From 8f4ad60ce760052c080111b16da77e4087cdd1ea Mon Sep 17 00:00:00 2001 From: Takuro Ashie Date: Thu, 18 Feb 2021 11:24:54 +0900 Subject: [PATCH] Drop testing TLS 1.1 Recent distributions disables TLS 1.1 by default due to its vulnerability so that tests for it is always failed: 2021-02-18T01:09:13.2360942Z Failure: test: can specify multiple TLS versions by min_version/max_version(ServerPluginHelperTest::#server_create_tls::TLS version connection check): 2021-02-18T01:09:13.2362181Z Exception raised: 2021-02-18T01:09:13.2363101Z OpenSSL::SSL::SSLError() ... 2021-02-18T01:09:13.2479586Z /home/runner/work/fluentd/fluentd/test/plugin_helper/test_server.rb:1515:in `block (4 levels) in ' 2021-02-18T01:09:13.2480420Z 1512: end 2021-02-18T01:09:13.2480756Z 1513: } 2021-02-18T01:09:13.2481333Z 1514: [:'TLS1_1', :'TLS1_2'].each { |ver| 2021-02-18T01:09:13.2481799Z => 1515: assert_nothing_raised { 2021-02-18T01:09:13.2482655Z 1516: open_tls_session('127.0.0.1', PORT, cert_path: @cert_path, version: ver) do |sock| 2021-02-18T01:09:13.2483202Z 1517: end 2021-02-18T01:09:13.2483544Z 1518: } Signed-off-by: Takuro Ashie
---
 test/plugin_helper/test_server.rb | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/test/plugin_helper/test_server.rb b/test/plugin_helper/test_server.rb
index e24f13a39f..bf6d0c1df0 100644
--- a/test/plugin_helper/test_server.rb
+++ b/test/plugin_helper/test_server.rb
@@ -1495,8 +1495,13 @@ def assert_certificate(cert, expected_extensions)
 test "can't connect with different TLS version" do
 @d.server_create_tls(:s, PORT, tls_options: @tls_options) do |data, conn|
 end
+ if defined?(OpenSSL::SSL::TLS1_3_VERSION)
+ version = :'TLS1_3'
+ else
+ version = :'TLS1_1'
+ end
 assert_raise(OpenSSL::SSL::SSLError, Errno::ECONNRESET) {
- open_tls_session('127.0.0.1', PORT, cert_path: @cert_path, version: :'TLS1_1') do |sock|
+ open_tls_session('127.0.0.1', PORT, cert_path: @cert_path, version: version) do |sock|
 end
 }
 end
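Review bot: The `else` branch still sets `version = :'TLS1_1'`, the protocol the commit message says recent distributions disable, so on a build without `OpenSSL::SSL::TLS1_3_VERSION` the `assert_raise` may be satisfied by the client refusing to offer TLS 1.1 rather than by the server rejecting it. Because the assertion accepts any `OpenSSL::SSL::SSLError` or `Errno::ECONNRESET`, the test cannot tell those two cases apart; a comment above the fallback such as `# may fail client-side where TLS 1.1 is disabled by system policy` would make that limit explicit. The test presumably relies on `@tls_options` pinning the server to a single version other than the one chosen here, which is set outside this hunk and worth confirming. The same `defined?(OpenSSL::SSL::TLS1_3_VERSION)` probe is repeated in the next hunk, so a small shared helper returning the highest testable version would keep the two tests in step.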
@@ -1504,14 +1509,21 @@ def assert_certificate(cert, expected_extensions)
 test "can specify multiple TLS versions by min_version/max_version" do
 omit "min_version=/max_version= is not supported" unless Fluent::TLS::MIN_MAX_AVAILABLE
- opts = @tls_options.merge(min_version: :'TLS1_1', max_version: :'TLSv1_2')
+ min_version = :'TLS1_2'
+ if defined?(OpenSSL::SSL::TLS1_3_VERSION)
+ max_version = :'TLS1_3'
+ else
+ max_version = :'TLS1_2'
+ end
+
+ opts = @tls_options.merge(min_version: min_version, max_version: max_version)
 @d.server_create_tls(:s, PORT, tls_options: opts) do |data, conn|
 end
 assert_raise(OpenSSL::SSL::SSLError, Errno::ECONNRESET) {
 open_tls_session('127.0.0.1', PORT, cert_path: @cert_path, version: :'TLS1') do |sock|
 end
 }
- [:'TLS1_1', :'TLS1_2'].each { |ver|
+ [min_version, max_version].each { |ver|
 assert_nothing_raised {
 open_tls_session('127.0.0.1', PORT, cert_path: @cert_path, version: ver) do |sock|
 end
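Review bot: When `OpenSSL::SSL::TLS1_3_VERSION` is not defined, `min_version` and `max_version` are both `:'TLS1_2'`, so `[min_version, max_version].each` opens the same TLS 1.2 session twice and the test no longer exercises a multi-version range despite its name. Consider `[min_version, max_version].uniq.each { |ver|` and a comment (or an `omit`) stating that the range collapses to one version on such builds. The rejection check still only tries `:'TLS1'`, so a server that wrongly accepted TLS 1.1 below the configured `min_version` would not be caught here; that is probably unavoidable where the client cannot offer TLS 1.1, but it deserves a comment next to the `assert_raise`. The test block continues past the end of the hunk.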