ZOOKEEPER-5045: Fall back to TLSv1.2 default in FIPS mode

Author: PDavid

zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java

@@ -87,13 +87,17 @@ public abstract class X509Util implements Closeable, AutoCloseable {
         }
     }
 
-    public static final String DEFAULT_PROTOCOL = defaultTlsProtocol();
-
     /**
-     * Return TLSv1.3 or TLSv1.2 depending on Java runtime version being used.
+     * Return TLSv1.2 when FIPS mode is enabled.
+     * Otherwise, returns TLSv1.3 or TLSv1.2 depending on Java runtime version being used.
      * TLSv1.3 was first introduced in JDK11 and back-ported to OpenJDK 8u272.
      */
-    private static String defaultTlsProtocol() {
+    public static String defaultTlsProtocol(ZKConfig config) {
+        if (getFipsMode(config)) {
+            LOG.info("FIPS mode is enabled. Fall back to TLSv1.2 as the default protocol.");
+            return TLS_1_2;
+        }
+
         String defaultProtocol = TLS_1_2;
         List<String> supported = new ArrayList<>();
         try {
@@ -410,8 +414,8 @@ public SSLContextAndOptions createSSLContextAndOptionsFromConfig(ZKConfig config
                     + ": "
                     + trustStoreTypeProp, e);
         }
-
-        String protocol = config.getProperty(sslProtocolProperty, DEFAULT_PROTOCOL);
+        String defaultTlsProtocol = defaultTlsProtocol(config);
+        String protocol = config.getProperty(sslProtocolProperty, defaultTlsProtocol);
         try {
             SSLContext sslContext = SSLContext.getInstance(protocol);
             sslContext.init(keyManagers, trustManagers, null);

zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java

@@ -18,6 +18,9 @@
 
 package org.apache.zookeeper.common;
 
+import static org.apache.zookeeper.common.X509Util.FIPS_MODE_PROPERTY;
+import static org.apache.zookeeper.common.X509Util.TLS_1_2;
+import static org.apache.zookeeper.common.X509Util.TLS_1_3;
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
@@ -90,6 +93,7 @@ public void cleanUp() {
         System.clearProperty(x509Util.getSslHandshakeDetectionTimeoutMillisProperty());
         System.clearProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY);
         System.clearProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET);
+        System.clearProperty(FIPS_MODE_PROPERTY);
         x509Util.close();
     }
 
@@ -100,24 +104,36 @@ public void testCreateSSLContextWithoutCustomProtocol(
             X509KeyType caKeyType, X509KeyType certKeyType, String keyPassword, Integer paramIndex)
             throws Exception {
         init(caKeyType, certKeyType, keyPassword, paramIndex);
+        System.setProperty(FIPS_MODE_PROPERTY, Boolean.FALSE.toString());
         SSLContext sslContext = x509Util.getDefaultSSLContext();
-        assertEquals(X509Util.DEFAULT_PROTOCOL, sslContext.getProtocol());
+        String defaultTlsProtocol = X509Util.defaultTlsProtocol(new ZKConfig());
+        assertEquals(defaultTlsProtocol, sslContext.getProtocol());
 
-        // Check that TLSv1.3 is selected in JDKs that support it (OpenJDK 8u272 and later).
         List<String> supported = Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
-        if (supported.contains(X509Util.TLS_1_3)) {
-            // SSLContext protocol.
-            assertEquals(X509Util.TLS_1_3, sslContext.getProtocol());
-            // Enabled protocols.
+        if (supported.contains(TLS_1_3)) {
+            assertEquals(TLS_1_3, sslContext.getProtocol());
             List<String> protos = Arrays.asList(sslContext.getDefaultSSLParameters().getProtocols());
-            assertTrue(protos.contains(X509Util.TLS_1_2));
-            assertTrue(protos.contains(X509Util.TLS_1_3));
+            assertTrue(protos.contains(TLS_1_2));
+            assertTrue(protos.contains(TLS_1_3));
         } else {
-            assertEquals(X509Util.TLS_1_2, sslContext.getProtocol());
-            assertArrayEquals(new String[]{X509Util.TLS_1_2}, sslContext.getDefaultSSLParameters().getProtocols());
+            assertEquals(TLS_1_2, sslContext.getProtocol());
+            assertArrayEquals(new String[]{TLS_1_2}, sslContext.getDefaultSSLParameters().getProtocols());
         }
     }
 
+    @ParameterizedTest
+    @MethodSource("data")
+    @Timeout(value = 5)
+    public void testCreateSSLContextWithoutCustomProtocol_FIPSEnabled(
+            X509KeyType caKeyType, X509KeyType certKeyType, String keyPassword, Integer paramIndex)
+            throws Exception {
+        init(caKeyType, certKeyType, keyPassword, paramIndex);
+        System.setProperty(FIPS_MODE_PROPERTY, Boolean.TRUE.toString());
+        SSLContext sslContext = x509Util.getDefaultSSLContext();
+        assertEquals(TLS_1_2, sslContext.getProtocol());
+        assertArrayEquals(new String[]{TLS_1_2}, sslContext.getDefaultSSLParameters().getProtocols());
+    }
+
     @ParameterizedTest
     @MethodSource("data")
     @Timeout(value = 5)
@@ -873,4 +889,5 @@ private void testCreateSSLContext_withWrongPasswordFromFile(final String keyPass
             x509Util.getDefaultSSLContext();
         });
     }
+
 }

zookeeper-server/src/test/java/org/apache/zookeeper/server/admin/CommandAuthTest.java

@@ -48,6 +48,8 @@
 import org.apache.zookeeper.common.ClientX509Util;
 import org.apache.zookeeper.common.QuorumX509Util;
 import org.apache.zookeeper.common.X509Exception;
+import org.apache.zookeeper.common.X509Util;
+import org.apache.zookeeper.common.ZKConfig;
 import org.apache.zookeeper.data.ACL;
 import org.apache.zookeeper.data.Id;
 import org.apache.zookeeper.server.NettyServerCnxnFactory;
@@ -281,7 +283,8 @@ private void setupTLS() throws Exception {
         System.setProperty("zookeeper.admin.needClientAuth", "true");
 
         // create SSLContext
-        final SSLContext sslContext = SSLContext.getInstance(ClientX509Util.DEFAULT_PROTOCOL);
+        String defaultTlsProtocol = X509Util.defaultTlsProtocol(new ZKConfig());
+        final SSLContext sslContext = SSLContext.getInstance(defaultTlsProtocol);
         final X509AuthenticationProvider authProvider = (X509AuthenticationProvider) ProviderRegistry.getProvider("x509");
         if (authProvider == null) {
             throw new X509Exception.SSLContextException("Could not create SSLContext with x509 auth provider");