTPClient to test SSL.", e);