From 91944a468e6bf68bb46f1dad986533c9728c0690 Mon Sep 17 00:00:00 2001 From: Cao Manh Dat Date: Wed, 19 Jun 2019 10:43:17 +0100 Subject: [PATCH] SOLR-12988: Skip running tests with SSL on Java 11 to 11.0.2 --- solr/CHANGES.txt | 2 -- .../cloud/TestMiniSolrCloudClusterSSL.java | 3 ++ .../solr/cloud/TestSSLRandomization.java | 3 ++ .../client/solrj/impl/HttpClientUtil.java | 34 ++----------------- .../client/solrj/impl/HttpClientUtilTest.java | 11 ------ .../org/apache/solr/util/SSLTestConfig.java | 19 ++++++++--- 6 files changed, 22 insertions(+), 50 deletions(-) diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt index b5d15c3cdf3..6d2f2da9a80 100644 --- a/solr/CHANGES.txt +++ b/solr/CHANGES.txt @@ -167,8 +167,6 @@ Bug Fixes CloudSolrClient to be triggered on liveNode changes. Also add Predicate equivilents for callers that don't care about liveNodes. (hossman) -* SOLR-12988: Avoid using TLSv1.3 for HttpClient (Cao Manh Dat) - Other Changes ---------------------- diff --git a/solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java b/solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java index b659a1f397b..946f3d16b3e 100644 --- a/solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java +++ b/solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java @@ -85,6 +85,9 @@ public class TestMiniSolrCloudClusterSSL extends SolrTestCaseJ4 { @Before public void before() { + assumeFalse("SOLR-12988: TLSv1.3 in Java 11.0.2 or lower versions does not working correctly with HttpClient", + Constants.JRE_IS_MINIMUM_JAVA11 && Runtime.version().compareTo(Runtime.Version.parse("11.0.3")) < 0); + // undo the randomization of our super class log.info("NOTE: This Test ignores the randomized SSL & clientAuth settings selected by base class"); HttpClientUtil.resetHttpClientBuilder(); // also resets SchemaRegistryProvider 
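Review bot: The JRE check added to `before()` is the same expression this patch also adds to `TestSSLRandomization.createMiniSolrCloudCluster()` and to the `SSLTestConfig` constructor, so the `11.0.3` bound and the SOLR-12988 message now live in three places that must be kept in step. Because `SSLTestConfig` is in the test framework, one static helper there could hold the predicate and the `assumeFalse`, for example `SSLTestConfig.assumeSslIsSafeToTest();` (the name is only a suggestion), and both tests would call it. The message text should also read "does not work correctly" rather than "does not working correctly". Only part of `before()` is visible in this hunk.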
diff --git a/solr/core/src/test/org/apache/solr/cloud/TestSSLRandomization.java b/solr/core/src/test/org/apache/solr/cloud/TestSSLRandomization.java index e846f73bc33..773ddacbc36 100644 --- a/solr/core/src/test/org/apache/solr/cloud/TestSSLRandomization.java +++ b/solr/core/src/test/org/apache/solr/cloud/TestSSLRandomization.java @@ -19,6 +19,7 @@ package org.apache.solr.cloud; import java.lang.invoke.MethodHandles; import java.util.Arrays; +import org.apache.lucene.util.Constants; import org.apache.solr.SolrTestCaseJ4; import org.apache.solr.util.SSLTestConfig; import org.apache.solr.util.RandomizeSSL; @@ -43,6 +44,8 @@ public class TestSSLRandomization extends SolrCloudTestCase { @BeforeClass public static void createMiniSolrCloudCluster() throws Exception { + assumeFalse("SOLR-12988: TLSv1.3 in Java 11.0.2 or lower versions does not working correctly with HttpClient", + Constants.JRE_IS_MINIMUM_JAVA11 && Runtime.version().compareTo(Runtime.Version.parse("11.0.3")) < 0); configureCluster(TestMiniSolrCloudClusterSSL.NUM_SERVERS).configure(); } diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpClientUtil.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpClientUtil.java index 0c501bd5d22..21177afd5b5 100644 --- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpClientUtil.java +++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpClientUtil.java @@ -20,8 +20,6 @@ import java.io.IOException; import java.io.InputStream; import java.lang.invoke.MethodHandles; import java.lang.reflect.InvocationTargetException; -import java.util.ArrayList; -import java.util.Arrays; import java.util.List; import java.util.Optional; import java.util.concurrent.CopyOnWriteArrayList; 
@@ -61,7 +59,6 @@ import org.apache.http.impl.conn.PoolingHttpClientConnectionManager; import org.apache.http.protocol.HttpContext; import org.apache.http.protocol.HttpRequestExecutor; import org.apache.http.ssl.SSLContexts; -import org.apache.http.util.TextUtils; import org.apache.solr.common.params.ModifiableSolrParams; import org.apache.solr.common.params.SolrParams; import org.apache.solr.common.util.ObjectReleaseTracker; @@ -78,8 +75,7 @@ import org.slf4j.LoggerFactory; public class HttpClientUtil { private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); - - public static final String[] SUPPORTED_SSL_PROTOCOLS = {"TLSv1.2", "TLSv1.1", "TLSv1", "DTLSv1.2", "DTLSv1.0"}; + public static final int DEFAULT_CONNECT_TIMEOUT = 60000; public static final int DEFAULT_SO_TIMEOUT = 600000; public static final int DEFAULT_MAXCONNECTIONSPERHOST = 100000; @@ -237,9 +233,7 @@ public class HttpClientUtil { boolean sslCheckPeerName = toBooleanDefaultIfNull( toBooleanObject(System.getProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME)), true); if (sslCheckPeerName) { - String[] cipherSuites = split(System.getProperty("https.cipherSuites")); - sslConnectionSocketFactory = new SSLConnectionSocketFactory(SSLContexts.createSystemDefault(), - getSupportedSSLProtocols(), cipherSuites, SSLConnectionSocketFactory.getDefaultHostnameVerifier()); + sslConnectionSocketFactory = SSLConnectionSocketFactory.getSystemSocketFactory(); } else { sslConnectionSocketFactory = new SSLConnectionSocketFactory(SSLContexts.createSystemDefault(), NoopHostnameVerifier.INSTANCE); 
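Review bot: After this change the two branches of the `sslCheckPeerName` test take protocols and cipher suites from different places, and nothing in the code says so. `SSLConnectionSocketFactory.getSystemSocketFactory()` reads `https.protocols` and `https.cipherSuites` (as HttpClient 4.x documents it), while the `else` branch passes only a context and `NoopHostnameVerifier.INSTANCE`. A deployment that pins TLS versions through those properties therefore appears to lose the pin once the peer-name check is switched off, which is the branch that already has the weaker verification. With `SUPPORTED_SSL_PROTOCOLS` removed there is also no protocol floor in SolrJ itself, so an unset `https.protocols` means whatever the JVM enables. I would add a comment above the assignment such as `// protocols/ciphers: https.protocols and https.cipherSuites if set, otherwise JVM defaults; the else branch ignores both`, and consider giving the `else` branch the same property-derived arrays. The enclosing method starts and ends outside the hunk.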
@@ -250,30 +244,6 @@ public class HttpClientUtil { return builder.build(); } } - - static String[] getSupportedSSLProtocols() { - String[] protocols = split(System.getProperty("https.protocols")); - if (protocols == null) { - return SUPPORTED_SSL_PROTOCOLS; - } - List list = new ArrayList<>(Arrays.asList(protocols)); - list.remove("TLSv1.3"); - if (protocols.length == list.size()) - return protocols; - - if (list.isEmpty()) { - throw new IllegalArgumentException("TLSv1.3 is not supported yet!"); - } - - return list.toArray(new String[0]); - } - - private static String[] split(final String s) { - if (TextUtils.isBlank(s)) { - return null; - } - return s.split(" *, *"); - } /** * Creates new http client by using the provided configuration. diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java index b5c5e3b7ca7..381e20297c7 100644 --- a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java +++ b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java 
@@ -67,17 +67,6 @@ public class HttpClientUtilTest extends SolrTestCase { assertSSLHostnameVerifier(NoopHostnameVerifier.class, HttpClientUtil.getSchemaRegisteryProvider()); } - public void testSSLConfig() { - assertArrayEquals(HttpClientUtil.SUPPORTED_SSL_PROTOCOLS, HttpClientUtil.getSupportedSSLProtocols()); - System.setProperty("https.protocols", "TLSv1.1,TLSv1.2"); - assertArrayEquals(new String[]{"TLSv1.1","TLSv1.2"}, HttpClientUtil.getSupportedSSLProtocols()); - System.setProperty("https.protocols", "TLSv1.1,TLSv1.2,TLSv1.3"); - assertArrayEquals(new String[]{"TLSv1.1","TLSv1.2"}, HttpClientUtil.getSupportedSSLProtocols()); - System.setProperty("https.protocols", "TLSv1.3"); - expectThrows(IllegalArgumentException.class, HttpClientUtil::getSupportedSSLProtocols); - System.clearProperty("https.protocols"); - } - private void assertSSLHostnameVerifier(Class expected, SchemaRegistryProvider provider) { ConnectionSocketFactory socketFactory = provider.getSchemaRegistry().lookup("https"); diff --git a/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java b/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java index 1f7b3d0099a..3539995d7d7 100644 --- a/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java +++ b/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java @@ -16,7 +16,7 @@ */ package org.apache.solr.util; -import javax.net.ssl.SSLContext; +import java.lang.invoke.MethodHandles; import java.security.KeyManagementException; import java.security.KeyStore; import java.security.KeyStoreException; @@ -26,6 +26,8 @@ import java.security.SecureRandomSpi; import java.security.UnrecoverableKeyException; import java.util.Random; +import javax.net.ssl.SSLContext; + import org.apache.http.config.Registry; import org.apache.http.config.RegistryBuilder; import org.apache.http.conn.socket.ConnectionSocketFactory; 
@@ -35,12 +37,15 @@ import org.apache.http.conn.ssl.SSLConnectionSocketFactory; import org.apache.http.conn.ssl.TrustSelfSignedStrategy; import org.apache.http.ssl.SSLContextBuilder; import org.apache.http.ssl.SSLContexts; +import org.apache.lucene.util.Constants; import org.apache.solr.client.solrj.embedded.SSLConfig; import org.apache.solr.client.solrj.impl.HttpClientUtil; import org.apache.solr.client.solrj.impl.HttpClientUtil.SchemaRegistryProvider; import org.eclipse.jetty.util.resource.Resource; import org.eclipse.jetty.util.security.CertificateUtils; import org.eclipse.jetty.util.ssl.SslContextFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * An SSLConfig that provides {@link SSLConfig} and {@link SchemaRegistryProvider} for both clients and servers @@ -48,7 +53,7 @@ import org.eclipse.jetty.util.ssl.SslContextFactory; * Solr test-framework classes */ public class SSLTestConfig { - + private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); private static final String TEST_KEYSTORE_BOGUSHOST_RESOURCE = "SSLTestConfig.hostname-and-ip-missmatch.keystore"; private static final String TEST_KEYSTORE_LOCALHOST_RESOURCE = "SSLTestConfig.testing.keystore"; private static final String TEST_PASSWORD = "secret"; @@ -99,6 +104,12 @@ public class SSLTestConfig { * @see HttpClientUtil#SYS_PROP_CHECK_PEER_NAME */ public SSLTestConfig(boolean useSSL, boolean clientAuth, boolean checkPeerName) { + if (useSSL) { + if (Constants.JRE_IS_MINIMUM_JAVA11 && Runtime.version().compareTo(Runtime.Version.parse("11.0.3")) < 0) { + log.warn("SOLR-12988: TLSv1.3 in Java 11.0.2 or lower versions does not working correctly with HttpClient, disabling SSL for tests"); + useSSL = false; + } + } this.useSsl = useSSL; this.clientAuth = clientAuth; this.checkPeerName = checkPeerName; 
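Review bot: Overwriting `useSSL` with `false` in the constructor turns a request for TLS into a plain-HTTP run that is still reported as a pass, with one WARN line as the only trace. TLS coverage can therefore be missing on an affected JRE without any test result showing it. `clientAuth` and `checkPeerName` are still stored as passed, which leaves a config that can claim client authentication while SSL is off. The two test classes in this patch use `assumeFalse` for the same condition, which shows up as skipped; raising an assumption failure here as well, or at least logging the detected version with `log.warn("... disabling SSL for tests on JRE {}", Runtime.version());`, would keep the gap visible. The constructor body continues past the hunk.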
@@ -253,9 +264,7 @@ public class SSLTestConfig { if (checkPeerName == false) { sslConnectionFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE); } else { - sslConnectionFactory = new SSLConnectionSocketFactory(sslContext, - HttpClientUtil.SUPPORTED_SSL_PROTOCOLS, - null, SSLConnectionSocketFactory.getDefaultHostnameVerifier()); + sslConnectionFactory = new SSLConnectionSocketFactory(sslContext); } } catch (KeyManagementException | UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException e) { throw new IllegalStateException("Unable to setup https scheme for HTTPClient to test SSL.", e);
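Review bot: The peer-name-checking branch no longer names its hostname verifier, so the difference between the two branches is now implicit. HttpClient 4.x's one-argument `SSLConnectionSocketFactory(SSLContext)` constructor falls back to the library's default verifier, so the check is still made. A reader comparing this line with the `NoopHostnameVerifier.INSTANCE` line above cannot tell that without opening the library. A one-line comment would cover it: `// one-arg constructor keeps HttpClient's default hostname verifier; protocols and ciphers are the JVM defaults`. The method around this hunk is only partly visible.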