Fix for tests failing due to expecting unsupported TLS versions.

Change-Id: I24f8ad9fa2228277509c572cc835466d125007f5

src/test/java/testsuite/BaseTestCase.java

@@ -52,6 +52,7 @@
 import java.sql.SQLException;
 import java.sql.Statement;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.List;
@@ -61,6 +62,8 @@
 import java.util.StringJoiner;
 import java.util.concurrent.Callable;
 
+import javax.net.ssl.SSLContext;
+
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.TestInfo;
@@ -1294,6 +1297,30 @@ protected boolean supportsTLSv1_2(ServerVersion version) throws Exception {
                 || version.meetsMinimum(new ServerVersion(5, 6, 0)) && Util.isEnterpriseEdition(version.toString());
     }
 
+    protected String getHighestCommonTlsVersion() throws Exception {
+        // Find out which TLS protocol versions are supported by this JVM.
+        SSLContext sslContext = SSLContext.getInstance("TLS");
+        sslContext.init(null, null, null);
+        List<String> jvmSupportedProtocols = Arrays.asList(sslContext.createSSLEngine().getSupportedProtocols());
+
+        this.rs = this.stmt.executeQuery("SHOW GLOBAL VARIABLES LIKE 'tls_version'");
+        assertTrue(this.rs.next());
+        String value = this.rs.getString(2);
+
+        List<String> serverSupportedProtocols = Arrays.asList(value.trim().split("\\s*,\\s*"));
+        String highestCommonTlsVersion = "";
+        for (String p : new String[] { "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1" }) {
+            if (jvmSupportedProtocols.contains(p) && serverSupportedProtocols.contains(p)) {
+                highestCommonTlsVersion = p;
+                break;
+            }
+        }
+        System.out.println("Server supports TLS protocols: " + serverSupportedProtocols);
+        System.out.println("Highest common TLS protocol: " + highestCommonTlsVersion);
+
+        return highestCommonTlsVersion;
+    }
+
     protected void assertSessionStatusEquals(Statement st, String statusVariable, String expected) throws Exception {
         ResultSet rs1 = st.executeQuery("SHOW SESSION STATUS LIKE '" + statusVariable + "'");
         assertTrue(rs1.next());

src/test/java/testsuite/simple/ConnectionTest.java

@@ -2267,13 +2267,12 @@ public void testTLSVersionRemoval() throws Exception {
         assumeTrue(supportsTestCertificates(this.stmt),
                 "This test requires the server configured with SSL certificates from ConnectorJ/src/test/config/ssl-test-certs");
 
-        String testCipher = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; // IANA Cipher name
-        String expectedCipher = "ECDHE-RSA-AES128-GCM-SHA256"; // OpenSSL Cipher name
-        String testTlsVersion = "TLSv1.2";
-        if (versionMeetsMinimum(8, 2)) {
-            testCipher = "TLS_AES_256_GCM_SHA384"; // IANA Cipher name
-            expectedCipher = "TLS_AES_256_GCM_SHA384"; // IANA Cipher name
-            testTlsVersion = "TLSv1.3";
+        String testCipher = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; // TLSv1.2 IANA Cipher name.
+        String expectedCipher = "ECDHE-RSA-AES128-GCM-SHA256"; // TLSv1.2 OpenSSL Cipher name.
+        String testTlsVersion = getHighestCommonTlsVersion(); // At least TLSv1.2 is expected to be supported.
+        if ("TLSv1.3".equalsIgnoreCase(testTlsVersion)) {
+            testCipher = "TLS_AES_256_GCM_SHA384"; // TLSv1.3 IANA Cipher name.
+            expectedCipher = "TLS_AES_256_GCM_SHA384"; // TLSv1.3 IANA Cipher name.
         }
 
         Connection con = null;

src/test/java/testsuite/x/devapi/SecureSessionTest.java

@@ -804,21 +804,26 @@ private String getHighestCommonTlsVersion(Session sess) throws Exception {
 
     /**
      * Tests fix for Bug#25494338, ENABLEDSSLCIPHERSUITES PARAMETER NOT WORKING AS EXPECTED WITH X-PLUGIN.
+     *
+     * @throws Exception
      */
     @Test
-    public void testBug25494338() {
+    public void testBug25494338() throws Exception {
         assumeTrue(supportsTestCertificates(this.session),
                 "This test requires the server configured with SSL certificates from ConnectorJ/src/test/config/ssl-test-certs");
 
-        String testCipher1 = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; // IANA Cipher name
-        String expectedCipher1 = "ECDHE-RSA-AES128-GCM-SHA256"; // OpenSSL Cipher name
-        String testCipher2 = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; // IANA Cipher name
-        String expectedCipher2 = "ECDHE-RSA-AES256-GCM-SHA384"; // OpenSSL Cipher name
-        if (mysqlVersionMeetsMinimum(ServerVersion.parseVersion("8.2.0"))) {
-            testCipher1 = "TLS_AES_256_GCM_SHA384"; // IANA Cipher name
-            expectedCipher1 = "TLS_AES_256_GCM_SHA384"; // IANA Cipher name
-            testCipher2 = "TLS_AES_128_GCM_SHA256"; // IANA Cipher name
-            expectedCipher2 = "TLS_AES_128_GCM_SHA256"; // IANA Cipher name
+        String testCipher1 = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; // TLSv1.2 IANA Cipher name.
+        String expectedCipher1 = "ECDHE-RSA-AES128-GCM-SHA256"; // TLSv1.2 OpenSSL Cipher name.
+        String testCipher2 = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; // TLSv1.2 IANA Cipher name.
+        String expectedCipher2 = "ECDHE-RSA-AES256-GCM-SHA384"; // TLSv1.2 OpenSSL Cipher name.
+        Session sess = this.fact.getSession(this.baseUrl);
+        String testTlsVersion = getHighestCommonTlsVersion(sess); // At least TLSv1.2 is expected to be supported.
+        sess.close();
+        if ("TLSv1.3".equalsIgnoreCase(testTlsVersion)) {
+            testCipher1 = "TLS_AES_256_GCM_SHA384"; // TLSv1.3 IANA Cipher name.
+            expectedCipher1 = "TLS_AES_256_GCM_SHA384"; // TLSv1.3 IANA Cipher name.
+            testCipher2 = "TLS_AES_128_GCM_SHA256"; // TLSv1.3 IANA Cipher name.
+            expectedCipher2 = "TLS_AES_128_GCM_SHA256"; // TLSv1.3 IANA Cipher name.
         }
 
         Session testSession = null;
@@ -838,7 +843,7 @@ public void testBug25494338() {
 
             // 1. Allow only TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256/TLS_AES_256_GCM_SHA384 cipher
             props.setProperty(PropertyKey.tlsCiphersuites.getKeyName(), testCipher1);
-            Session sess = this.fact.getSession(props);
+            sess = this.fact.getSession(props);
             assertSessionStatusEquals(sess, "mysqlx_ssl_cipher", expectedCipher1);
             sess.close();
 
@@ -949,22 +954,18 @@ public void testXdevapiTlsVersionsAndCiphersuites() throws Exception {
                 "This test requires the server configured with SSL certificates from ConnectorJ/src/test/config/ssl-test-certs");
         assumeTrue(supportsTestCertificates(this.session), "This test requires the server with RSA support.");
 
-        String testCipher = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; // IANA Cipher name
-        String expectedCipher = "ECDHE-RSA-AES128-GCM-SHA256"; // OpenSSL Cipher name
-        String testTlsVersion = "TLSv1.2";
+        String testCipher = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; // TLSv1.2 IANA Cipher name.
+        String expectedCipher = "ECDHE-RSA-AES128-GCM-SHA256"; // TLSv1.2 OpenSSL Cipher name.
+        Session sess = this.fact.getSession(this.baseUrl);
+        String testTlsVersion = getHighestCommonTlsVersion(sess); // At least TLSv1.2 is expected to be supported.
         String testCipher2 = "DHE-RSA-AES128-GCM-SHA256";
-        if (mysqlVersionMeetsMinimum(ServerVersion.parseVersion("8.2.0"))) {
-            testCipher = "TLS_AES_256_GCM_SHA384"; // IANA Cipher name
-            expectedCipher = "TLS_AES_256_GCM_SHA384"; // IANA Cipher name
-            testTlsVersion = "TLSv1.3";
+        sess.close();
+        if ("TLSv1.3".equalsIgnoreCase(testTlsVersion)) {
+            testCipher = "TLS_AES_256_GCM_SHA384"; // TLSv1.3 IANA Cipher name.
+            expectedCipher = "TLS_AES_256_GCM_SHA384"; // TLSv1.3 IANA Cipher name.
             testCipher2 = "TLS_AES_128_GCM_SHA256";
         }
 
-        // newer GPL servers, like 8.0.4+, are using OpenSSL and can use RSA encryption, while old ones compiled with yaSSL cannot
-        Session sess = this.fact.getSession(this.sslFreeBaseUrl);
-        String highestCommonTlsVersion = getHighestCommonTlsVersion(sess);
-        sess.close();
-
         Properties props = new Properties(this.sslFreeTestProperties);
         props.setProperty(PropertyKey.xdevapiSslMode.getKeyName(), PropertyDefinitions.XdevapiSslMode.VERIFY_CA.toString());
         props.setProperty(PropertyKey.xdevapiSslTrustStoreUrl.getKeyName(), this.trustStoreUrl);
@@ -1189,7 +1190,7 @@ public void testXdevapiTlsVersionsAndCiphersuites() throws Exception {
         //            Assess that the session is created successfully and the connection properties are initialized with the expected values.
         testSession = this.fact.getSession(this.sslFreeBaseUrl);
         assertSecureSession(testSession);
-        assertTlsVersion(testSession, highestCommonTlsVersion);
+        assertTlsVersion(testSession, testTlsVersion);
         testSession.close();
 
         // TS.FR.5_2. Create an X DevAPI session using a connection string with the connection property xdevapi.tls-versions but without
@@ -1216,7 +1217,7 @@ public void testXdevapiTlsVersionsAndCiphersuites() throws Exception {
         props.remove(PropertyKey.xdevapiTlsCiphersuites.getKeyName());
         testSession = this.fact.getSession(props);
         assertSecureSession(testSession);
-        assertTlsVersion(testSession, highestCommonTlsVersion);
+        assertTlsVersion(testSession, testTlsVersion);
         testSession.close();
 
         // TS.FR.5_5. Create an X DevAPI session using a connection properties map with the connection property xdevapi.tls-versions but without
@@ -1243,7 +1244,7 @@ public void testXdevapiTlsVersionsAndCiphersuites() throws Exception {
         cli = cf.getClient(this.sslFreeBaseUrl, "{\"pooling\": {\"enabled\": true}}");
         testSession = cli.getSession();
         assertSecureSession(testSession);
-        assertTlsVersion(testSession, highestCommonTlsVersion);
+        assertTlsVersion(testSession, testTlsVersion);
         cli.close();
 
         cli = cf.getClient(this.sslFreeBaseUrl + makeParam(PropertyKey.xdevapiTlsVersions, testTlsVersion), "{\"pooling\": {\"enabled\": true}}");
@@ -1734,16 +1735,16 @@ public void testTLSVersionRemoval() throws Exception {
         assumeTrue(supportsTestCertificates(this.session),
                 "This test requires the server configured with SSL certificates from ConnectorJ/src/test/config/ssl-test-certs");
 
-        String testCipher = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; // IANA Cipher name
-        String expectedCipher = "ECDHE-RSA-AES128-GCM-SHA256"; // OpenSSL Cipher name
-        String testTlsVersion = "TLSv1.2";
-        if (mysqlVersionMeetsMinimum(ServerVersion.parseVersion("8.2.0"))) {
-            testCipher = "TLS_AES_256_GCM_SHA384"; // IANA Cipher name
-            expectedCipher = "TLS_AES_256_GCM_SHA384"; // IANA Cipher name
-            testTlsVersion = "TLSv1.3";
+        String testCipher = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; // TLSv1.2 IANA Cipher name.
+        String expectedCipher = "ECDHE-RSA-AES128-GCM-SHA256"; // TLSv1.2 OpenSSL Cipher name.
+        Session sess = this.fact.getSession(this.baseUrl);
+        String testTlsVersion = getHighestCommonTlsVersion(sess); // At least TLSv1.2 is expected to be supported.
+        sess.close();
+        if ("TLSv1.3".equalsIgnoreCase(testTlsVersion)) {
+            testCipher = "TLS_AES_256_GCM_SHA384"; // TLSv1.3 IANA Cipher name.
+            expectedCipher = "TLS_AES_256_GCM_SHA384"; // TLSv1.3 IANA Cipher name.
         }
 
-        Session sess = null;
         Properties props = new Properties(this.sslFreeTestProperties);
         props.setProperty(PropertyKey.sslMode.getKeyName(), SslMode.REQUIRED.name());
         props.setProperty(PropertyKey.allowPublicKeyRetrieval.getKeyName(), "true");