Workaround JDK-8213202 in SSLClientAuthTests

jaymode · jaymode · commit f8f459253163 · 2019-09-12T11:23:46.000-06:00
This change works around JDK-8213202, which is a bug related to TLSv1.3 session resumption before JDK 11.0.3 that occurs when there are multiple concurrent sessions being established. Nodes connecting to each other will trigger this bug when client authentication is disabled, which is the case for SSLClientAuthTests. Closes elastic#46230
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java
@@ -88,6 +88,10 @@ protected Settings nodeSettings(int nodeOrdinal) {
         return builder
                 // invert the require auth settings
                 .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE)
+                // Due to the TLSv1.3 bug with session resumption when client authentication is not
+                // used, we need to set the protocols since we disabled client auth for transport
+                // to avoid failures on pre 11.0.3 JDKs. See #getProtocols
+                .putList("xpack.security.transport.ssl.supported_protocols", getProtocols())
                 .put("xpack.security.http.ssl.enabled", true)
                 .put("xpack.security.http.ssl.client_authentication", SSLClientAuth.REQUIRED)
                 .build();
@@ -98,7 +102,6 @@ protected boolean transportSSLEnabled() {
         return true;
     }
 
-    @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/46230")
     public void testThatHttpFailsWithoutSslClientAuth() throws IOException {
         SSLIOSessionStrategy sessionStrategy = new SSLIOSessionStrategy(SSLContexts.createDefault(), NoopHostnameVerifier.INSTANCE);
         try (RestClient restClient = createRestClient(httpClientBuilder -> httpClientBuilder.setSSLStrategy(sessionStrategy), "https")) {
@@ -115,7 +118,6 @@ public void testThatHttpFailsWithoutSslClientAuth() throws IOException {
         }
     }
 
-    @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/46230")
     public void testThatHttpWorksWithSslClientAuth() throws IOException {
         SSLIOSessionStrategy sessionStrategy = new SSLIOSessionStrategy(getSSLContext(), NoopHostnameVerifier.INSTANCE);
         try (RestClient restClient = createRestClient(httpClientBuilder -> httpClientBuilder.setSSLStrategy(sessionStrategy), "https")) {
