authorPete Bentley <prb@google.com>2023-07-03 12:36:59 +0100
committerMiguel Aranda <miguelaranda@google.com>2024-01-29 11:17:01 +0000
commit5dc9cdaf41d6d15ab992ac27a79e556719b0f23e (patch)
tree5ea9ff398a6afb850ebb09b95cbd23da45cbed3b
parent7b8db415972894e0f8b0495113b7a544cf7a3fd7 (diff)
downloadconscrypt-5dc9cdaf41d6d15ab992ac27a79e556719b0f23e.tar.gz
Merge: Make tests agnostic about TLS v1.x.
Merged from upstream commit #1150. Test only change. Ensures tests neither use nor assume anything about whether TLSv.1 are enabled or supported. As such it is suitable for backporting to historic Android test suites where vendors may have disabled TLS v1.x by editing the default arrays. However by being agnostic it does not enforce that TLS v1.x are available if expected. A further change will provide an API for that, but which is not suitable for backporting as it will require non-test changes. A lot of the tidy-up is around RenegotiationTest and its TestUtils methods, which are only tested on OpenJDK builds. Bug: 288058920 Bug: 288062754 Test: atest MtsLibcoreTestCases (with and without TLS v1.x enabled) (cherry picked from https://android-review.googlesource.com/q/commit:e0b07ec432c99892fbfb33c6a99666a5a83206a3) Merged-In: If8c48afcd1a6a417d1410ce4335f16cac3abd191 Change-Id: If8c48afcd1a6a417d1410ce4335f16cac3abd191
-rw-r--r--benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java6
-rw-r--r--common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java8
-rw-r--r--openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java4
-rw-r--r--openjdk/src/test/java/org/conscrypt/ConscryptTest.java98
-rw-r--r--openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java2
-rw-r--r--openjdk/src/test/java/org/conscrypt/RenegotiationTest.java4
-rw-r--r--repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java8
-rw-r--r--repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java8
-rw-r--r--repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java4
-rw-r--r--repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java94
-rw-r--r--repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java2
-rw-r--r--repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java4
-rw-r--r--repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java134
-rw-r--r--repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java27
-rw-r--r--testing/src/main/java/org/conscrypt/TestUtils.java135
-rw-r--r--testing/src/main/java/org/conscrypt/java/security/StandardNames.java27
16 files changed, 318 insertions, 247 deletions
diff --git a/benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java b/benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java
index 29682f2a..97ff8051 100644
--- a/benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java
+++ b/benchmark-base/src/main/java/org/conscrypt/ServerSocketBenchmark.java
@@ -16,7 +16,7 @@
package org.conscrypt;
-import static org.conscrypt.TestUtils.getProtocols;
+import static org.conscrypt.TestUtils.getCommonProtocolSuites;
import static org.conscrypt.TestUtils.newTextMessage;
import static org.junit.Assert.assertEquals;
@@ -62,7 +62,7 @@ public final class ServerSocketBenchmark {
final ChannelType channelType = config.channelType();
server = config.serverFactory().newServer(
- channelType, config.messageSize(), getProtocols(), ciphers(config));
+ channelType, config.messageSize(), getCommonProtocolSuites(), ciphers(config));
server.setMessageProcessor(new MessageProcessor() {
@Override
public void processMessage(byte[] inMessage, int numBytes, OutputStream os) {
@@ -86,7 +86,7 @@ public final class ServerSocketBenchmark {
// Always use the same client for consistency across the benchmarks.
client = config.clientFactory().newClient(
- ChannelType.CHANNEL, server.port(), getProtocols(), ciphers(config));
+ ChannelType.CHANNEL, server.port(), getCommonProtocolSuites(), ciphers(config));
client.start();
// Wait for the initial connection to complete.
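Review bot: At the `newServer` and `newClient` calls the new argument `getCommonProtocolSuites()` sits directly beside `ciphers(config)` and reads as a second cipher-suite list, although it returns TLS protocol versions; in TLS, "suite" is the term for cipher suites. Since this commit introduces the helper (its definition is in the TestUtils hunk of this diff, which is cut off at the end of the page), renaming it before it spreads would avoid the confusion, e.g. `channelType, config.messageSize(), getCommonProtocols(), ciphers(config));` with the static import and the RenegotiationTest call sites updated to match. The repackaged ServerSocketBenchmark hunks carry the same calls.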
diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java
index 445ed976..aa603b00 100644
--- a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java
+++ b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketTest.java
@@ -425,6 +425,8 @@ public class SSLSocketTest {
public void test_SSLSocket_noncontiguousProtocols_useLower() throws Exception {
TestSSLContext c = TestSSLContext.create();
SSLContext clientContext = c.clientContext;
+ // Can't test fallback without at least 3 protocol versions enabled.
+ TestUtils.assumeTlsV11Enabled(clientContext);
SSLSocket client = (SSLSocket)
clientContext.getSocketFactory().createSocket(c.host, c.port);
client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"});
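Review bot: The comment above `TestUtils.assumeTlsV11Enabled(clientContext)` says three protocol versions are needed, but the guard only establishes that TLSv1.1 is enabled; the test then calls `setEnabledProtocols` with TLSv1.3 and TLSv1.1, so TLSv1.3 must also be available and TLSv1.2 is the version being skipped over. A comment naming that dependency would make the assumption checkable: `// Needs TLSv1.3, TLSv1.2 and TLSv1.1 enabled so that 1.2 can be skipped; TLSv1.1 is the one that may be disabled, so skip the test without it.` The same applies to the `_canNegotiate` hunk below, and the two TLS_FALLBACK_SCSV hunks further down pair a comment about TLS <= 1.2 with a TLSv1.1 guard; presumably those tests fall back from 1.2 to 1.1 (their bodies are outside the hunks), which the comment could state. The repackaged SSLSocketTest hunks are identical.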
@@ -456,6 +458,8 @@ public class SSLSocketTest {
public void test_SSLSocket_noncontiguousProtocols_canNegotiate() throws Exception {
TestSSLContext c = TestSSLContext.create();
SSLContext clientContext = c.clientContext;
+ // Can't test fallback without at least 3 protocol versions enabled.
+ TestUtils.assumeTlsV11Enabled(clientContext);
SSLSocket client = (SSLSocket)
clientContext.getSocketFactory().createSocket(c.host, c.port);
client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"});
@@ -1007,6 +1011,8 @@ public class SSLSocketTest {
@Test
public void test_SSLSocket_sendsNoTlsFallbackScsv_Fallback_Success() throws Exception {
TestSSLContext context = TestSSLContext.create();
+ // TLS_FALLBACK_SCSV is only applicable to TLS <= 1.2
+ TestUtils.assumeTlsV11Enabled(context.clientContext);
final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket(
context.host, context.port);
final SSLSocket server = (SSLSocket) context.serverSocket.accept();
@@ -1046,6 +1052,8 @@ public class SSLSocketTest {
public void test_SSLSocket_sendsTlsFallbackScsv_InappropriateFallback_Failure()
throws Exception {
TestSSLContext context = TestSSLContext.create();
+ // TLS_FALLBACK_SCSV is only applicable to TLS <= 1.2
+ TestUtils.assumeTlsV11Enabled(context.clientContext);
final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket(
context.host, context.port);
final SSLSocket server = (SSLSocket) context.serverSocket.accept();
diff --git a/openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java b/openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java
index f10c388e..de30bbfa 100644
--- a/openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java
+++ b/openjdk/src/test/java/org/conscrypt/ConscryptEngineTest.java
@@ -18,7 +18,7 @@ package org.conscrypt;
import static org.conscrypt.TestUtils.getConscryptProvider;
import static org.conscrypt.TestUtils.getJdkProvider;
-import static org.conscrypt.TestUtils.getProtocols;
+import static org.conscrypt.TestUtils.highestCommonProtocol;
import static org.conscrypt.TestUtils.initSslContext;
import static org.conscrypt.TestUtils.newTextMessage;
import static org.junit.Assert.assertArrayEquals;
@@ -569,7 +569,7 @@ public class ConscryptEngineTest {
private static SSLContext newContext(Provider provider, TestKeyStore keyStore) {
try {
- SSLContext ctx = SSLContext.getInstance(getProtocols()[0], provider);
+ SSLContext ctx = SSLContext.getInstance(highestCommonProtocol(), provider);
return initSslContext(ctx, keyStore);
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
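Review bot: `newContext` now depends on `highestCommonProtocol()`, which in this commit's TestUtils sorts the common protocol names with `Arrays.sort` and returns `common[common.length - 1]`; that yields the highest version only because "TLSv1" < "TLSv1.1" < "TLSv1.2" happen to sort lexicographically in version order, and on an empty array it throws `ArrayIndexOutOfBoundsException`, which the `catch (NoSuchAlgorithmException e)` here does not cover. A test host where Conscrypt and the chosen JDK provider share no protocol version would therefore fail with an opaque index error out of `newContext` instead of a skipped test. In `highestCommonProtocol` an explicit guard such as `Assume.assumeTrue("no TLS protocol common to JDK and Conscrypt", common.length > 0);` (TestUtils already imports `org.junit.Assume`) and a version-aware comparison rather than plain string order would make the failure mode clear. The body of `newContext` ends outside the hunk; the repackaged ConscryptEngineTest hunk shares the point.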
diff --git a/openjdk/src/test/java/org/conscrypt/ConscryptTest.java b/openjdk/src/test/java/org/conscrypt/ConscryptTest.java
index 84a0ff69..44533ce9 100644
--- a/openjdk/src/test/java/org/conscrypt/ConscryptTest.java
+++ b/openjdk/src/test/java/org/conscrypt/ConscryptTest.java
@@ -17,7 +17,6 @@
package org.conscrypt;
import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertSame;
import static org.junit.Assert.assertTrue;
@@ -25,10 +24,9 @@ import static org.junit.Assert.fail;
import java.security.Provider;
import java.security.Security;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
import javax.net.ssl.SSLContext;
+
+import org.conscrypt.java.security.StandardNames;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;
@@ -52,69 +50,61 @@ public class ConscryptTest {
}
@Test
- public void testProviderBuilder() throws Exception {
- Provider p = Conscrypt.newProviderBuilder()
- .setName("test name")
- .provideTrustManager(true)
- .defaultTlsProtocol("TLSv1.2").build();
-
- assertEquals("test name", p.getName());
- assertTrue(p.containsKey("TrustManagerFactory.PKIX"));
+ public void buildTls12WithTrustManager() throws Exception {
+ buildProvider("TLSv1.2", true);
+ }
+ @Test
+ public void buildTls12WithoutTrustManager() throws Exception {
+ buildProvider("TLSv1.2", false);
+ }
- try {
- Security.insertProviderAt(p, 1);
+ @Test
+ public void buildTls13WithTrustManager() throws Exception {
+ buildProvider("TLSv1.3", true);
+ }
- SSLContext context = SSLContext.getInstance("TLS");
- context.init(null, null, null);
- assertEquals(p, context.getProvider());
- Set<String> expected = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1"));
- Set<String> found =
- new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols()));
- assertEquals(expected, found);
+ @Test
+ public void buildTls13WithoutTrustManager() throws Exception {
+ buildProvider("TLSv1.3", false);
+ }
- context = SSLContext.getInstance("Default");
- assertEquals(p, context.getProvider());
- expected = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1"));
- found = new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols()));
- assertEquals(expected, found);
- } finally {
- Security.removeProvider("test name");
+ @Test
+ public void buildInvalid() {
+ try {
+ Conscrypt.newProviderBuilder()
+ .defaultTlsProtocol("invalid").build();
+ fail();
+ } catch (IllegalArgumentException e) {
+ // Expected.
}
+ }
+
+ private void buildProvider(String defaultProtocol, boolean withTrustManager) throws Exception {
+ Provider provider = Conscrypt.newProviderBuilder()
+ .setName("test name")
+ .provideTrustManager(withTrustManager)
+ .defaultTlsProtocol(defaultProtocol)
+ .build();
- p = Conscrypt.newProviderBuilder()
- .setName("test name 2")
- .provideTrustManager(false)
- .defaultTlsProtocol("TLSv1.3").build();
+ assertEquals("test name", provider.getName());
+ assertEquals(withTrustManager, provider.containsKey("TrustManagerFactory.PKIX"));
- assertEquals("test name 2", p.getName());
- assertFalse(p.containsKey("TrustManagerFactory.PKIX"));
-
try {
- Security.insertProviderAt(p, 1);
+ Security.insertProviderAt(provider, 1);
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, null, null);
- assertEquals(p, context.getProvider());
- Set<String> expected =
- new HashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"));
- Set<String> found =
- new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols()));
- assertEquals(expected, found);
+ assertEquals(provider, context.getProvider());
+ StandardNames.assertSSLContextEnabledProtocols(
+ defaultProtocol, context.createSSLEngine().getEnabledProtocols());
+
context = SSLContext.getInstance("Default");
- assertEquals(p, context.getProvider());
- expected = new HashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"));
- found = new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols()));
- assertEquals(expected, found);
+ assertEquals(provider, context.getProvider());
+ StandardNames.assertSSLContextEnabledProtocols(
+ defaultProtocol, context.createSSLEngine().getEnabledProtocols());
} finally {
- Security.removeProvider("test name 2");
- }
-
- try {
- Conscrypt.newProviderBuilder()
- .defaultTlsProtocol("invalid").build();
- fail();
- } catch (IllegalArgumentException expected) {
+ Security.removeProvider("test name");
}
}
}
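Review bot: `buildProvider` is the new shared fixture for four tests but has no comment describing what it asserts, and `buildInvalid` names the caught exception `e` with a separate `// Expected.` comment where the previous code used the self-describing `expected`. A Javadoc on `buildProvider` should say that it builds a provider named "test name" with the given default protocol and trust-manager setting, installs it at position 1, checks that both the "TLS" and "Default" contexts come from it with the enabled protocols `StandardNames.assertSSLContextEnabledProtocols` expects for that default, and always removes the provider again in `finally`. In `buildInvalid`, `} catch (IllegalArgumentException expected) {` keeps the earlier convention and makes the comment unnecessary. The repackaged ConscryptTest hunk has the same two points.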
diff --git a/openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java b/openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java
index c253da22..c7a8de88 100644
--- a/openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java
+++ b/openjdk/src/test/java/org/conscrypt/MockSessionBuilder.java
@@ -77,7 +77,7 @@ final class MockSessionBuilder {
when(session.getId()).thenReturn(id);
when(session.isValid()).thenReturn(valid);
when(session.isSingleUse()).thenReturn(singleUse);
- when(session.getProtocol()).thenReturn(TestUtils.getProtocols()[0]);
+ when(session.getProtocol()).thenReturn(TestUtils.highestCommonProtocol());
when(session.getPeerHost()).thenReturn(host);
when(session.getPeerPort()).thenReturn(port);
when(session.getCipherSuite()).thenReturn(cipherSuite);
diff --git a/openjdk/src/test/java/org/conscrypt/RenegotiationTest.java b/openjdk/src/test/java/org/conscrypt/RenegotiationTest.java
index e4297842..601fceec 100644
--- a/openjdk/src/test/java/org/conscrypt/RenegotiationTest.java
+++ b/openjdk/src/test/java/org/conscrypt/RenegotiationTest.java
@@ -144,7 +144,7 @@ public class RenegotiationTest {
Conscrypt.setUseEngineSocket(socketFactory, useEngineSocket);
socket = (SSLSocket) socketFactory.createSocket(
TestUtils.getLoopbackAddress(), port);
- socket.setEnabledProtocols(TestUtils.getProtocols());
+ socket.setEnabledProtocols(TestUtils.getCommonProtocolSuites());
socket.setEnabledCipherSuites(TestUtils.getCommonCipherSuites());
} catch (IOException e) {
throw new RuntimeException(e);
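Review bot: `socket.setEnabledProtocols(TestUtils.getCommonProtocolSuites())` only keeps this a renegotiation test because `getCommonProtocolSuites()` currently excludes TLSv1.3 through the predicate marked `TODO(prb)` in the TestUtils hunk of this diff; TLS 1.3 removed renegotiation, so once that TODO is resolved and 1.3 is included, this client and the server engine in the `@@ -234` hunk would negotiate 1.3 and the renegotiation path would no longer be exercised. Either filter TLSv1.3 out explicitly at these call sites or record the dependency, e.g. `// Relies on getCommonProtocolSuites() excluding TLSv1.3, which has no renegotiation.` above both lines. The enclosing methods start and end outside the hunks; the repackaged RenegotiationTest hunks are identical.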
@@ -234,7 +234,7 @@ public class RenegotiationTest {
serverChannel = ServerSocketChannel.open();
serverChannel.socket().bind(new InetSocketAddress(TestUtils.getLoopbackAddress(), 0));
engine = newJdkServerContext().createSSLEngine();
- engine.setEnabledProtocols(TestUtils.getProtocols());
+ engine.setEnabledProtocols(TestUtils.getCommonProtocolSuites());
engine.setEnabledCipherSuites(TestUtils.getCommonCipherSuites());
engine.setUseClientMode(false);
diff --git a/repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java b/repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java
index f8a80bb6..03a97157 100644
--- a/repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java
+++ b/repackaged/benchmark-base/src/main/java/com/android/org/conscrypt/ServerSocketBenchmark.java
@@ -17,10 +17,11 @@
package com.android.org.conscrypt;
-import static com.android.org.conscrypt.TestUtils.getProtocols;
+import static com.android.org.conscrypt.TestUtils.getCommonProtocolSuites;
import static com.android.org.conscrypt.TestUtils.newTextMessage;
import static org.junit.Assert.assertEquals;
+import com.android.org.conscrypt.ServerEndpoint.MessageProcessor;
import java.io.IOException;
import java.io.OutputStream;
import java.net.SocketException;
@@ -30,7 +31,6 @@ import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicLong;
-import com.android.org.conscrypt.ServerEndpoint.MessageProcessor;
/**
* Benchmark for comparing performance of server socket implementations.
@@ -64,7 +64,7 @@ public final class ServerSocketBenchmark {
final ChannelType channelType = config.channelType();
server = config.serverFactory().newServer(
- channelType, config.messageSize(), getProtocols(), ciphers(config));
+ channelType, config.messageSize(), getCommonProtocolSuites(), ciphers(config));
server.setMessageProcessor(new MessageProcessor() {
@Override
public void processMessage(byte[] inMessage, int numBytes, OutputStream os) {
@@ -88,7 +88,7 @@ public final class ServerSocketBenchmark {
// Always use the same client for consistency across the benchmarks.
client = config.clientFactory().newClient(
- ChannelType.CHANNEL, server.port(), getProtocols(), ciphers(config));
+ ChannelType.CHANNEL, server.port(), getCommonProtocolSuites(), ciphers(config));
client.start();
// Wait for the initial connection to complete.
diff --git a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java
index 8cabe71e..77b01799 100644
--- a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java
+++ b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketTest.java
@@ -429,6 +429,8 @@ public class SSLSocketTest {
public void test_SSLSocket_noncontiguousProtocols_useLower() throws Exception {
TestSSLContext c = TestSSLContext.create();
SSLContext clientContext = c.clientContext;
+ // Can't test fallback without at least 3 protocol versions enabled.
+ TestUtils.assumeTlsV11Enabled(clientContext);
SSLSocket client = (SSLSocket)
clientContext.getSocketFactory().createSocket(c.host, c.port);
client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"});
@@ -460,6 +462,8 @@ public class SSLSocketTest {
public void test_SSLSocket_noncontiguousProtocols_canNegotiate() throws Exception {
TestSSLContext c = TestSSLContext.create();
SSLContext clientContext = c.clientContext;
+ // Can't test fallback without at least 3 protocol versions enabled.
+ TestUtils.assumeTlsV11Enabled(clientContext);
SSLSocket client = (SSLSocket)
clientContext.getSocketFactory().createSocket(c.host, c.port);
client.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.1"});
@@ -1011,6 +1015,8 @@ public class SSLSocketTest {
@Test
public void test_SSLSocket_sendsNoTlsFallbackScsv_Fallback_Success() throws Exception {
TestSSLContext context = TestSSLContext.create();
+ // TLS_FALLBACK_SCSV is only applicable to TLS <= 1.2
+ TestUtils.assumeTlsV11Enabled(context.clientContext);
final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket(
context.host, context.port);
final SSLSocket server = (SSLSocket) context.serverSocket.accept();
@@ -1050,6 +1056,8 @@ public class SSLSocketTest {
public void test_SSLSocket_sendsTlsFallbackScsv_InappropriateFallback_Failure()
throws Exception {
TestSSLContext context = TestSSLContext.create();
+ // TLS_FALLBACK_SCSV is only applicable to TLS <= 1.2
+ TestUtils.assumeTlsV11Enabled(context.clientContext);
final SSLSocket client = (SSLSocket) context.clientContext.getSocketFactory().createSocket(
context.host, context.port);
final SSLSocket server = (SSLSocket) context.serverSocket.accept();
diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java
index bfe10f9e..e1f4a13a 100644
--- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java
+++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptEngineTest.java
@@ -19,7 +19,7 @@ package com.android.org.conscrypt;
import static com.android.org.conscrypt.TestUtils.getConscryptProvider;
import static com.android.org.conscrypt.TestUtils.getJdkProvider;
-import static com.android.org.conscrypt.TestUtils.getProtocols;
+import static com.android.org.conscrypt.TestUtils.highestCommonProtocol;
import static com.android.org.conscrypt.TestUtils.initSslContext;
import static com.android.org.conscrypt.TestUtils.newTextMessage;
import static org.junit.Assert.assertArrayEquals;
@@ -578,7 +578,7 @@ public class ConscryptEngineTest {
private static SSLContext newContext(Provider provider, TestKeyStore keyStore) {
try {
- SSLContext ctx = SSLContext.getInstance(getProtocols()[0], provider);
+ SSLContext ctx = SSLContext.getInstance(highestCommonProtocol(), provider);
return initSslContext(ctx, keyStore);
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java
index b40f8353..59cd9d9b 100644
--- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java
+++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/ConscryptTest.java
@@ -18,17 +18,14 @@
package com.android.org.conscrypt;
import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertSame;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
+import com.android.org.conscrypt.java.security.StandardNames;
import java.security.Provider;
import java.security.Security;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
import javax.net.ssl.SSLContext;
import org.junit.Test;
import org.junit.runner.RunWith;
@@ -56,70 +53,59 @@ public class ConscryptTest {
}
@Test
- public void testProviderBuilder() throws Exception {
- Provider p = Conscrypt.newProviderBuilder()
- .setName("test name")
- .provideTrustManager(true)
- .defaultTlsProtocol("TLSv1.2")
- .build();
-
- assertEquals("test name", p.getName());
- assertTrue(p.containsKey("TrustManagerFactory.PKIX"));
+ public void buildTls12WithTrustManager() throws Exception {
+ buildProvider("TLSv1.2", true);
+ }
+ @Test
+ public void buildTls12WithoutTrustManager() throws Exception {
+ buildProvider("TLSv1.2", false);
+ }
- try {
- Security.insertProviderAt(p, 1);
+ @Test
+ public void buildTls13WithTrustManager() throws Exception {
+ buildProvider("TLSv1.3", true);
+ }
- SSLContext context = SSLContext.getInstance("TLS");
- context.init(null, null, null);
- assertEquals(p, context.getProvider());
- Set<String> expected = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1"));
- Set<String> found =
- new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols()));
- assertEquals(expected, found);
+ @Test
+ public void buildTls13WithoutTrustManager() throws Exception {
+ buildProvider("TLSv1.3", false);
+ }
- context = SSLContext.getInstance("Default");
- assertEquals(p, context.getProvider());
- expected = new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1"));
- found = new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols()));
- assertEquals(expected, found);
- } finally {
- Security.removeProvider("test name");
+ @Test
+ public void buildInvalid() {
+ try {
+ Conscrypt.newProviderBuilder().defaultTlsProtocol("invalid").build();
+ fail();
+ } catch (IllegalArgumentException e) {
+ // Expected.
}
+ }
- p = Conscrypt.newProviderBuilder()
- .setName("test name 2")
- .provideTrustManager(false)
- .defaultTlsProtocol("TLSv1.3")
- .build();
+ private void buildProvider(String defaultProtocol, boolean withTrustManager) throws Exception {
+ Provider provider = Conscrypt.newProviderBuilder()
+ .setName("test name")
+ .provideTrustManager(withTrustManager)
+ .defaultTlsProtocol(defaultProtocol)
+ .build();
- assertEquals("test name 2", p.getName());
- assertFalse(p.containsKey("TrustManagerFactory.PKIX"));
+ assertEquals("test name", provider.getName());
+ assertEquals(withTrustManager, provider.containsKey("TrustManagerFactory.PKIX"));
try {
- Security.insertProviderAt(p, 1);
+ Security.insertProviderAt(provider, 1);
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, null, null);
- assertEquals(p, context.getProvider());
- Set<String> expected =
- new HashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"));
- Set<String> found =
- new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols()));
- assertEquals(expected, found);
+ assertEquals(provider, context.getProvider());
+ StandardNames.assertSSLContextEnabledProtocols(
+ defaultProtocol, context.createSSLEngine().getEnabledProtocols());
context = SSLContext.getInstance("Default");
- assertEquals(p, context.getProvider());
- expected = new HashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"));
- found = new HashSet<>(Arrays.asList(context.createSSLEngine().getEnabledProtocols()));
- assertEquals(expected, found);
+ assertEquals(provider, context.getProvider());
+ StandardNames.assertSSLContextEnabledProtocols(
+ defaultProtocol, context.createSSLEngine().getEnabledProtocols());
} finally {
- Security.removeProvider("test name 2");
- }
-
- try {
- Conscrypt.newProviderBuilder().defaultTlsProtocol("invalid").build();
- fail();
- } catch (IllegalArgumentException expected) {
+ Security.removeProvider("test name");
}
}
}
diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java
index 49b7abf0..aafc5951 100644
--- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java
+++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/MockSessionBuilder.java
@@ -78,7 +78,7 @@ final class MockSessionBuilder {
when(session.getId()).thenReturn(id);
when(session.isValid()).thenReturn(valid);
when(session.isSingleUse()).thenReturn(singleUse);
- when(session.getProtocol()).thenReturn(TestUtils.getProtocols()[0]);
+ when(session.getProtocol()).thenReturn(TestUtils.highestCommonProtocol());
when(session.getPeerHost()).thenReturn(host);
when(session.getPeerPort()).thenReturn(port);
when(session.getCipherSuite()).thenReturn(cipherSuite);
diff --git a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java
index bc843dca..e2541cb1 100644
--- a/repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java
+++ b/repackaged/openjdk/src/test/java/com/android/org/conscrypt/RenegotiationTest.java
@@ -149,7 +149,7 @@ public class RenegotiationTest {
Conscrypt.setUseEngineSocket(socketFactory, useEngineSocket);
socket = (SSLSocket) socketFactory.createSocket(
TestUtils.getLoopbackAddress(), port);
- socket.setEnabledProtocols(TestUtils.getProtocols());
+ socket.setEnabledProtocols(TestUtils.getCommonProtocolSuites());
socket.setEnabledCipherSuites(TestUtils.getCommonCipherSuites());
} catch (IOException e) {
throw new RuntimeException(e);
@@ -239,7 +239,7 @@ public class RenegotiationTest {
serverChannel = ServerSocketChannel.open();
serverChannel.socket().bind(new InetSocketAddress(TestUtils.getLoopbackAddress(), 0));
engine = newJdkServerContext().createSSLEngine();
- engine.setEnabledProtocols(TestUtils.getProtocols());
+ engine.setEnabledProtocols(TestUtils.getCommonProtocolSuites());
engine.setEnabledCipherSuites(TestUtils.getCommonCipherSuites());
engine.setUseClientMode(false);
diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java
index 5d4c869e..11b757e0 100644
--- a/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java
+++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java
@@ -34,6 +34,7 @@ import java.net.ServerSocket;
import java.net.UnknownHostException;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
@@ -45,10 +46,12 @@ import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
-import java.util.Iterator;
-import java.util.LinkedHashSet;
+import java.util.HashSet;
import java.util.List;
import java.util.Set;
+import java.util.function.IntFunction;
+import java.util.function.Predicate;
+
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
@@ -66,27 +69,27 @@ import org.junit.Assume;
* @hide This class is not part of the Android public SDK API
*/
public final class TestUtils {
- public static final Charset UTF_8 = Charset.forName("UTF-8");
+ public static final Charset UTF_8 = StandardCharsets.UTF_8;
+ private static final String PROTOCOL_TLS_V1_3 = "TLSv1.3";
private static final String PROTOCOL_TLS_V1_2 = "TLSv1.2";
private static final String PROTOCOL_TLS_V1_1 = "TLSv1.1";
- private static final String PROTOCOL_TLS_V1 = "TLSv1";
- private static final String[] DESIRED_PROTOCOLS =
- new String[] {PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1_1, PROTOCOL_TLS_V1};
+ // For interop testing we need a JDK Provider that can do TLS 1.2 as 1.x may be disabled
+ // in Conscrypt and 1.3 does not (yet) handle interoperability with the JDK Provider.
+ private static final String[] DESIRED_JDK_PROTOCOLS = new String[] {PROTOCOL_TLS_V1_2};
private static final Provider JDK_PROVIDER = getNonConscryptTlsProvider();
private static final byte[] CHARS =
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".getBytes(UTF_8);
private static final ByteBuffer EMPTY_BUFFER = ByteBuffer.allocateDirect(0);
- private static final String[] PROTOCOLS = getProtocolsInternal();
static final String TEST_CIPHER = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
private TestUtils() {}
private static Provider getNonConscryptTlsProvider() {
- for (String protocol : DESIRED_PROTOCOLS) {
+ for (String protocol : DESIRED_JDK_PROTOCOLS) {
for (Provider p : Security.getProviders()) {
if (!p.getClass().getPackage().getName().contains("conscrypt")
- && hasProtocol(p, protocol)) {
+ && hasSslContext(p, protocol)) {
return p;
}
}
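Review bot: `getNonConscryptTlsProvider` selects `JDK_PROVIDER` via `hasSslContext` (renamed in the next hunk), which only checks that the provider registers the algorithm name `SSLContext.TLSv1.2`; that does not show TLS 1.2 is actually enabled on that provider, and as far as I can tell a JDK where the version is turned off through security properties still registers the name. The selected provider could therefore be one that cannot negotiate TLS 1.2, which would only surface later when `getCommonProtocolSuites()` intersects the genuinely supported versions. Worth stating next to `DESIRED_JDK_PROTOCOLS`, e.g. `// Only checks the SSLContext algorithm is registered, not that the version is enabled; getCommonProtocolSuites() checks actual support.`, or probing the enabled protocols of a created context instead. The class body continues past both ends of this hunk.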
@@ -94,7 +97,7 @@ public final class TestUtils {
return new BouncyCastleProvider();
}
- private static boolean hasProtocol(Provider p, String protocol) {
+ private static boolean hasSslContext(Provider p, String protocol) {
return p.get("SSLContext." + protocol) != null;
}
@@ -275,31 +278,6 @@ public final class TestUtils {
throw ex;
}
- /**
- * Returns an array containing only {@link #PROTOCOL_TLS_V1_2}.
- */
- public static String[] getProtocols() {
- return PROTOCOLS;
- }
-
- private static String[] getProtocolsInternal() {
- List<String> protocols = new ArrayList<String>();
- for (String protocol : DESIRED_PROTOCOLS) {
- if (hasProtocol(getJdkProvider(), protocol)) {
- protocols.add(protocol);
- }
- }
- return protocols.toArray(new String[protocols.size()]);
- }
-
- public static SSLSocketFactory getJdkSocketFactory() {
- return getSocketFactory(JDK_PROVIDER);
- }
-
- public static SSLServerSocketFactory getJdkServerSocketFactory() {
- return getServerSocketFactory(JDK_PROVIDER);
- }
-
static SSLSocketFactory setUseEngineSocket(
SSLSocketFactory conscryptFactory, boolean useEngineSocket) {
try {
@@ -362,33 +340,79 @@ public final class TestUtils {
}
}
- static String[] getCommonCipherSuites() {
- SSLContext jdkContext =
- TestUtils.initSslContext(newContext(getJdkProvider()), TestKeyStore.getClient());
- SSLContext conscryptContext = TestUtils.initSslContext(
- newContext(getConscryptProvider()), TestKeyStore.getClient());
- Set<String> supported = new LinkedHashSet<String>();
- supported.addAll(supportedCiphers(jdkContext));
- supported.retainAll(supportedCiphers(conscryptContext));
- filterCiphers(supported);
+ public static String highestCommonProtocol() {
+ String[] common = getCommonProtocolSuites();
+ Arrays.sort(common);
+ return common[common.length - 1];
+ }
- return supported.toArray(new String[supported.size()]);
+ public static String[] getCommonProtocolSuites() {
+ SSLContext jdkContext = newClientSslContext(getJdkProvider());
+ SSLContext conscryptContext = newClientSslContext(getConscryptProvider());
+ // No point building a Set here due to small list sizes.
+ final List<String> conscryptProtocols = getSupportedProtocols(conscryptContext);
+ // TODO(prb): Certificate auth fails when connecting Conscrypt and JDK's TLS 1.3.
+ Predicate<String> predicate = new Predicate<String>() {
+ @Override
+ public boolean test(String string) {
+ return conscryptProtocols.contains(string) && !string.equals(PROTOCOL_TLS_V1_3);
+ }
+ };
+ return getSupportedProtocols(jdkContext, predicate);
+ }
+
+ public static String[] getCommonCipherSuites() {
+ SSLContext jdkContext = newClientSslContext(getJdkProvider());
+ SSLContext conscryptContext = newClientSslContext(getConscryptProvider());
+ final Set<String> conscryptCiphers = new HashSet<>(getSupportedCiphers(conscryptContext));
+ Predicate<String> predicate = new Predicate<String>() {
+ @Override
+ public boolean test(String string) {
+ return isTlsCipherSuite(string) && conscryptCiphers.contains(string);
+ }
+ };
+ return getSupportedCiphers(jdkContext, predicate);
}
- private static List<String> supportedCiphers(SSLContext ctx) {
+ public static List<String> getSupportedCiphers(SSLContext ctx) {
return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());
}
- private static void filterCiphers(Iterable<String> ciphers) {
- // Filter all non-TLS ciphers.
- Iterator<String> iter = ciphers.iterator();
- while (iter.hasNext()) {
- String cipher = iter.next();
- if (cipher.startsWith("SSL_") || cipher.startsWith("TLS_EMPTY")
- || cipher.contains("_RC4_")) {
- iter.remove();
+ public static String[] getSupportedCiphers(SSLContext ctx, Predicate<String> predicate) {
+ IntFunction<String[]> transform = new IntFunction<String[]>() {
+ @Override
+ public String[] apply(int value) {
+ return new String[value];
}
- }
+ };
+ return Arrays.stream(ctx.getDefaultSSLParameters().getCipherSuites())
+ .filter(predicate)
+ .toArray(transform);
+ }
+
+ public static List<String> getSupportedProtocols(SSLContext ctx) {
+ return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
+ }
+
+ public static String[] getSupportedProtocols(SSLContext ctx, Predicate<String> predicate) {
+ IntFunction<String[]> transform = new IntFunction<String[]>() {
+ @Override
+ public String[] apply(int value) {
+ return new String[value];
+ }
+ };
+ return Arrays.stream(ctx.getDefaultSSLParameters().getProtocols())
+ .filter(predicate)
+ .toArray(transform);
+ }
+
+ private static boolean isTlsCipherSuite(String cipher) {
+ return !cipher.startsWith("SSL_") && !cipher.startsWith("TLS_EMPTY")
+ && !cipher.contains("_RC4_");
+ }
+
+ public static void assumeTlsV11Enabled(SSLContext context) {
+ Assume.assumeTrue(getSupportedProtocols(context).contains(PROTOCOL_TLS_V1_1));
}
/**
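Review bot: `getSupportedProtocols(SSLContext)` and `getSupportedCiphers(SSLContext)` read `ctx.getDefaultSSLParameters()`, which is the enabled-by-default set rather than `getSupportedSSLParameters()`, so the names overstate what they return and a protocol that is supported but disabled by default is reported as absent; `assumeTlsV11Enabled` depends on exactly that enabled-by-default meaning. Either rename them (`getDefaultProtocols`/`getDefaultCiphers`) or document it, e.g. `/** Protocols enabled by default for {@code ctx} (via {@link SSLContext#getDefaultSSLParameters()}), not the full supported set. */`. Separately, `highestCommonProtocol()` indexes `common[common.length - 1]` with no empty check, so an environment with no protocol common to the two providers fails with an ArrayIndexOutOfBoundsException instead of a diagnostic; a guard such as `if (common.length == 0) { throw new IllegalStateException("no TLS protocol common to JDK and Conscrypt providers"); }` before the sort would name the cause. That method also relies on lexicographic `Arrays.sort` coinciding with version order for the `TLSv1.x` names, which holds today but deserves a one-line comment. The matching hunk in testing/src/main/java/org/conscrypt/TestUtils.java (ending at the `assumeTlsV11Enabled` addition) has the same points.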
diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
index 917df975..28256773 100644
--- a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
+++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
@@ -144,6 +144,9 @@ public final class StandardNames {
Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"));
public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>(
Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.3"));
+ // Deprecated TLS protocols... May or may not be present or enabled.
+ public static final Set<String> SSL_CONTEXT_PROTOCOLS_DEPRECATED =
+ new HashSet<>(Arrays.asList("TLSv1", "TLSv1.1"));
public static final Set<String> KEY_TYPES = new HashSet<String>(
Arrays.asList("RSA", "DSA", "DH_RSA", "DH_DSA", "EC", "EC_EC", "EC_RSA"));
@@ -390,10 +393,13 @@ public final class StandardNames {
* assertSupportedProtocols additionally verifies that all
* supported protocols where in the input array.
*/
- private static void assertSupportedProtocols(Set<String> expected, String[] protocols) {
- Set<String> remainingProtocols = assertValidProtocols(expected, protocols);
+ private static void assertSupportedProtocols(Set<String> valid, String[] protocols) {
+ Set<String> remainingProtocols = assertValidProtocols(valid, protocols);
+
+ // TODO(prb) Temporarily ignore TLSv1.x: See comment for assertSSLContextEnabledProtocols()
+ remainingProtocols.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
+
assertEquals("Missing protocols", Collections.EMPTY_SET, remainingProtocols);
- assertEquals(expected.size(), protocols.length);
}
/**
@@ -434,9 +440,18 @@ public final class StandardNames {
}
public static void assertSSLContextEnabledProtocols(String version, String[] protocols) {
- assertEquals("For protocol \"" + version + "\"",
- Arrays.toString(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version)),
- Arrays.toString(protocols));
+ Set<String> expected =
+ new HashSet<>(Arrays.asList(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version)));
+ Set<String> actual = new HashSet<>(Arrays.asList(protocols));
+
+ // TODO(prb): Temporary measure - just ignore deprecated protocols. Allows
+ // testing on source trees where these have been disabled in unknown ways.
+ // Future work will provide a supported API for disabling protocols, but for
+ // now we need to work with what's in the field.
+ expected.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
+ actual.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
+
+ assertEquals("For protocol \"" + version + "\"", expected, actual);
}
/**
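Review bot: Replacing the `Arrays.toString` comparison with two `HashSet`s silently drops the check that enabled protocols are reported in the expected order, so a regression in protocol preference order now passes `assertSSLContextEnabledProtocols`. The deprecated names can be filtered on lists instead, keeping the order check: `List<String> expected = new ArrayList<>(Arrays.asList(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version)));` and `List<String> actual = new ArrayList<>(Arrays.asList(protocols));` followed by the same two `removeAll` calls and `assertEquals` (this assumes `java.util.List`/`ArrayList` are imported; the file's imports are outside this hunk). If order is deliberately no longer asserted, the TODO comment should say so explicitly. The same applies to the matching hunk in testing/src/main/java/org/conscrypt/java/security/StandardNames.java.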
diff --git a/testing/src/main/java/org/conscrypt/TestUtils.java b/testing/src/main/java/org/conscrypt/TestUtils.java
index b1ccad87..a434b153 100644
--- a/testing/src/main/java/org/conscrypt/TestUtils.java
+++ b/testing/src/main/java/org/conscrypt/TestUtils.java
@@ -30,6 +30,7 @@ import java.net.ServerSocket;
import java.net.UnknownHostException;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
@@ -41,10 +42,12 @@ import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
-import java.util.Iterator;
-import java.util.LinkedHashSet;
+import java.util.HashSet;
import java.util.List;
import java.util.Set;
+import java.util.function.IntFunction;
+import java.util.function.Predicate;
+
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
@@ -64,27 +67,27 @@ import org.junit.Assume;
* Utility methods to support testing.
*/
public final class TestUtils {
- public static final Charset UTF_8 = Charset.forName("UTF-8");
+ public static final Charset UTF_8 = StandardCharsets.UTF_8;
+ private static final String PROTOCOL_TLS_V1_3 = "TLSv1.3";
private static final String PROTOCOL_TLS_V1_2 = "TLSv1.2";
private static final String PROTOCOL_TLS_V1_1 = "TLSv1.1";
- private static final String PROTOCOL_TLS_V1 = "TLSv1";
- private static final String[] DESIRED_PROTOCOLS =
- new String[] {PROTOCOL_TLS_V1_2, PROTOCOL_TLS_V1_1, PROTOCOL_TLS_V1};
+ // For interop testing we need a JDK Provider that can do TLS 1.2 as 1.x may be disabled
+ // in Conscrypt and 1.3 does not (yet) handle interoperability with the JDK Provider.
+ private static final String[] DESIRED_JDK_PROTOCOLS = new String[] { PROTOCOL_TLS_V1_2 };
private static final Provider JDK_PROVIDER = getNonConscryptTlsProvider();
private static final byte[] CHARS =
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".getBytes(UTF_8);
private static final ByteBuffer EMPTY_BUFFER = ByteBuffer.allocateDirect(0);
- private static final String[] PROTOCOLS = getProtocolsInternal();
static final String TEST_CIPHER = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
private TestUtils() {}
private static Provider getNonConscryptTlsProvider() {
- for (String protocol : DESIRED_PROTOCOLS) {
+ for (String protocol : DESIRED_JDK_PROTOCOLS) {
for (Provider p : Security.getProviders()) {
if (!p.getClass().getPackage().getName().contains("conscrypt")
- && hasProtocol(p, protocol)) {
+ && hasSslContext(p, protocol)) {
return p;
}
}
@@ -92,7 +95,7 @@ public final class TestUtils {
return new BouncyCastleProvider();
}
- private static boolean hasProtocol(Provider p, String protocol) {
+ private static boolean hasSslContext(Provider p, String protocol) {
return p.get("SSLContext." + protocol) != null;
}
@@ -272,31 +275,6 @@ public final class TestUtils {
throw ex;
}
- /**
- * Returns an array containing only {@link #PROTOCOL_TLS_V1_2}.
- */
- public static String[] getProtocols() {
- return PROTOCOLS;
- }
-
- private static String[] getProtocolsInternal() {
- List<String> protocols = new ArrayList<String>();
- for (String protocol : DESIRED_PROTOCOLS) {
- if (hasProtocol(getJdkProvider(), protocol)) {
- protocols.add(protocol);
- }
- }
- return protocols.toArray(new String[protocols.size()]);
- }
-
- public static SSLSocketFactory getJdkSocketFactory() {
- return getSocketFactory(JDK_PROVIDER);
- }
-
- public static SSLServerSocketFactory getJdkServerSocketFactory() {
- return getServerSocketFactory(JDK_PROVIDER);
- }
-
static SSLSocketFactory setUseEngineSocket(
SSLSocketFactory conscryptFactory, boolean useEngineSocket) {
try {
@@ -359,33 +337,80 @@ public final class TestUtils {
}
}
- static String[] getCommonCipherSuites() {
- SSLContext jdkContext =
- TestUtils.initSslContext(newContext(getJdkProvider()), TestKeyStore.getClient());
- SSLContext conscryptContext = TestUtils.initSslContext(
- newContext(getConscryptProvider()), TestKeyStore.getClient());
- Set<String> supported = new LinkedHashSet<String>();
- supported.addAll(supportedCiphers(jdkContext));
- supported.retainAll(supportedCiphers(conscryptContext));
- filterCiphers(supported);
+ public static String highestCommonProtocol() {
+ String[] common = getCommonProtocolSuites();
+ Arrays.sort(common);
+ return common[common.length - 1];
+ }
- return supported.toArray(new String[supported.size()]);
+ public static String[] getCommonProtocolSuites() {
+ SSLContext jdkContext = newClientSslContext(getJdkProvider());
+ SSLContext conscryptContext = newClientSslContext(getConscryptProvider());
+ // No point building a Set here due to small list sizes.
+ final List<String> conscryptProtocols = getSupportedProtocols(conscryptContext);
+ // TODO(prb): Certificate auth fails when connecting Conscrypt and JDK's TLS 1.3.
+ Predicate<String> predicate = new Predicate<String>() {
+ @Override
+ public boolean test(String string) {
+ return conscryptProtocols.contains(string) && !string.equals(PROTOCOL_TLS_V1_3);
+ }
+ };
+ return getSupportedProtocols(jdkContext, predicate);
+ }
+
+ public static String[] getCommonCipherSuites() {
+ SSLContext jdkContext = newClientSslContext(getJdkProvider());
+ SSLContext conscryptContext = newClientSslContext(getConscryptProvider());
+ final Set<String> conscryptCiphers = new HashSet<>(getSupportedCiphers(conscryptContext));
+ Predicate<String> predicate = new Predicate<String>() {
+ @Override
+ public boolean test(String string) {
+ return isTlsCipherSuite(string) && conscryptCiphers.contains(string);
+ }
+ };
+ return getSupportedCiphers(jdkContext, predicate);
}
- private static List<String> supportedCiphers(SSLContext ctx) {
+ public static List<String> getSupportedCiphers(SSLContext ctx) {
return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());
}
- private static void filterCiphers(Iterable<String> ciphers) {
- // Filter all non-TLS ciphers.
- Iterator<String> iter = ciphers.iterator();
- while (iter.hasNext()) {
- String cipher = iter.next();
- if (cipher.startsWith("SSL_") || cipher.startsWith("TLS_EMPTY")
- || cipher.contains("_RC4_")) {
- iter.remove();
+ public static String[] getSupportedCiphers(SSLContext ctx, Predicate<String> predicate) {
+ IntFunction<String[]> transform = new IntFunction<String[]>() {
+ @Override
+ public String[] apply(int value) {
+ return new String[value];
}
- }
+ };
+ return Arrays.stream(ctx.getDefaultSSLParameters().getCipherSuites())
+ .filter(predicate)
+ .toArray(transform);
+ }
+
+ public static List<String> getSupportedProtocols(SSLContext ctx) {
+ return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
+ }
+
+ public static String[] getSupportedProtocols(SSLContext ctx, Predicate<String> predicate) {
+ IntFunction<String[]> transform = new IntFunction<String[]>() {
+ @Override
+ public String[] apply(int value) {
+ return new String[value];
+ }
+ };
+ return Arrays.stream(ctx.getDefaultSSLParameters().getProtocols())
+ .filter(predicate)
+ .toArray(transform);
+ }
+
+ private static boolean isTlsCipherSuite(String cipher) {
+ return !cipher.startsWith("SSL_")
+ && !cipher.startsWith("TLS_EMPTY")
+ && !cipher.contains("_RC4_");
+ }
+
+ public static void assumeTlsV11Enabled(SSLContext context) {
+ Assume.assumeTrue(getSupportedProtocols(context).contains(PROTOCOL_TLS_V1_1));
}
/**
diff --git a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
index a3d960d7..86c7d484 100644
--- a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
+++ b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
@@ -142,6 +142,9 @@ public final class StandardNames {
Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"));
public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>(
Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.3"));
+ // Deprecated TLS protocols... May or may not be present or enabled.
+ public static final Set<String> SSL_CONTEXT_PROTOCOLS_DEPRECATED = new HashSet<>(
+ Arrays.asList("TLSv1", "TLSv1.1"));
public static final Set<String> KEY_TYPES = new HashSet<String>(
Arrays.asList("RSA", "DSA", "DH_RSA", "DH_DSA", "EC", "EC_EC", "EC_RSA"));
@@ -388,10 +391,13 @@ public final class StandardNames {
* assertSupportedProtocols additionally verifies that all
* supported protocols where in the input array.
*/
- private static void assertSupportedProtocols(Set<String> expected, String[] protocols) {
- Set<String> remainingProtocols = assertValidProtocols(expected, protocols);
+ private static void assertSupportedProtocols(Set<String> valid, String[] protocols) {
+ Set<String> remainingProtocols = assertValidProtocols(valid, protocols);
+
+ // TODO(prb) Temporarily ignore TLSv1.x: See comment for assertSSLContextEnabledProtocols()
+ remainingProtocols.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
+
assertEquals("Missing protocols", Collections.EMPTY_SET, remainingProtocols);
- assertEquals(expected.size(), protocols.length);
}
/**
@@ -432,9 +438,18 @@ public final class StandardNames {
}
public static void assertSSLContextEnabledProtocols(String version, String[] protocols) {
- assertEquals("For protocol \"" + version + "\"",
- Arrays.toString(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version)),
- Arrays.toString(protocols));
+ Set<String> expected = new HashSet<>(
+ Arrays.asList(SSL_CONTEXT_PROTOCOLS_ENABLED.get(version)));
+ Set<String> actual = new HashSet<>(Arrays.asList(protocols));
+
+ // TODO(prb): Temporary measure - just ignore deprecated protocols. Allows
+ // testing on source trees where these have been disabled in unknown ways.
+ // Future work will provide a supported API for disabling protocols, but for
+ // now we need to work with what's in the field.
+ expected.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
+ actual.removeAll(SSL_CONTEXT_PROTOCOLS_DEPRECATED);
+
+ assertEquals("For protocol \"" + version + "\"", expected, actual);
}
/**