Re: [PR] ZOOKEEPER-5045: Fall back to TLSv1.2 default in FIPS mode [zookeeper]

Tue, 05 May 2026 01:53:08 -0700 


meszibalu commented on code in PR #2380:
URL: https://github.com/apache/zookeeper/pull/2380#discussion_r3187132935


##########
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##########
@@ -87,13 +87,17 @@ public abstract class X509Util implements Closeable, 
AutoCloseable {
         }
     }
 
-    public static final String DEFAULT_PROTOCOL = defaultTlsProtocol();

Review Comment:
   How can a static constant help? The default protocol might be different for 
fips and non fips configurations. We should have two constants in this case.



##########
zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java:
##########
@@ -100,24 +104,39 @@ public void testCreateSSLContextWithoutCustomProtocol(
             X509KeyType caKeyType, X509KeyType certKeyType, String 
keyPassword, Integer paramIndex)
             throws Exception {
         init(caKeyType, certKeyType, keyPassword, paramIndex);
+        System.setProperty(FIPS_MODE_PROPERTY, Boolean.FALSE.toString());
         SSLContext sslContext = x509Util.getDefaultSSLContext();
-        assertEquals(X509Util.DEFAULT_PROTOCOL, sslContext.getProtocol());
+        String defaultTlsProtocol = X509Util.defaultTlsProtocol(new 
ZKConfig());
+        assertEquals(defaultTlsProtocol, sslContext.getProtocol());
 
         // Check that TLSv1.3 is selected in JDKs that support it (OpenJDK 
8u272 and later).
         List<String> supported = 
Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
-        if (supported.contains(X509Util.TLS_1_3)) {
+        if (supported.contains(TLS_1_3)) {
             // SSLContext protocol.
-            assertEquals(X509Util.TLS_1_3, sslContext.getProtocol());
+            assertEquals(TLS_1_3, sslContext.getProtocol());
             // Enabled protocols.
             List<String> protos = 
Arrays.asList(sslContext.getDefaultSSLParameters().getProtocols());
-            assertTrue(protos.contains(X509Util.TLS_1_2));
-            assertTrue(protos.contains(X509Util.TLS_1_3));
+            assertTrue(protos.contains(TLS_1_2));
+            assertTrue(protos.contains(TLS_1_3));
         } else {
-            assertEquals(X509Util.TLS_1_2, sslContext.getProtocol());
-            assertArrayEquals(new String[]{X509Util.TLS_1_2}, 
sslContext.getDefaultSSLParameters().getProtocols());
+            assertEquals(TLS_1_2, sslContext.getProtocol());
+            assertArrayEquals(new String[]{TLS_1_2}, 
sslContext.getDefaultSSLParameters().getProtocols());
         }
     }
 
+    @ParameterizedTest
+    @MethodSource("data")
+    @Timeout(value = 5)
+    public void testCreateSSLContextWithoutCustomProtocol_FIPSEnabled(

Review Comment:
   Is this the right naming convention? (`_FIPSEnabled`)



##########
zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java:
##########
@@ -100,24 +104,39 @@ public void testCreateSSLContextWithoutCustomProtocol(
             X509KeyType caKeyType, X509KeyType certKeyType, String 
keyPassword, Integer paramIndex)
             throws Exception {
         init(caKeyType, certKeyType, keyPassword, paramIndex);
+        System.setProperty(FIPS_MODE_PROPERTY, Boolean.FALSE.toString());
         SSLContext sslContext = x509Util.getDefaultSSLContext();
-        assertEquals(X509Util.DEFAULT_PROTOCOL, sslContext.getProtocol());
+        String defaultTlsProtocol = X509Util.defaultTlsProtocol(new 
ZKConfig());
+        assertEquals(defaultTlsProtocol, sslContext.getProtocol());
 
         // Check that TLSv1.3 is selected in JDKs that support it (OpenJDK 
8u272 and later).
         List<String> supported = 
Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
-        if (supported.contains(X509Util.TLS_1_3)) {
+        if (supported.contains(TLS_1_3)) {
             // SSLContext protocol.
-            assertEquals(X509Util.TLS_1_3, sslContext.getProtocol());
+            assertEquals(TLS_1_3, sslContext.getProtocol());
             // Enabled protocols.
             List<String> protos = 
Arrays.asList(sslContext.getDefaultSSLParameters().getProtocols());
-            assertTrue(protos.contains(X509Util.TLS_1_2));
-            assertTrue(protos.contains(X509Util.TLS_1_3));
+            assertTrue(protos.contains(TLS_1_2));
+            assertTrue(protos.contains(TLS_1_3));
         } else {
-            assertEquals(X509Util.TLS_1_2, sslContext.getProtocol());
-            assertArrayEquals(new String[]{X509Util.TLS_1_2}, 
sslContext.getDefaultSSLParameters().getProtocols());
+            assertEquals(TLS_1_2, sslContext.getProtocol());
+            assertArrayEquals(new String[]{TLS_1_2}, 
sslContext.getDefaultSSLParameters().getProtocols());
         }
     }
 
+    @ParameterizedTest
+    @MethodSource("data")
+    @Timeout(value = 5)
+    public void testCreateSSLContextWithoutCustomProtocol_FIPSEnabled(
+            X509KeyType caKeyType, X509KeyType certKeyType, String 
keyPassword, Integer paramIndex)
+            throws Exception {
+        init(caKeyType, certKeyType, keyPassword, paramIndex);
+        System.setProperty(FIPS_MODE_PROPERTY, Boolean.TRUE.toString());
+        SSLContext sslContext = x509Util.getDefaultSSLContext();
+        assertEquals(TLS_1_2, sslContext.getProtocol());
+        assertArrayEquals(new String[]{TLS_1_2}, 
sslContext.getDefaultSSLParameters().getProtocols());
+    }

Review Comment:
   Can you create a test case where use set `javax.net.ssl.trustStore`, 
`javax.net.ssl.trustStorePassword` and `javax.net.ssl.trustStoreType` to a not 
existent keystore and see if the default protocol determination does work?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to