IGNITE-28444: Fix SSL cipher tests for current JDK defaults

animovscw · animovscw · commit f6a57811b7eb · 2026-04-09T12:51:38.000+07:00
diff --git a/modules/clients/src/test/java/org/apache/ignite/jdbc/thin/JdbcThinConnectionSSLTest.java b/modules/clients/src/test/java/org/apache/ignite/jdbc/thin/JdbcThinConnectionSSLTest.java
@@ -23,6 +23,9 @@
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
+import java.util.Arrays;
+import java.util.LinkedHashSet;
+import java.util.Set;
 import java.util.concurrent.Callable;
 import javax.cache.configuration.Factory;
 import javax.net.ssl.SSLContext;
@@ -33,6 +36,7 @@
 import org.apache.ignite.internal.util.typedef.internal.U;
 import org.apache.ignite.ssl.SslContextFactory;
 import org.apache.ignite.testframework.GridTestUtils;
+import org.junit.Assume;
 import org.junit.Test;
 
 /**
@@ -52,12 +56,6 @@ public class JdbcThinConnectionSSLTest extends JdbcThinAbstractSelfTest {
     private static final String TRUST_KEY_STORE_PATH = U.getIgniteHome() +
         "/modules/clients/src/test/keystore/trust-one.jks";
 
-    /** Enabled cipher. */
-    private static final String ENABLED_CIPHER = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
-
-    /** Unsupported cipher. */
-    private static final String UNSUPPORTED_CIPHER = "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA";
-
     /** SSL context factory. */
     private static Factory<SSLContext> sslCtxFactory;
 
@@ -70,16 +68,12 @@ public class JdbcThinConnectionSSLTest extends JdbcThinAbstractSelfTest {
     /** Supported ciphers. */
     private static String[] supportedCiphers;
 
-    /** Supported cipher that is not enabled by default on the current JDK. */
-    private static String disabledByDefaultCipher;
-
     /** {@inheritDoc} */
     @Override protected void beforeTest() throws Exception {
         setSslCtxFactoryToCli = false;
         setSslCtxFactoryToIgnite = false;
         supportedCiphers = null;
         sslCtxFactory = null;
-        disabledByDefaultCipher = null;
     }
 
     /** {@inheritDoc} */
@@ -107,39 +101,51 @@ public class JdbcThinConnectionSSLTest extends JdbcThinAbstractSelfTest {
     }
 
     /**
-     * @return Supported RSA cipher suite that is not enabled by default on the current JDK.
+     * @return One of default cipher suites for the current JDK.
      * @throws NoSuchAlgorithmException If failed.
      */
-    private static String disabledByDefaultCipher() throws NoSuchAlgorithmException {
-        if (disabledByDefaultCipher != null)
-            return disabledByDefaultCipher;
+    private static String defaultCipher() throws NoSuchAlgorithmException {
+        String[] dflt = SSLContext.getDefault().getSocketFactory().getDefaultCipherSuites();
 
-        SSLContext ctx = SSLContext.getDefault();
+        assertTrue("No default cipher suites available", dflt.length > 0);
 
-        SSLSocketFactory factory = ctx.getSocketFactory();
+        return dflt[0];
+    }
 
-        java.util.Set<String> supported = new java.util.HashSet<>();
-        java.util.Collections.addAll(supported, factory.getSupportedCipherSuites());
+    /**
+     * @param exclude Cipher to exclude.
+     * @return Another default cipher suite for the current JDK.
+     * @throws NoSuchAlgorithmException If failed.
+     */
+    private static String anotherDefaultCipher(String exclude) throws NoSuchAlgorithmException {
+        String[] dflt = SSLContext.getDefault().getSocketFactory().getDefaultCipherSuites();
 
-        java.util.Set<String> enabled = new java.util.HashSet<>();
-        java.util.Collections.addAll(enabled, factory.getDefaultCipherSuites());
+        for (String cipher : dflt) {
+            if (!cipher.equals(exclude))
+                return cipher;
+        }
 
-        for (String cipher : supported) {
-            if (enabled.contains(cipher))
-                continue;
+        fail("No alternative default cipher suite found");
 
-            if (!cipher.contains("_RSA_"))
-                continue;
+        return null;
+    }
 
-            if (cipher.contains("_anon_") || cipher.contains("_NULL_") || cipher.contains("_ECDSA_"))
-                continue;
+    /**
+     * @return Supported cipher suite that is not enabled by default, or {@code null} if none found.
+     * @throws NoSuchAlgorithmException If failed.
+     */
+    private static String supportedButNonDefaultCipherOrNull() throws NoSuchAlgorithmException {
+        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
 
-            disabledByDefaultCipher = cipher;
+        Set<String> supported = new LinkedHashSet<>(Arrays.asList(factory.getSupportedCipherSuites()));
+        Set<String> dflt = new LinkedHashSet<>(Arrays.asList(factory.getDefaultCipherSuites()));
 
-            return cipher;
+        for (String cipher : supported) {
+            if (!dflt.contains(cipher))
+                return cipher;
         }
 
-        throw new IllegalStateException("No supported non-default RSA cipher suite found for the current JDK");
+        return null;
     }
 
     /**
@@ -278,6 +284,9 @@ public void testCustomCiphersOnClient() throws Exception {
         setSslCtxFactoryToCli = true;
         sslCtxFactory = getTestSslContextFactory();
 
+        String cipher1 = defaultCipher();
+        String cipher2 = anotherDefaultCipher(cipher1);
+
         startGrids(1);
 
         try {
@@ -290,9 +299,9 @@ public void testCustomCiphersOnClient() throws Exception {
                 checkConnection(conn);
             }
 
-            // Explicit cipher (one of defaults).
+            // Explicit cipher.
             try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-                "&sslCipherSuites=" + ENABLED_CIPHER +
+                "&sslCipherSuites=" + cipher1 +
                 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
                 "&sslClientCertificateKeyStorePassword=123456" +
                 "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
@@ -302,7 +311,7 @@ public void testCustomCiphersOnClient() throws Exception {
 
             // Explicit ciphers.
             try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-                "&sslCipherSuites=" + disabledByDefaultCipher() + "," + ENABLED_CIPHER +
+                "&sslCipherSuites=" + cipher2 + "," + cipher1 +
                 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
                 "&sslClientCertificateKeyStorePassword=123456" +
                 "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
@@ -321,7 +330,11 @@ public void testCustomCiphersOnClient() throws Exception {
     @Test
     public void testCustomCiphersOnServer() throws Exception {
         setSslCtxFactoryToCli = true;
-        supportedCiphers = new String[] {ENABLED_CIPHER};
+
+        String cipher1 = defaultCipher();
+        String cipher2 = anotherDefaultCipher(cipher1);
+
+        supportedCiphers = new String[] {cipher1};
         sslCtxFactory = getTestSslContextFactory();
 
         startGrids(1);
@@ -338,27 +351,28 @@ public void testCustomCiphersOnServer() throws Exception {
 
             // Explicit cipher.
             try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-                "&sslCipherSuites=" + ENABLED_CIPHER +
+                "&sslCipherSuites=" + cipher1 +
                 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
                 "&sslClientCertificateKeyStorePassword=123456" +
                 "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
                 "&sslTrustCertificateKeyStorePassword=123456")) {
                 checkConnection(conn);
             }
 
-            // Disabled by default cipher.
-            GridTestUtils.assertThrows(log, () -> {
-                return DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-                    "&sslCipherSuites=" + disabledByDefaultCipher() +
+            // Explicit cipher not supported by server.
+            GridTestUtils.assertThrows(log, () ->
+                    DriverManager.getConnection(
+                    "jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
+                    "&sslCipherSuites=" + cipher2 +
                     "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
                     "&sslClientCertificateKeyStorePassword=123456" +
                     "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
-                    "&sslTrustCertificateKeyStorePassword=123456");
-            }, SQLException.class, "Failed to SSL connect to server");
+                    "&sslTrustCertificateKeyStorePassword=123456"
+            ), SQLException.class, "Failed to SSL connect to server");
 
             // Explicit ciphers.
             try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-                "&sslCipherSuites=" + disabledByDefaultCipher() + "," + ENABLED_CIPHER +
+                "&sslCipherSuites=" + cipher2 + "," + cipher1 +
                 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
                 "&sslClientCertificateKeyStorePassword=123456" +
                 "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
@@ -373,19 +387,26 @@ public void testCustomCiphersOnServer() throws Exception {
 
     /**
      * @throws Exception If failed.
+     *
+     * Note: Disabled cipher suite can be enabled via Java Security property "jdk.tls.disabledAlgorithms" or in
+     * &lt;JAVA_HOME&gt;/conf/security/java.security file.
      */
     @Test
     public void testDisabledCustomCipher() throws Exception {
+        String nonDfltCipher = supportedButNonDefaultCipherOrNull();
+
+        Assume.assumeNotNull(nonDfltCipher);
+
         setSslCtxFactoryToCli = true;
-        supportedCiphers = new String[] {disabledByDefaultCipher()};
+        supportedCiphers = new String[] {nonDfltCipher};
         sslCtxFactory = getTestSslContextFactory();
 
         startGrids(1);
 
         try {
-            // Explicit supported ciphers.
+            // Explicit supported cipher.
             try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-                "&sslCipherSuites=" + disabledByDefaultCipher() +
+                "&sslCipherSuites=" + nonDfltCipher +
                 "&sslTrustAll=true" +
                 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
                 "&sslClientCertificateKeyStorePassword=123456" +
@@ -395,13 +416,13 @@ public void testDisabledCustomCipher() throws Exception {
             }
 
             // Default ciphers.
-            GridTestUtils.assertThrows(log, () -> {
-                return DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
+            GridTestUtils.assertThrows(log, () -> DriverManager.getConnection(
+                "jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
                     "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
                     "&sslClientCertificateKeyStorePassword=123456" +
                     "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
-                    "&sslTrustCertificateKeyStorePassword=123456");
-            }, SQLException.class, "Failed to SSL connect to server");
+                    "&sslTrustCertificateKeyStorePassword=123456"
+            ), SQLException.class, "Failed to SSL connect to server");
         }
         finally {
             stopAllGrids();
@@ -410,33 +431,35 @@ public void testDisabledCustomCipher() throws Exception {
 
     /**
      * @throws Exception If failed.
+     *
+     * Note: Disabled cipher suite can be enabled via Java Security property "jdk.tls.disabledAlgorithms" or in
+     * &lt;JAVA_HOME&gt;/conf/security/java.security file.
      */
     @Test
     public void testUnsupportedCustomCipher() throws Exception {
+        String nonDfltCipher = supportedButNonDefaultCipherOrNull();
+
+        Assume.assumeNotNull(nonDfltCipher);
+
         setSslCtxFactoryToCli = true;
-        supportedCiphers = new String[] {
-            disabledByDefaultCipher(),
-            UNSUPPORTED_CIPHER
-        };
+        supportedCiphers = new String[] {nonDfltCipher, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA"};
         sslCtxFactory = getTestSslContextFactory();
 
         startGrids(1);
 
         try {
-            // Enabled ciphers with unsupported algorithm can't be negotiated.
-            GridTestUtils.assertThrows(log, () -> {
-                return DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-                    "&sslCipherSuites=" + UNSUPPORTED_CIPHER +
-                    "&sslTrustAll=true" +
+            // Unsupported cipher can't be negotiated.
+            GridTestUtils.assertThrows(log, () -> DriverManager.getConnection(
+                "jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
                     "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
                     "&sslClientCertificateKeyStorePassword=123456" +
                     "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
-                    "&sslTrustCertificateKeyStorePassword=123456");
-            }, SQLException.class, "Failed to SSL connect to server");
+                    "&sslTrustCertificateKeyStorePassword=123456"
+            ), SQLException.class, "Failed to SSL connect to server");
 
             // Supported cipher.
             try (Connection conn = DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-                "&sslCipherSuites=" + disabledByDefaultCipher() +
+                "&sslCipherSuites=" + nonDfltCipher +
                 "&sslTrustAll=true" +
                 "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
                 "&sslClientCertificateKeyStorePassword=123456" +
@@ -446,13 +469,13 @@ public void testUnsupportedCustomCipher() throws Exception {
             }
 
             // Default ciphers.
-            GridTestUtils.assertThrows(log, () -> {
-                return DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
+            GridTestUtils.assertThrows(log, () -> DriverManager.getConnection(
+                "jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
                     "&sslClientCertificateKeyStoreUrl=" + CLI_KEY_STORE_PATH +
                     "&sslClientCertificateKeyStorePassword=123456" +
                     "&sslTrustCertificateKeyStoreUrl=" + TRUST_KEY_STORE_PATH +
-                    "&sslTrustCertificateKeyStorePassword=123456");
-            }, SQLException.class, "Failed to SSL connect to server");
+                    "&sslTrustCertificateKeyStorePassword=123456"
+            ), SQLException.class, "Failed to SSL connect to server");
         }
         finally {
             stopAllGrids();
