Issue #5684 - Update TLS tests

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>

jetty-client/src/test/java/org/eclipse/jetty/client/HttpClientRedirectTest.java

@@ -14,10 +14,12 @@
 package org.eclipse.jetty.client;
 
 import java.io.IOException;
+import java.net.InetAddress;
 import java.net.URLDecoder;
+import java.net.UnknownHostException;
 import java.nio.ByteBuffer;
-import java.nio.channels.UnresolvedAddressException;
 import java.nio.charset.StandardCharsets;
+import java.util.Random;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
@@ -38,9 +40,11 @@
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.toolchain.test.IO;
 import org.hamcrest.Matchers;
-import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Assumptions;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.ArgumentsSource;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
@@ -52,6 +56,8 @@
 
 public class HttpClientRedirectTest extends AbstractHttpClientServerTest
 {
+    private static final Logger LOG = LoggerFactory.getLogger(HttpClientRedirectTest.class);
+
     @ParameterizedTest
     @ArgumentsSource(ScenarioProvider.class)
     public void test303(Scenario scenario) throws Exception
@@ -287,24 +293,26 @@ protected void service(String target, Request jettyRequest, HttpServletRequest r
 
     @ParameterizedTest
     @ArgumentsSource(ScenarioProvider.class)
-    @Disabled
     public void testRedirectFailed(Scenario scenario) throws Exception
     {
-        // TODO this test is failing with timout after an ISP upgrade??  DNS dependent?
+        // Skip this test if DNS Hijacking is detected
+        Assumptions.assumeFalse(detectDnsHijacking());
+
         start(scenario, new RedirectHandler());
 
-        try
-        {
-            client.newRequest("localhost", connector.getLocalPort())
+        ExecutionException e = assertThrows(ExecutionException.class,
+            () -> client.newRequest("localhost", connector.getLocalPort())
                 .scheme(scenario.getScheme())
                 .path("/303/doesNotExist/done")
                 .timeout(5, TimeUnit.SECONDS)
-                .send();
-        }
-        catch (ExecutionException x)
-        {
-            assertThat(x.getCause(), Matchers.instanceOf(UnresolvedAddressException.class));
-        }
+                .send());
+
+        assertThat("Cause", e.getCause(), Matchers.anyOf(
+            // Exception seen on some updates of OpenJDK 8
+            // Matchers.instanceOf(UnresolvedAddressException.class),
+            // Exception seen on OpenJDK 11+
+            Matchers.instanceOf(UnknownHostException.class))
+        );
     }
 
     @ParameterizedTest
@@ -711,4 +719,48 @@ protected void service(String target, Request jettyRequest, HttpServletRequest r
             }
         }
     }
+
+    public static boolean detectDnsHijacking()
+    {
+        String host1 = randomHostname();
+        String host2 = randomHostname();
+        String addr1 = getInetHostAddress(host1);
+        String addr2 = getInetHostAddress(host2);
+
+        boolean ret = (addr1.equals(addr2));
+
+        if (ret)
+        {
+            LOG.warn("DNS Hijacking detected (these should not return the same host address): host1={} ({}), host2={} ({})",
+                host1, addr1,
+                host2, addr2);
+        }
+
+        return ret;
+    }
+
+    private static String getInetHostAddress(String hostname)
+    {
+        try
+        {
+            InetAddress addr = InetAddress.getByName(hostname);
+            return addr.getHostAddress();
+        }
+        catch (Throwable t)
+        {
+            return "<unknown:" + hostname + ">";
+        }
+    }
+
+    private static String randomHostname()
+    {
+        String digits = "0123456789abcdefghijklmnopqrstuvwxyz";
+        Random random = new Random();
+        char[] host = new char[7 + random.nextInt(8)];
+        for (int i = 0; i < host.length; ++i)
+        {
+            host[i] = digits.charAt(random.nextInt(digits.length()));
+        }
+        return new String(host) + ".tld.";
+    }
 }

jetty-client/src/test/java/org/eclipse/jetty/client/HttpClientTLSTest.java

@@ -23,6 +23,7 @@
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
+import java.util.List;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.Executor;
@@ -66,7 +67,6 @@
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.condition.EnabledOnJre;
 import org.junit.jupiter.api.condition.JRE;
@@ -265,10 +265,20 @@ public void handshakeFailed(Event event, Throwable failure)
         assertTrue(clientLatch.await(1, TimeUnit.SECONDS));
     }
 
-    // In JDK 11+, a mismatch on the client does not generate any bytes towards
-    // the server, while in previous JDKs the client sends to the server the close_notify.
-    // @EnabledOnJre({JRE.JAVA_8, JRE.JAVA_9, JRE.JAVA_10})
-    @Disabled("No longer viable, TLS protocol behavior changed in 8u272")
+    /**
+     * This tests the behavior of the Client side when you have an intentional
+     * mismatch of the TLS Protocol and TLS Ciphers on the client and attempt to
+     * initiate a connection.
+     * <p>
+     * In older versions of Java 8 (pre 8u272) the JDK client side logic
+     * would generate bytes and send it to the server along with a close_notify
+     * </p>
+     * <p>
+     * Starting in Java 8 (8u272) and Java 11.0.0, the client logic will not
+     * send any bytes to the server.
+     * </p>
+     */
+    @Test
     public void testMismatchBetweenTLSProtocolAndTLSCiphersOnClient() throws Exception
     {
         SslContextFactory.Server serverTLSFactory = createServerSslContextFactory();
@@ -285,11 +295,18 @@ public void handshakeFailed(Event event, Throwable failure)
         });
 
         SslContextFactory.Client clientTLSFactory = createClientSslContextFactory();
-        // TLS 1.1 protocol, but only TLS 1.2 ciphers.
-        clientTLSFactory.setIncludeProtocols("TLSv1.1");
-        clientTLSFactory.setIncludeCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
+        // Use TLSv1.2 (as TLSv1.1 and older are now disabled in Java 8u292+ and Java 11+)
+        clientTLSFactory.setIncludeProtocols("TLSv1.2");
+        // Use only a cipher suite that exists for TLSv1.3 (this is the mismatch)
+        clientTLSFactory.setIncludeCipherSuites("TLS_AES_256_GCM_SHA384");
         startClient(clientTLSFactory);
 
+        // If this JVM has "TLSv1.3" present, then it's assumed that it also has the new logic
+        // to not send bytes to the server when a protocol and cipher suite mismatch occurs
+        // on the client side configuration.
+        List<String> supportedClientProtocols = Arrays.asList(clientTLSFactory.getSslContext().getSupportedSSLParameters().getProtocols());
+        boolean expectServerFailure = !(supportedClientProtocols.contains("TLSv1.3"));
+
         CountDownLatch clientLatch = new CountDownLatch(1);
         client.addBean(new SslHandshakeListener()
         {
@@ -306,7 +323,8 @@ public void handshakeFailed(Event event, Throwable failure)
                 .timeout(5, TimeUnit.SECONDS)
                 .send());
 
-        assertTrue(serverLatch.await(1, TimeUnit.SECONDS));
+        if (expectServerFailure)
+            assertTrue(serverLatch.await(1, TimeUnit.SECONDS));
         assertTrue(clientLatch.await(1, TimeUnit.SECONDS));
     }