From e54aeea1da958bcbcd2d4e127fa8bf85925df204 Mon Sep 17 00:00:00 2001 From: Norman Maurer Date: Tue, 11 May 2021 10:40:54 +0200 Subject: [PATCH] Update conscrypt and add workaround for test failure (#11238) Motivation: Conscrypt not correctly filters out non support TLS versions which may lead to test failures. Related to https://github.com/google/conscrypt/issues/1013 Modifications: - Bump up to latest patch release - Add workaround Result: No more test failures caused by conscrypt --- .../io/netty/handler/ssl/SSLEngineTest.java | 17 +++++++++++++---- pom.xml | 2 +- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java b/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java index 94c1caf9cd..599887b07a 100644 --- a/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java +++ b/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java @@ -2052,6 +2052,15 @@ public abstract class SSLEngineTest { } } + private String[] nonContiguousProtocols(SslProvider provider) { + if (provider != null) { + // conscrypt not correctly filters out TLSv1 and TLSv1.1 which is required now by the JDK. + // https://github.com/google/conscrypt/issues/1013 + return new String[] { PROTOCOL_TLS_V1_2 }; + } + return new String[] {PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1}; + } + @Test public void testHandshakeCompletesWithNonContiguousProtocolsTLSv1_2CipherOnly() throws Exception { SelfSignedCertificate ssc = new SelfSignedCertificate(); 
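Review bot: The `provider != null` check in `nonContiguousProtocols` does not identify Conscrypt, so every caller that has any `SslProvider` set gets the TLSv1.2-only list. If `sslClientProvider()` and `sslServerProvider()` never return null in the subclasses (not visible in this patch), the `{PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1}` branch is dead. In that case the four `.protocols(nonContiguousProtocols(...))` call sites in the two later SSLEngineTest hunks no longer exercise a non-contiguous protocol list for any engine, which silently narrows coverage of protocol filtering. Keying the helper on the value handed to `.sslContextProvider(...)`, e.g. `nonContiguousProtocols(clientSslContextProvider())`, or on an explicit Conscrypt check would confine the workaround to the affected provider. The helper would also benefit from a comment saying which providers get the reduced list and that it should be removed once the linked conscrypt issue is resolved.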
@@ -2061,14 +2070,14 @@ public abstract class SSLEngineTest { clientSslCtx = wrapContext(SslContextBuilder.forClient() .trustManager(InsecureTrustManagerFactory.INSTANCE) .ciphers(Collections.singletonList(sharedCipher)) - .protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1) + .protocols(nonContiguousProtocols(sslClientProvider())) .sslContextProvider(clientSslContextProvider()) .sslProvider(sslClientProvider()) .build()); serverSslCtx = wrapContext(SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()) .ciphers(Collections.singletonList(sharedCipher)) - .protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1) + .protocols(nonContiguousProtocols(sslServerProvider())) .sslContextProvider(serverSslContextProvider()) .sslProvider(sslServerProvider()) .build()); @@ -2094,14 +2103,14 @@ public abstract class SSLEngineTest { clientSslCtx = wrapContext(SslContextBuilder.forClient() .trustManager(InsecureTrustManagerFactory.INSTANCE) .ciphers(Collections.singletonList(sharedCipher), SupportedCipherSuiteFilter.INSTANCE) - .protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1) + .protocols(nonContiguousProtocols(sslClientProvider())) .sslContextProvider(clientSslContextProvider()) .sslProvider(sslClientProvider()) .build()); serverSslCtx = wrapContext(SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()) .ciphers(Collections.singletonList(sharedCipher), SupportedCipherSuiteFilter.INSTANCE) - .protocols(PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1) + .protocols(nonContiguousProtocols(sslServerProvider())) .sslContextProvider(serverSslContextProvider()) .sslProvider(sslServerProvider()) .build()); diff --git a/pom.xml b/pom.xml index 71691533cf..f16830f76f 100644 --- a/pom.xml +++ b/pom.xml @@ -331,7 +331,7 @@ ${os.detected.classifier} org.conscrypt conscrypt-openjdk-uber - 2.5.1 + 2.5.2 1.68 ${os.detected.name}-${os.detected.arch}