ZOOKEEPER-5045: Fall back to TLSv1.2 default in FIPS mode

[PDavid]

No description provided.

[anmolnar]

@PDavid Thanks for the patch. Overall lgtm. Just a few comments.

[PDavid]

Hmm, X509UtilTest.testCreateSSLContext* tests failed in the PR build. I'll have a look.

[anmolnar]

How about the following?
No static field needed.

    private final AtomicReference<String> defaultProtocol = new AtomicReference<>();

    /**
     * Return TLSv1.2 when FIPS mode is enabled.
     * Otherwise, returns TLSv1.3 or TLSv1.2 depending on Java runtime version being used.
     * TLSv1.3 was first introduced in JDK11 and back-ported to OpenJDK 8u272.
     */
    public String defaultTlsProtocol(ZKConfig config) {
        String proto = defaultProtocol.get();
        if (proto != null) {
            return proto;
        }
        String protocol = TLS_1_2;
        if (!getFipsMode(config)) {
            List<String> supported = new ArrayList<>();
            try {
                supported = Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
                LOG.info("Supported TLS protocols are {}", supported);
                if (supported.contains(TLS_1_3)) {
                    protocol = TLS_1_3;
                }
            } catch (NoSuchAlgorithmException e) {
                // Ignore.
            }
        }
        if (defaultProtocol.compareAndSet(null, protocol)) {
            LOG.info("Default TLS protocol is {}", protocol);
        } else {
            protocol = defaultProtocol.get();
        }
        return protocol;
    }

[anmolnar]

@meszibalu Actually it could be static/singleton, we don't need to calculate it for every single instance, do we?

[anmolnar]

I don't think we can implement a test like this. SSLContext.getDefault() will cache the problem and subsequent tests will fail even if the properties are reverted.

[meszibalu]

According to the javadoc:

If a default context was set using the SSLContext.setDefault() method, it is returned. Otherwise, the first call of this method triggers the call SSLContext.getInstance("Default").

And the code in java 25:

public static SSLContext getDefault() throws NoSuchAlgorithmException {
    SSLContext temporaryContext = defaultContext;
    if (temporaryContext == null) {
        temporaryContext = SSLContext.getInstance("Default");
        if (!VH_DEFAULT_CONTEXT.compareAndSet(null, temporaryContext)) {
            temporaryContext = defaultContext;
        }
    }

    return temporaryContext;
}

Which means we can call SSLContext.getInstance("Default") and it will NOT cache.

[PDavid]

Just a question: So if SSLContext.getDefault() will cache and not create a new SSL context, do we need our own complex caching solution to avoid calling SSLContext.getDefault() on every method call? Or can we just use the original solution which was without the field (e.g. the first commit)? 🤔

[PDavid]

OK, I tried to use SSLContext.getInstance("Default") instead of SSLContext.getDefault() but was not able to make the tests work.

[PDavid]

I was not able to make this test work, not even with SSLContext.setDefault.

So I removed it. 🤷‍♂️

[anmolnar]

Me neither. I spent a few hours yesterday with this, but I'm unable to "reset" the property values. All tests are green if run without the new test or alone, but not with it. There's some state change in the background which I couldn't find.

[anmolnar]

Just one more thing.

[anmolnar]

Make it static, because we shouldn't calculate it for every instance.

[PDavid]

org.apache.zookeeper.server.admin.SnapshotAndRestoreCommandTest.testSnapshotAndRestoreCommand_streaming failed in the Jenkins PR build. I think it is unrelated.

[anmolnar]

Merged to master branch. Thanks @PDavid and @meszibalu !
Please create separate pull request for branch-3.9

[PDavid]

Many thanks for the reviews @anmolnar and @meszibalu! 👍