[TESTS] Pin MockWebServer to TLS1.2 (elastic#33127)

jkakavas · web-flow · commit 214652d4af81 · 2018-08-30T09:13:28.000+03:00
Ensure that the SSLConfigurationReloaderTests can run with JDK 11 by pinning the Server TLS version to TLS1.2. This can be revisited while tackling the effort to full support TLSv1.3 in elastic#32276 Resolves elastic#32124
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java
@@ -78,7 +78,6 @@ public void cleanup() throws Exception {
     /**
      * Tests reloading a keystore that is used in the KeyManager of SSLContext
      */
-    @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/32124")
     public void testReloadingKeyStore() throws Exception {
         assumeFalse("Can't run in a FIPS JVM", inFipsJvm());
         final Path tempDir = createTempDir();
@@ -192,7 +191,6 @@ public void testPEMKeyConfigReloading() throws Exception {
      * Tests the reloading of SSLContext when the trust store is modified. The same store is used as a TrustStore (for the
      * reloadable SSLContext used in the HTTPClient) and as a KeyStore for the MockWebServer
      */
-    @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/32124")
     public void testReloadingTrustStore() throws Exception {
         assumeFalse("Can't run in a FIPS JVM", inFipsJvm());
         Path tempDir = createTempDir();
@@ -479,7 +477,9 @@ private static MockWebServer getSslServer(Path keyStorePath, String keyStorePass
         try (InputStream is = Files.newInputStream(keyStorePath)) {
             keyStore.load(is, keyStorePass.toCharArray());
         }
-        final SSLContext sslContext = new SSLContextBuilder().loadKeyMaterial(keyStore, keyStorePass.toCharArray())
+        // TODO Revisit TLS1.2 pinning when TLS1.3 is fully supported
+        // https://github.com/elastic/elasticsearch/issues/32276
+        final SSLContext sslContext = new SSLContextBuilder().useProtocol("TLSv1.2").loadKeyMaterial(keyStore, keyStorePass.toCharArray())
             .build();
         MockWebServer server = new MockWebServer(sslContext, false);
         server.enqueue(new MockResponse().setResponseCode(200).setBody("body"));
@@ -493,7 +493,9 @@ private static MockWebServer getSslServer(Path keyPath, Path certPath, String pa
         keyStore.load(null, password.toCharArray());
         keyStore.setKeyEntry("testnode_ec", PemUtils.readPrivateKey(keyPath, password::toCharArray), password.toCharArray(),
             CertParsingUtils.readCertificates(Collections.singletonList(certPath)));
-        final SSLContext sslContext = new SSLContextBuilder().loadKeyMaterial(keyStore, password.toCharArray())
+        // TODO Revisit TLS1.2 pinning when TLS1.3 is fully supported
+        // https://github.com/elastic/elasticsearch/issues/32276
+        final SSLContext sslContext = new SSLContextBuilder().useProtocol("TLSv1.2").loadKeyMaterial(keyStore, password.toCharArray())
             .build();
         MockWebServer server = new MockWebServer(sslContext, false);
         server.enqueue(new MockResponse().setResponseCode(200).setBody("body"));
