ZOOKEEPER-5045: Fall back to TLSv1.2 default in FIPS mode#2380
Open
PDavid wants to merge 4 commits into apache:master from
Conversation
bb72473 to 72ddee6
anmolnar requested changes May 4, 2026
| public static String defaultTlsProtocol(ZKConfig config) { | ||
| if (getFipsMode(config)) { | ||
| LOG.info("FIPS mode is enabled. Fall back to TLSv1.2 as the default protocol."); | ||
| return TLS_1_2; |
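Review bot: the FIPS branch logs at INFO on every call of `defaultTlsProtocol(ZKConfig)`, so if this is invoked for each SSLContext created the "FIPS mode is enabled. Fall back to TLSv1.2" line will repeat in the log. The result depends only on the config and the runtime, so compute it once and log once (or log at DEBUG). The message and the method Javadoc should also state why TLSv1.2 is the choice under FIPS, since as written a reader cannot tell whether it is a provider limitation or a policy decision, which is exactly the 1.3-vs-1.2 question raised in review.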
Contributor
I'm still not sure about whether this should be 1.3 or 1.2
meszibalu reviewed May 5, 2026
Tests when the default truststore of the JVM (javax.net.ssl.trustStore) points to a nonexistent file.
Contributor (Author)
Hmm, X509UtilTest.testCreateSSLContext* tests failed in the PR build. I'll have a look.
Contributor
How about the following?

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.SSLContext;

// Computed at most once; compareAndSet makes concurrent first callers agree on one value.
private final AtomicReference<String> defaultProtocol = new AtomicReference<>();

/**
 * Return TLSv1.2 when FIPS mode is enabled.
 * Otherwise, returns TLSv1.3 or TLSv1.2 depending on Java runtime version being used.
 * TLSv1.3 was first introduced in JDK11 and back-ported to OpenJDK 8u272.
 */
public String defaultTlsProtocol(ZKConfig config) {
    String proto = defaultProtocol.get();
    if (proto != null) {
        return proto;
    }
    String protocol = TLS_1_2;
    if (!getFipsMode(config)) {
        List<String> supported = new ArrayList<>();
        try {
            // Ask the JSSE provider which protocol versions this runtime supports.
            supported = Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
            LOG.info("Supported TLS protocols are {}", supported);
            if (supported.contains(TLS_1_3)) {
                protocol = TLS_1_3;
            }
        } catch (NoSuchAlgorithmException e) {
            // Ignore: keep the TLSv1.2 baseline if the provider cannot be queried.
        }
    }
    if (defaultProtocol.compareAndSet(null, protocol)) {
        LOG.info("Default TLS protocol is {}", protocol);
    } else {
        // Another thread won the race; use the value it published.
        protocol = defaultProtocol.get();
    }
    return protocol;
}
```
Contributor
@meszibalu Actually it could be static/singleton, we don't need to calculate it for every single instance, do we?
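One way to make the selection a per-JVM singleton without the AtomicReference race, as an added example that is not code from this PR or from ZooKeeper: the initialization-on-demand holder idiom lets the JVM guarantee the value is computed exactly once, and the pure selection step is separated from the provider query so it can be unit-tested without an SSLContext. The class and method names, and the `example.fips` system property standing in for ZKConfig-driven FIPS detection, are illustrative assumptions. It also carries the caveat a practitioner wants here: it reads the protocols the runtime enables by default (`getDefaultSSLParameters()`), because the "supported" list can include versions that `jdk.tls.disabledAlgorithms` has switched off, in which case picking TLSv1.3 from it would fail at handshake time.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;

/**
 * Added example (not ZooKeeper code). Chooses the default TLS protocol once per JVM.
 * Names and the example.fips property are illustrative assumptions.
 */
public final class TlsProtocolDefault {
    static final String TLS_1_2 = "TLSv1.2";
    static final String TLS_1_3 = "TLSv1.3";

    // Hypothetical stand-in for ZKConfig.getFipsMode(); real code would read its config.
    private static final boolean FIPS_MODE = Boolean.getBoolean("example.fips");

    // Initialization-on-demand holder: the class initializer runs exactly once under the
    // JVM's class-init lock, so no AtomicReference/compareAndSet is needed.
    private static final class Holder {
        static final String PROTOCOL = select(FIPS_MODE, enabledProtocols());
    }

    /** The value every caller shares; computed on first use. */
    public static String defaultTlsProtocol() {
        return Holder.PROTOCOL;
    }

    /** Pure selection logic, testable without touching the JSSE provider. */
    static String select(boolean fipsMode, List<String> enabledProtocols) {
        if (fipsMode) {
            return TLS_1_2; // conservative baseline under FIPS
        }
        return enabledProtocols.contains(TLS_1_3) ? TLS_1_3 : TLS_1_2;
    }

    /**
     * Protocols the runtime enables by default, i.e. after jdk.tls.disabledAlgorithms
     * filtering. A fresh context is used instead of SSLContext.getDefault() so nothing is
     * cached JVM-wide; note that init(null, null, null) still loads the default trust store
     * (javax.net.ssl.trustStore), so a broken trust store setting surfaces here.
     */
    static List<String> enabledProtocols() {
        try {
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, null, null);
            return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
        } catch (NoSuchAlgorithmException | KeyManagementException e) {
            // If the provider cannot be queried, assume only the baseline is available.
            return Collections.singletonList(TLS_1_2);
        }
    }

    public static void main(String[] args) {
        System.out.println("Enabled by this runtime: " + enabledProtocols());
        System.out.println("Chosen default:          " + defaultTlsProtocol());
        // Selection exercised with constructed inputs, independent of the provider.
        System.out.println("FIPS, 1.3 enabled:       " + select(true, Arrays.asList(TLS_1_3, TLS_1_2)));
        System.out.println("non-FIPS, 1.3 enabled:   " + select(false, Arrays.asList(TLS_1_3, TLS_1_2)));
        System.out.println("non-FIPS, 1.2 only:      " + select(false, Collections.singletonList(TLS_1_2)));
    }
}
```

Run with `java TlsProtocolDefault.java` and again with `-Dexample.fips=true`; the `select` calls in `main` show the three branches (FIPS forces TLSv1.2, otherwise TLSv1.3 only when the runtime enables it). Because the holder reads the FIPS flag at class-initialization time, a configuration change after the first call is not picked up, which is the behaviour a static singleton implies and should be acceptable for a process-wide TLS default.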
anmolnar reviewed May 5, 2026
Comment on lines +911 to +913
| System.clearProperty("javax.net.ssl.trustStore"); | ||
| System.clearProperty("javax.net.ssl.trustStorePassword"); | ||
| System.clearProperty("javax.net.ssl.trustStoreType"); |
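Review bot: clearing `javax.net.ssl.trustStore`, `javax.net.ssl.trustStorePassword` and `javax.net.ssl.trustStoreType` after the assertions does not undo what the JVM has already cached, since `SSLContext.getDefault()` initializes the default context once per JVM; a test that pointed the trust store at a nonexistent file can therefore leave later tests in the same JVM failing. At minimum move these three calls into a finally block or an @AfterEach so they also run when the test fails, and restore the previous values with `System.setProperty` rather than clearing them, because the build may have set them. To make the test hermetic, avoid `SSLContext.getDefault()` on the code path under test or run this test in a forked JVM.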
Contributor
I don't think we can implement a test like this. SSLContext.getDefault() will cache the problem and subsequent tests will fail even if the properties are reverted.
No description provided.