dan jatnieks created CASSANDRA-18540: ----------------------------------------
Summary: negotiatedProtocolMustBeAcceptedProtocolTest tests fail with "TLSv1.1 failed to negotiate" on JDK17 Key: CASSANDRA-18540 URL: https://issues.apache.org/jira/browse/CASSANDRA-18540 Project: Cassandra Issue Type: Bug Components: CI Reporter: dan jatnieks Note: This depends on having a fix for CASSANDRA-18180, otherwise most/all tests in {{NativeTransportEncryptionOptionsTest}} and {{InternodeEncryptionOptionsTest}} are failing due to that issue. Using the patch for CASSANDRA-18180, the {{negotiatedProtocolMustBeAcceptedProtocolTest}} test in both {{NativeTransportEncryptionOptionsTest}} and {{InternodeEncryptionOptionsTest}} fails with "TLSv1.1 failed to negotiate" on JDK17. >From what I can see, the {{negotiatedProtocolMustBeAcceptedProtocolTest}} is >failing because in JDK11 and JDK17 the "TLSv1.1" protocol is disabled. Since TLSv1.1 is disabled in JDK11 and 17, one possibility is to change the test to use TLSv1.2 instead of TLSv1.1. That should work directly with JDK11 and 17, since TLSv1.2 is one of the defaults, and it won't be an issue for JDK8 as that will be dropped. Also, I think the point of the {{negotiatedProtocolMustBeAcceptedProtocolTest}} is to test that the {{accepted_protocols}} option is working correctly rather than the choice of _which_ protocol is used. Meaning, I don’t think the intent was to test TLSv1.1 specifically, rather that the mechanism of accepted protocols works and choosing TLSv1.1 was at the time convenient - but I could be wrong. It also seems to me like bit of a coincidence that these tests are currently working on JDK11, at least on CI. Indeed, running locally with JDK11, these fail for me: {noformat} $ pwd /Users/dan.jatnieks/apache/cassandra-4.0 $ java -version openjdk version "11.0.11" 2021-04-20 OpenJDK Runtime Environment AdoptOpenJDK-11.0.11+9 (build 11.0.11+9) OpenJDK 64-Bit Server VM AdoptOpenJDK-11.0.11+9 (build 11.0.11+9, mixed mode) $ ant test-jvm-dtest-some -Dtest.name=org.apache.cassandra.distributed.test.NativeTransportEncryptionOptionsTest -Duse.jdk11=true ... [junit-timeout] Testcase: negotiatedProtocolMustBeAcceptedProtocolTest(org.apache.cassandra.distributed.test.NativeTransportEncryptionOptionsTest): FAILED [junit-timeout] Should be possible to establish a TLSv1.1 connection expected:<NEGOTIATED> but was:<FAILED_TO_NEGOTIATE> [junit-timeout] junit.framework.AssertionFailedError: Should be possible to establish a TLSv1.1 connection expected:<NEGOTIATED> but was:<FAILED_TO_NEGOTIATE> [junit-timeout] at org.apache.cassandra.distributed.test.NativeTransportEncryptionOptionsTest.negotiatedProtocolMustBeAcceptedProtocolTest(NativeTransportEncryptionOptionsTest.java:160) [junit-timeout] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [junit-timeout] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [junit-timeout] at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) {noformat} I believe these work on CI because of CASSANDRA-16848 - in that ticket, a specific JDK8 build (accidentally?) dropped TLSv1.1 (later added again) which led to adding some docker code to make sure TLSv1.1 is accepted. I say coincidence because this change also makes it work for JDK11 and JDK17, and I've been able to verify that making a change locally to the JDK {{java.security}} file. I’m not sure that at the time of CASSANDRA-16848 it was intended for any JDK versions. The point of mentioning this is that if {{negotiatedProtocolMustBeAcceptedProtocolTest}} is changed to use TLSv1.2, and support for JDK8 is dropped, then the changes made in CASSANDRA-16848 could also be reverted. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org