Skip to content

Replace deprecated TLS cipher suite in SSLCertificateTest#1121

Merged
chrjohn merged 4 commits into
masterfrom
copilot/fix-ssl-certificate-test
Jan 21, 2026
Merged

Replace deprecated TLS cipher suite in SSLCertificateTest#1121
chrjohn merged 4 commits into
masterfrom
copilot/fix-ssl-certificate-test

Conversation

Copilot AI commented Jan 21, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

SSLCertificateTest fails on newer JDKs because TLS_RSA_WITH_AES_128_CBC_SHA is deprecated per IETF draft-ietf-tls-deprecate-obsolete-kex.

Changes

  • Replaced TLS_RSA_WITH_AES_128_CBC_SHA with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 in parameterized test configuration
  • Removed TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA from CERTIFICATE_REQUIRED_CIPHER_SUITES constant

The replacement cipher suite provides forward secrecy via ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) key exchange and modern AES-GCM authenticated encryption while maintaining TLSv1.2 compatibility. This addresses the IETF deprecation of ALL cipher suites using static RSA key exchange (all TLS_RSA_* suites), not just CBC mode.

[!WARNING]

Original prompt

This section details on the original issue you should resolve

<filter_complete></filter_complete>

<issue_title>SSLCertificateTest fails with newer JDKs</issue_title>
<issue_description>This is most probably due to the deprecation of cipher suite TLS_RSA_WITH_AES_128_CBC_SHA which is used in this test.

See https://datatracker.ietf.org/doc/draft-ietf-tls-deprecate-obsolete-kex/

We should use an alternative cipher suite which is not deprecated.
</issue_description>

Comments on the Issue (you are @copilot in this section)

Original prompt

This section details on the original issue you should resolve

<issue_title>SSLCertificateTest fails with newer JDKs</issue_title>
<issue_description>This is most probably due to the deprecation of cipher suite TLS_RSA_WITH_AES_128_CBC_SHA which is used in this test.

See https://datatracker.ietf.org/doc/draft-ietf-tls-deprecate-obsolete-kex/

We should use an alternative cipher suite which is not deprecated.
</issue_description>

Comments on the Issue (you are @copilot in this section)

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@chrjohn chrjohn added this to the QFJ 3.0.0 milestone Jan 21, 2026
Copilot AI and others added 2 commits January 21, 2026 15:50
@chrjohn
Replace deprecated TLS_RSA_WITH_AES_128_CBC_SHA with TLS_RSA_WITH_AES…
a6d4adf 
…_128_GCM_SHA256

Co-authored-by: chrjohn <6644028+chrjohn@users.noreply.github.com>
@chrjohn
Remove deprecated cipher suites from CERTIFICATE_REQUIRED_CIPHER_SUIT…
c9031e3 
…ES constant

Co-authored-by: chrjohn <6644028+chrjohn@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix SSLCertificateTest to use non-deprecated cipher suite Replace deprecated TLS cipher suite in SSLCertificateTest Jan 21, 2026
Copilot AI requested a review from chrjohn January 21, 2026 16:05
@chrjohn chrjohn marked this pull request as ready for review January 21, 2026 16:41
@chrjohn chrjohn changed the title Replace deprecated TLS cipher suite in SSLCertificateTest Replace deprecated TLS cipher suite in SSLCertificateTest Jan 21, 2026
@chrjohn

chrjohn commented Jan 21, 2026

Copy link
Copy Markdown
Member

@copilot this does not look good, errors are the same. Please have a look.

@chrjohn
Use TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 instead of TLS_RSA_* suites
2f524f9 
Co-authored-by: chrjohn <6644028+chrjohn@users.noreply.github.com>

Copilot AI commented Jan 21, 2026
edited
Loading

Copy link
Copy Markdown
Contributor Author

@copilot this does not look good, errors are the same. Please have a look.

Fixed in commit 2f524f9. The issue was that ALL TLS_RSA_* cipher suites (including the GCM variant I initially used) are deprecated due to static RSA key exchange. The correct solution is to use TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 which provides forward secrecy via ECDHE key exchange. Tests now pass successfully.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • datatracker.ietf.org
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
  • https://api.github.com/repos/quickfix-j/quickfixj/actions/runs
    • Triggering command: /usr/bin/curl curl -s -H Accept: application/vnd.github&#43;json REDACTED (http block)
  • localhost-quickfixj
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -Xmx2g -Djava.net.preferIPv4Stack=true --add-opens java.base/java.lang=ALL-UNNAMED -jar /home/REDACTED/work/quickfixj/quickfixj/quickfixj-core/target/surefire/surefirebooter-20260121174540627_3.jar /home/REDACTED/work/quickfixj/quickfixj/quickfixj-core/target/surefire 2026-01-21T17-45-39_717-jvmRun1 surefire-20260121174540627_1tmp surefire_0-20260121174540627_2tmp (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -Xmx2g -Djava.net.preferIPv4Stack=true --add-opens java.base/java.lang=ALL-UNNAMED -jar /home/REDACTED/work/quickfixj/quickfixj/quickfixj-core/target/surefire/surefirebooter-20260121174837517_3.jar /home/REDACTED/work/quickfixj/quickfixj/quickfixj-core/target/surefire 2026-01-21T17-48-37_452-jvmRun1 surefire-20260121174837517_1tmp surefire_0-20260121174837517_2tmp (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -Xmx2g -Djava.net.preferIPv4Stack=true --add-opens java.base/java.lang=ALL-UNNAMED -jar /home/REDACTED/work/quickfixj/quickfixj/quickfixj-core/target/surefire/surefirebooter-20260121175256043_3.jar /home/REDACTED/work/quickfixj/quickfixj/quickfixj-core/target/surefire 2026-01-21T17-52-55_972-jvmRun1 surefire-20260121175256043_1tmp surefire_0-20260121175256043_2tmp (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

@chrjohn chrjohn merged commit 2b1a850 into master Jan 21, 2026
21 checks passed
@chrjohn chrjohn deleted the copilot/fix-ssl-certificate-test branch January 21, 2026 19:45
@the-thing the-thing mentioned this pull request Jan 23, 2026
Open
chrjohn added a commit that referenced this pull request Feb 23, 2026
@chrjohn
Merge pull request #1121 from quickfix-j/copilot/fix-ssl-certificate-…
34a1790 
…test

Replace deprecated TLS cipher suite in `SSLCertificateTest`

(cherry picked from commit 2b1a850)
chrjohn added a commit that referenced this pull request Feb 23, 2026
@chrjohn
Merge pull request #1145 from quickfix-j/cherry-pick-ssl
12397bc 
Merge pull request #1121 from quickfix-j/copilot/fix-ssl-certificate-…
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chrjohn chrjohn Awaiting requested review from chrjohn

Assignees

@chrjohn chrjohn

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

QFJ 3.0.0

Development

Successfully merging this pull request may close these issues.

SSLCertificateTest fails with newer JDKs

2 participants

@chrjohn