Hello,

> The test code appears to select TLSV1.2.


https://github.com/apache/commons-net/blob/fd06a81fd4ea3ace33d397935c76a4e014088fa2/src/test/java/org/apache/commons/net/ftp/FTPSClientTest.java#L103


The test code seems to limit the client to TLS1 only. Not sure why it does
that; if we remove it, it should probably run with most sane JDKs.



Regards

Bernd

-- 

https://bernd.eckenfels.net



*From: *sebb <seb...@gmail.com>
*Sent: *Monday, 26 July 2021 16:41
*To: *Bernd Eckenfels <e...@zusammenkunft.net>
*Cc: *Commons Developers List <dev@commons.apache.org>
*Subject: *Re: [NET] FTPSClientTest fails on AdoptOpenJDK 8 & 11



On Mon, 26 Jul 2021 at 15:18, Bernd Eckenfels <e...@zusammenkunft.net>
wrote:

>

> You can enable the protocols (see link below) in the java.security policy
> file, but in the long run it’s best to mainly test supported algorithms,
> maybe by conditionally checking it only if available, then a manual
> modified test environment can use the compatibility tests,



I have compared the java.security files between Oracle 8 and AdoptOpenJDK 8.

The latter includes the following:



jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, ...



However Oracle does not list TLSv1 and TLSv1.1.

I tried dropping these two from the AdoptOpenJDK version, and that
allowed the test to complete OK.

However that is not a feasible approach in general.



I have no idea why one of the disabled algorithms is being used.

The test code appears to select TLSV1.2.

How does one choose a supported algo?



> (Btw I don’t think that Oracle behaves better, it is just not tested with
> the commercially supported latest Oracle versions I suspect). The Crypto
> roadmap states tls1 for example is disabled since April in Oracle 8u291.

>

> https://java.com/en/jre-jdk-cryptoroadmap.html

>

> Regards

> Bernd

>

>

> --

> http://bernd.eckenfels.net

> ________________________________

> From: Gary Gregory <garydgreg...@gmail.com>

> Sent: Monday, July 26, 2021 2:57:35 PM

> To: sebb <seb...@gmail.com>

> Cc: CommonsDev <dev@commons.apache.org>

> Subject: Re: [NET] FTPSClientTest fails on AdoptOpenJDK 8 & 11

>

> Hm, there might be some system property to set that says "use this old and

> now deprecated algorithm" or we might have to recreate any certificates

> used in tests with a current JDK 8.

>

> Gary

>

>

> On Mon, Jul 26, 2021, 08:42 sebb <seb...@gmail.com> wrote:

>

> > As the subject says: FTPSClientTest fails with

> >

> > javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol

> > is disabled or cipher suites are inappropriate)

> >

> > when run with AdoptOpenJDK 8 & 11

> > However it works fine with the Oracle version of Java 8 & 11

> >

> > @Gary Gregory : I think you wrote the code -- any idea how to fix it

> > for AdoptOpenJDK?

> >

> > Sebb

> >

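Added example, not part of the thread or of Commons Net: one way to check which TLS protocols the running JDK's `jdk.tls.disabledAlgorithms` setting leaves usable, so that a test pinned to one protocol can be run conditionally as suggested above. The class and method names (`TlsProtocolCheck`, `disabledEntries`, `isDisabled`, `usableProtocols`) are hypothetical, and the sample property string is constructed.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

/** Added example (hypothetical helper, not part of Commons Net). */
public class TlsProtocolCheck {

    /** Entries of jdk.tls.disabledAlgorithms, trimmed; empty if the property is unset. */
    static List<String> disabledEntries(String property) {
        List<String> out = new ArrayList<>();
        if (property != null) {
            for (String entry : property.split(",")) {
                if (!entry.trim().isEmpty()) {
                    out.add(entry.trim());
                }
            }
        }
        return out;
    }

    /** True if the protocol is listed as a whole entry ("TLSv1" does not match "TLSv1.1"). */
    static boolean isDisabled(String protocol, List<String> disabled) {
        for (String entry : disabled) {
            if (entry.equalsIgnoreCase(protocol)) {
                return true;
            }
        }
        return false;
    }

    /** Protocols the default SSLContext supports that the security policy has not disabled. */
    static List<String> usableProtocols(List<String> disabled) throws Exception {
        List<String> usable = new ArrayList<>();
        for (String p : SSLContext.getDefault().getSupportedSSLParameters().getProtocols()) {
            if (!isDisabled(p, disabled)) {
                usable.add(p);
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample modelled on the AdoptOpenJDK line quoted in the thread.
        List<String> sample = disabledEntries("SSLv3, TLSv1, TLSv1.1, RC4");
        System.out.println("sample: TLSv1 disabled=" + isDisabled("TLSv1", sample)
                + ", TLSv1.2 disabled=" + isDisabled("TLSv1.2", sample));

        // The running JDK's actual policy.
        List<String> live = disabledEntries(Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("usable on this JDK: " + usableProtocols(live));
        // A JUnit 4 test pinned to one protocol could skip itself when it is not usable:
        // Assume.assumeTrue(usableProtocols(live).contains("TLSv1"));
    }
}
```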