nizhikov commented on a change in pull request #8695:
URL: https://github.com/apache/kafka/pull/8695#discussion_r433270767



##########
File path: 
clients/src/test/java/org/apache/kafka/common/network/SslTransportLayerTest.java
##########
@@ -622,6 +632,108 @@ public void testUnsupportedTLSVersion() throws Exception {
         server.verifyAuthenticationMetrics(0, 1);
     }
 
+    /**
+     * Tests that connections fails if TLSv1.3 enabled but cipher suite 
suitable only for TLSv1.2 used.
+     */
+    @Test
+    public void testCiphersSuiteForTls12FailsForTls13() throws Exception {
+        assumeTrue(Java.IS_JAVA11_COMPATIBLE);
+
+        SSLContext context = SSLContext.getInstance(tlsProtocol);
+        context.init(null, null, null);
+
+        String cipherSuite = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
+
+        sslServerConfigs.put(SslConfigs.SSL_PROTOCOL_CONFIG, "TLSv1.3");
+        sslServerConfigs.put(SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, 
Collections.singletonList("TLSv1.3"));
+        sslServerConfigs.put(SslConfigs.SSL_CIPHER_SUITES_CONFIG, 
Collections.singletonList(cipherSuite));
+        server = createEchoServer(SecurityProtocol.SSL);
+
+        sslClientConfigs.put(SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, 
Collections.singletonList("TLSv1.3"));
+        sslClientConfigs.put(SslConfigs.SSL_CIPHER_SUITES_CONFIG, 
Collections.singletonList(cipherSuite));
+
+        checkAuthentiationFailed("0", "TLSv1.3");
+        server.verifyAuthenticationMetrics(0, 1);
+    }
+
+    /**
+     * Tests that connections can't be made if server uses TLSv1.2 with custom 
cipher suite and client uses TLSv1.3.
+     */
+    @Test
+    public void testCiphersSuiteFailForServerTls12ClientTls13() throws 
Exception {
+        assumeTrue(Java.IS_JAVA11_COMPATIBLE);
+
+        String tls12CipherSuite = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
+        String tls13CipherSuite = "TLS_AES_128_GCM_SHA256";
+
+        sslServerConfigs.put(SslConfigs.SSL_PROTOCOL_CONFIG, "TLSv1.2");
+        sslServerConfigs.put(SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, 
Collections.singletonList("TLSv1.2"));
+        sslServerConfigs.put(SslConfigs.SSL_CIPHER_SUITES_CONFIG, 
Collections.singletonList(tls12CipherSuite));
+        server = createEchoServer(SecurityProtocol.SSL);
+
+        sslClientConfigs.put(SslConfigs.SSL_PROTOCOL_CONFIG, "TLSv1.3");
+        sslClientConfigs.put(SslConfigs.SSL_CIPHER_SUITES_CONFIG, 
Collections.singletonList(tls13CipherSuite));
+
+        checkAuthentiationFailed("0", "TLSv1.3");
+        server.verifyAuthenticationMetrics(0, 1);
+    }
+
+    /**
+     * Tests that connections can be made with TLSv1.3 cipher suite.
+     */
+    @Test
+    public void testCiphersSuiteForTls13() throws Exception {
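Review bot: In testCiphersSuiteFailForServerTls12ClientTls13 the client sets only SSL_PROTOCOL_CONFIG to "TLSv1.3" and never restricts SSL_ENABLED_PROTOCOLS_CONFIG, unlike the server side and unlike testCiphersSuiteForTls12FailsForTls13, so the test may not actually pin the client to TLSv1.3. Unless checkAuthentiationFailed (its body is not in the hunk) applies its "TLSv1.3" argument to the enabled protocols, the handshake could be failing only because the two cipher-suite lists do not overlap, which is a different condition from the protocol mismatch the Javadoc describes. Adding `sslClientConfigs.put(SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, Collections.singletonList("TLSv1.3"));` before the check would make the intended mismatch explicit. Separately, `context` in testCiphersSuiteForTls12FailsForTls13 is created and initialised but never used in the visible lines and could be dropped. The quoted hunk stops at the signature of testCiphersSuiteForTls13, so that test is not covered by this note.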

Review comment:
       Fixed.
   The cause was the line 
   `NetworkTestUtils.waitForChannelClose(selector, node, 
ChannelState.State.READY);`
   
   We shouldn't wait for the channel to close.
   Now the test runs locally in less than a second.



