apache · aweisberg · Nov 6, 2023
diff --git a/test/distributed/org/apache/cassandra/distributed/test/AbstractEncryptionOptionsImpl.java b/test/distributed/org/apache/cassandra/distributed/test/AbstractEncryptionOptionsImpl.java
@@ -18,17 +18,22 @@
 
 package org.apache.cassandra.distributed.test;
 
+import java.net.InetAddress;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.concurrent.atomic.AtomicReference;
-
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLSession;
 
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
-import org.apache.cassandra.utils.concurrent.Condition;
+import com.google.common.collect.ImmutableSet;
 import org.junit.Assert;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -52,11 +57,15 @@
 import org.apache.cassandra.exceptions.ConfigurationException;
 import org.apache.cassandra.security.ISslContextFactory;
 import org.apache.cassandra.security.SSLFactory;
+import org.apache.cassandra.utils.concurrent.Condition;
 
+import static com.google.common.collect.ImmutableList.toImmutableList;
 import static java.util.concurrent.TimeUnit.SECONDS;
 import static org.apache.cassandra.distributed.test.AbstractEncryptionOptionsImpl.ConnectResult.CONNECTING;
 import static org.apache.cassandra.distributed.test.AbstractEncryptionOptionsImpl.ConnectResult.UNINITIALIZED;
 import static org.apache.cassandra.utils.concurrent.Condition.newOneTimeCondition;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
 
 public class AbstractEncryptionOptionsImpl extends TestBaseImpl
 {
@@ -358,4 +367,48 @@ void assertCannotStartDueToConfigurationException(Cluster cluster)
             Assert.assertEquals(ConfigurationException.class.getName(), tr.getClass().getName());
         }
     }
+
+    protected static List<String> getAcceptedProtocolsForNegotationTest()
+    {
+        Set<String> supportedProtocols = null;
+        try
+        {
+            supportedProtocols = ImmutableSet.copyOf(Arrays.asList(SSLContext.getDefault().createSSLEngine().getEnabledProtocols()));
+        }
+        catch (NoSuchAlgorithmException e)
+        {
+            throw new RuntimeException(e);
+        }
+        List<String> maybeAcceptedProtocolVersions = ImmutableList.of("TLSv1.2", "TLSv1.3");
+        return maybeAcceptedProtocolVersions.stream().filter(supportedProtocols::contains).collect(toImmutableList());
+    }
+
+    protected void testProtocolNegotation(Cluster cluster, int port) throws Throwable
+    {
+        Set<String> supportedProtocolVersions = ImmutableSet.copyOf(Arrays.asList(SSLContext.getDefault().createSSLEngine().getEnabledProtocols()));
+        List<String> deprecatedProtocolVersions = ImmutableList.of("TLSv1", "TLSv1.1");
+        List<String> mandatoryProtocolVersions = ImmutableList.of("TLSv1.2", "TLSv1.3");
+        List<String> acceptedProtocolVersions = getAcceptedProtocolsForNegotationTest();
+        assertTrue("Not all mandatory protocol versions are supported, mandatory " + mandatoryProtocolVersions + " accepted " + acceptedProtocolVersions,
+                   acceptedProtocolVersions.containsAll(mandatoryProtocolVersions));
+        assertFalse("Accepted protocol versions contains deprecated protocol versions, deprecated " + deprecatedProtocolVersions + " accepted " + supportedProtocolVersions,
+                    acceptedProtocolVersions.stream().anyMatch(deprecatedProtocolVersions::contains));
+        InetAddress address = cluster.get(1).config().broadcastAddress().getAddress();
+
+        for (String deprecatedProtocolVersion : deprecatedProtocolVersions)
+        {
+            TlsConnection tlsConnection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList(deprecatedProtocolVersion));
+            Assert.assertEquals("Should not be possible to establish a " + deprecatedProtocolVersion + " connection",
+                                ConnectResult.FAILED_TO_NEGOTIATE, tlsConnection.connect());
+            tlsConnection.assertReceivedHandshakeException();
+        }
+
+        for (String protocolVersion : acceptedProtocolVersions)
+        {
+            TlsConnection tlsConnection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList(protocolVersion));
+            Assert.assertEquals("Should be possible to establish a TLSv1.1 connection",
+                                ConnectResult.NEGOTIATED, tlsConnection.connect());
+            Assert.assertEquals(protocolVersion, tlsConnection.lastProtocol());
+        }
+    }
 }
diff --git a/test/distributed/org/apache/cassandra/distributed/test/InternodeEncryptionOptionsTest.java b/test/distributed/org/apache/cassandra/distributed/test/InternodeEncryptionOptionsTest.java
@@ -21,14 +21,15 @@
 import java.net.InetAddress;
 import java.util.Collections;
 
-import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import org.junit.Assert;
 import org.junit.Test;
 
 import org.apache.cassandra.distributed.Cluster;
 import org.apache.cassandra.distributed.api.Feature;
 
+import static org.junit.Assert.assertTrue;
+
 public class InternodeEncryptionOptionsTest extends AbstractEncryptionOptionsImpl
 {
     @Test
@@ -213,7 +214,7 @@ public void allInternodeEncryptionEstablishedTest() throws Throwable
                 Object[][] result = cluster.get(i).executeInternal("SELECT successful_connection_attempts, address, port FROM system_views.internode_outbound");
                 Assert.assertEquals(1, result.length);
                 long successfulConnectionAttempts = (long) result[0][0];
-                Assert.assertTrue("At least one connection: " + successfulConnectionAttempts, successfulConnectionAttempts > 0);
+                assertTrue("At least one connection: " + successfulConnectionAttempts, successfulConnectionAttempts > 0);
             }
         }
     }
@@ -236,33 +237,12 @@ public void negotiatedProtocolMustBeAcceptedProtocolTest() throws Throwable
             c.set("server_encryption_options",
                   ImmutableMap.builder().putAll(validKeystore)
                               .put("internode_encryption", "all")
-                              .put("accepted_protocols", ImmutableList.of("TLSv1.1", "TLSv1.2", "TLSv1.3"))
+                              .put("accepted_protocols", getAcceptedProtocolsForNegotationTest())
                               .build());
         }).start())
         {
-            InetAddress address = cluster.get(1).config().broadcastAddress().getAddress();
             int port = cluster.get(1).config().broadcastAddress().getPort();
-
-            // deprecated
-            TlsConnection tls10Connection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList("TLSv1"));
-            Assert.assertEquals("Should not be possible to establish a TLSv1 connection",
-                                ConnectResult.FAILED_TO_NEGOTIATE, tls10Connection.connect());
-            tls10Connection.assertReceivedHandshakeException();
-
-            TlsConnection tls11Connection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList("TLSv1.1"));
-            Assert.assertEquals("Should be possible to establish a TLSv1.1 connection",
-                                ConnectResult.NEGOTIATED, tls11Connection.connect());
-            Assert.assertEquals("TLSv1.1", tls11Connection.lastProtocol());
-
-            TlsConnection tls12Connection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList("TLSv1.2"));
-            Assert.assertEquals("Should be possible to establish a TLSv1.2 connection",
-                                ConnectResult.NEGOTIATED, tls12Connection.connect());
-            Assert.assertEquals("TLSv1.2", tls12Connection.lastProtocol());
-
-            TlsConnection tls13Connection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList("TLSv1.3"));
-            Assert.assertEquals("Should be possible to establish a TLSv1.3 connection",
-                                ConnectResult.NEGOTIATED, tls13Connection.connect());
-            Assert.assertEquals("TLSv1.3", tls13Connection.lastProtocol());
+            testProtocolNegotation(cluster, port);
         }
     }
 

diff --git a/...stributed/org/apache/cassandra/distributed/test/NativeTransportEncryptionOptionsTest.java b/...stributed/org/apache/cassandra/distributed/test/NativeTransportEncryptionOptionsTest.java
@@ -23,11 +23,9 @@
 import java.net.InetAddress;
 import java.security.KeyStore;
 import java.util.Collections;
-
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManagerFactory;
 
-import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import org.junit.Assert;
 import org.junit.Rule;
@@ -170,32 +168,12 @@ public void negotiatedProtocolMustBeAcceptedProtocolTest() throws Throwable
             c.set("client_encryption_options",
                   ImmutableMap.builder().putAll(validKeystore)
                               .put("enabled", true)
-                              .put("accepted_protocols", ImmutableList.of("TLSv1.1", "TLSv1.2", "TLSv1.3"))
+                              .put("accepted_protocols", getAcceptedProtocolsForNegotationTest())
                               .build());
         }).start())
         {
-            InetAddress address = cluster.get(1).config().broadcastAddress().getAddress();
             int port = (int) cluster.get(1).config().get("native_transport_port");
-
-            TlsConnection tls10Connection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList("TLSv1"));
-            Assert.assertEquals("Should not be possible to establish a TLSv1 connection",
-                                ConnectResult.FAILED_TO_NEGOTIATE, tls10Connection.connect());
-            tls10Connection.assertReceivedHandshakeException();
-
-            TlsConnection tls11Connection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList("TLSv1.1"));
-            Assert.assertEquals("Should be possible to establish a TLSv1.1 connection",
-                                ConnectResult.NEGOTIATED, tls11Connection.connect());
-            Assert.assertEquals("TLSv1.1", tls11Connection.lastProtocol());
-
-            TlsConnection tls12Connection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList("TLSv1.2"));
-            Assert.assertEquals("Should be possible to establish a TLSv1.2 connection",
-                                ConnectResult.NEGOTIATED, tls12Connection.connect());
-            Assert.assertEquals("TLSv1.2", tls12Connection.lastProtocol());
-
-            TlsConnection tls13Connection = new TlsConnection(address.getHostAddress(), port, Collections.singletonList("TLSv1.3"));
-            Assert.assertEquals("Should be possible to establish a TLSv1.3 connection",
-                                ConnectResult.NEGOTIATED, tls13Connection.connect());
-            Assert.assertEquals("TLSv1.3", tls13Connection.lastProtocol());
+            testProtocolNegotation(cluster, port);
         }
     }