nizhikov commented on a change in pull request #8695: URL: https://github.com/apache/kafka/pull/8695#discussion_r431857886
########## File path: clients/src/test/java/org/apache/kafka/common/network/SslTransportLayerTest.java ########## 
@@ -622,6 +619,81 @@ public void testUnsupportedTLSVersion() throws Exception {
 server.verifyAuthenticationMetrics(0, 1);
 }
+ /**
+ * Tests that connections fails if TLSv1.3 enabled but cipher suite suitable only for TLSv1.2 used.
+ */
+ @Test
+ public void testCiphersSuiteForTLSv1_2_FailsForTLSv1_3() throws Exception {
+ if (!Java.IS_JAVA11_COMPATIBLE)
+ return;
+
+ SSLContext context = SSLContext.getInstance(tlsProtocol);
+ context.init(null, null, null);
+
+ //Note, that only some ciphers works out of the box. Others requires additional configuration.
+ String cipherSuite = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
+
+ sslServerConfigs.put(SslConfigs.SSL_PROTOCOL_CONFIG, "TLSv1.3");
+ sslServerConfigs.put(SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, Arrays.asList("TLSv1.3"));
+ sslServerConfigs.put(SslConfigs.SSL_CIPHER_SUITES_CONFIG, Arrays.asList(cipherSuite));
+ server = createEchoServer(SecurityProtocol.SSL);
+
+ sslClientConfigs.put(SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, Arrays.asList("TLSv1.3"));
+ sslClientConfigs.put(SslConfigs.SSL_CIPHER_SUITES_CONFIG, Arrays.asList(cipherSuite));
+
+ checkAuthentiationFailed("0", "TLSv1.3");
+ server.verifyAuthenticationMetrics(0, 1);
+ }
+
+ /**
+ * Tests that connections can be made with TLSv1.2 and custom cipher suite.
+ */
+ @Test
+ public void testCiphersSuiteFailForServerTLSv1_2_ClientTLSv1_3() throws Exception {
+ if (!Java.IS_JAVA11_COMPATIBLE)
+ return;
+
+ String cipherSuite = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
+
+ sslServerConfigs.put(SslConfigs.SSL_PROTOCOL_CONFIG, "TLSv1.2");
+ sslServerConfigs.put(SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, Arrays.asList("TLSv1.2"));
+ sslServerConfigs.put(SslConfigs.SSL_CIPHER_SUITES_CONFIG, Arrays.asList(cipherSuite));
+ server = createEchoServer(SecurityProtocol.SSL);
+
+ sslClientConfigs.put(SslConfigs.SSL_PROTOCOL_CONFIG, "TLSv1.3");
+ sslClientConfigs.put(SslConfigs.SSL_CIPHER_SUITES_CONFIG, Arrays.asList(cipherSuite));
+
+ checkAuthentiationFailed("0", "TLSv1.3");
+ }
+
+ /**
+ * Tests that connections can be made with TLSv1.2 and custom cipher suite.
+ */
+ @Test
+ public void testCiphersSuiteForTLSv1_2() throws Exception {
Review comment: Done.
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
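Review bot: `SSLContext context` in testCiphersSuiteForTLSv1_2_FailsForTLSv1_3 is obtained and initialized with `context.init(null, null, null)` but never read afterwards — the test drives everything through sslServerConfigs/sslClientConfigs and createEchoServer — so those two lines are dead code and should be dropped rather than left as a misleading hint that the test exercises a hand-built context. The Javadoc on testCiphersSuiteFailForServerTLSv1_2_ClientTLSv1_3 is copied from the following test and says connections "can be made", while the body asserts a failure; it should read `* Tests that the handshake fails when the server allows only TLSv1.2 and the client is configured for TLSv1.3 with a TLSv1.2-only cipher suite.` That test also sets only `SSL_PROTOCOL_CONFIG` on the client, unlike the first test which pins `SSL_ENABLED_PROTOCOLS_CONFIG` as well; if the enabled-protocols default still admits TLSv1.2 the client could negotiate TLSv1.2 with this suite and the expected failure would not happen, so adding `sslClientConfigs.put(SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, Arrays.asList("TLSv1.3"));` makes the intent explicit — worth confirming against the defaults this PR establishes. Minor wording in the new comments (`connections fails`, `ciphers works`, `Others requires`) should be fixed to `connection fails`, `ciphers work`, `Others require`. The quoted hunk stops at the opening line of testCiphersSuiteForTLSv1_2; its body and the remainder of the 81-line hunk are outside this view.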