MLE-16818 Defaulting protocol to "TLS"

Learned that this will allow Java to use the highest TLS protocol supported by the server.

Author: rjrudin

marklogic-client-api-functionaltests/src/test/java/com/marklogic/client/fastfunctest/TestDatabaseClientConnection.java

@@ -30,16 +30,14 @@
 import javax.xml.transform.TransformerException;
 import java.io.*;
 import java.security.KeyManagementException;
-import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.text.DecimalFormat;
 import java.util.Iterator;
 import java.util.Map;
 import java.util.TreeMap;
 
+import static junit.framework.Assert.assertFalse;
 import static org.custommonkey.xmlunit.XMLAssert.assertXMLEqual;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -88,49 +86,36 @@ public void testDatabaseClientConnectionExist() throws KeyManagementException, N
     client.release();
   }
 
-  // To test getters of SecurityContext
-  @Test
-  public void testDatabaseClientGetters() throws KeyManagementException, NoSuchAlgorithmException, IOException
-  {
-    System.out.println("Running testDatabaseClientGetters");
-
-    DatabaseClient client = null;
-	SSLContext sslcontext = null;
-	SecurityContext secContext = newSecurityContext("rest-reader", "x");
-
-		try {
-			sslcontext = getSslContext();
-		} catch (UnrecoverableKeyException | KeyStoreException | CertificateException e) {
-			e.printStackTrace();
-		}
+	@Test
+	public void testDatabaseClientGetters() throws Exception {
+		SecurityContext secContext = newSecurityContext("rest-reader", "x");
+		SSLContext sslcontext = getSslContext();
 
 		secContext.withSSLContext(sslcontext, new X509TrustManager() {
-			public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
-				// nothing to do
-			}
-
-			public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
-				// nothing to do
-			}
-
-			public X509Certificate[] getAcceptedIssuers() {
-				return new X509Certificate[0];
-			}
-		})
-		.withSSLHostnameVerifier(SSLHostnameVerifier.ANY);
-
-		client = newDatabaseClientBuilder().withSecurityContext(secContext).build();
-	SecurityContext readSecContext = client.getSecurityContext();
-	String verifier = readSecContext.getSSLHostnameVerifier().toString();
-	String protocol = readSecContext.getSSLContext().getProtocol();
-	boolean needClient = readSecContext.getSSLContext().getSupportedSSLParameters().getNeedClientAuth();
-
-    assertTrue(verifier.contains("Builtin"));
-    assertTrue(protocol.contains("TLSv1.2"));
-    assertTrue(needClient == false);
-    // release client
-    client.release();
-  }
+				public void checkClientTrusted(X509Certificate[] x509Certificates, String s) {
+					// nothing to do
+				}
+
+				public void checkServerTrusted(X509Certificate[] x509Certificates, String s) {
+					// nothing to do
+				}
+
+				public X509Certificate[] getAcceptedIssuers() {
+					return new X509Certificate[0];
+				}
+			})
+			.withSSLHostnameVerifier(SSLHostnameVerifier.ANY);
+
+		try (DatabaseClient client = newDatabaseClientBuilder().withSecurityContext(secContext).build()) {
+			SecurityContext readSecContext = client.getSecurityContext();
+			String verifier = readSecContext.getSSLHostnameVerifier().toString();
+			String protocol = readSecContext.getSSLContext().getProtocol();
+			boolean needClient = readSecContext.getSSLContext().getSupportedSSLParameters().getNeedClientAuth();
+			assertTrue(verifier.contains("Builtin"));
+			assertTrue(protocol.contains("TLS"));
+			assertFalse(needClient);
+		}
+	}
 
 
 	@Test

marklogic-client-api-functionaltests/src/test/java/com/marklogic/client/functionaltest/ConnectedRESTQA.java

@@ -14,6 +14,7 @@
 import com.marklogic.client.DatabaseClientBuilder;
 import com.marklogic.client.DatabaseClientFactory;
 import com.marklogic.client.admin.ServerConfigurationManager;
+import com.marklogic.client.impl.SSLUtil;
 import com.marklogic.client.io.DocumentMetadataHandle;
 import com.marklogic.client.io.DocumentMetadataHandle.Capability;
 import com.marklogic.client.query.QueryManager;
@@ -800,7 +801,7 @@ public X509Certificate[] getAcceptedIssuers() {
 		KeyManager[] keyMgr = keyManagerFactory.getKeyManagers();
 
 		// create an SSL context
-		SSLContext mlsslContext = SSLContext.getInstance("TLSv1.2");
+		SSLContext mlsslContext = SSLContext.getInstance(SSLUtil.DEFAULT_PROTOCOL);
 		mlsslContext.init(keyMgr, new TrustManager[] { tm }, null);
 
 		return mlsslContext;

marklogic-client-api/src/main/java/com/marklogic/client/DatabaseClientFactory.java

@@ -969,7 +969,6 @@ public Map<String, String> toOptions() {
   }
 
   public static class CertificateAuthContext extends AuthContext {
-	  private static final String DEFAULT_SSL_PROTOCOL = "TLSv1.2";
 	  String certFile;
 	  String certPassword;
 
@@ -1087,7 +1086,7 @@ public CertificateAuthContext(String certFile, String certPassword, X509TrustMan
         this.certFile = certFile;
         this.certPassword = certPassword;
         this.trustManager = trustManager;
-        this.sslContext = createSSLContext(DEFAULT_SSL_PROTOCOL);
+        this.sslContext = createSSLContext(SSLUtil.DEFAULT_PROTOCOL);
 	}
 
 	  /**
@@ -1148,11 +1147,9 @@ private SSLContext createSSLContext(String sslProtocol)
         }
         keyManagerFactory.init(keyStore, certPassword.toCharArray());
         keyMgr = keyManagerFactory.getKeyManagers();
-		if (sslProtocol == null) {
-			sslContext = SSLContext.getInstance(DEFAULT_SSL_PROTOCOL);
-		} else {
-			sslContext = SSLContext.getInstance(sslProtocol);
-		}
+		sslContext = sslProtocol == null ?
+			SSLContext.getInstance(SSLUtil.DEFAULT_PROTOCOL) :
+			SSLContext.getInstance(sslProtocol);
       } catch (NoSuchAlgorithmException | KeyStoreException e) {
 		  SSLUtil.logSecurityRelatedException(e);
         throw new IllegalStateException("The certificate algorithm used or the Key store "

marklogic-client-api/src/main/java/com/marklogic/client/impl/DatabaseClientPropertySource.java

@@ -411,7 +411,7 @@ private SSLUtil.SSLInputs useKeyStoreForTwoWaySSL(String keyStorePath, X509Trust
 		final String keyStoreType = getNullableStringValue("ssl.keystore.type", "JKS");
 		final String algorithm = getNullableStringValue("ssl.keystore.algorithm", "SunX509");
 		final char[] charPassword = password != null ? password.toCharArray() : null;
-		final String sslProtocol = getNullableStringValue("sslProtocol", "TLSv1.2");
+		final String sslProtocol = getNullableStringValue("sslProtocol", SSLUtil.DEFAULT_PROTOCOL);
 		return SSLUtil.createSSLContextFromKeyStore(keyStorePath, charPassword, keyStoreType, algorithm, sslProtocol, userTrustManager);
 	}
 

marklogic-client-api/src/main/java/com/marklogic/client/impl/SSLUtil.java

@@ -22,6 +22,10 @@ public abstract class SSLUtil {
 
 	private final static Logger LOGGER = LoggerFactory.getLogger("com.marklogic.client.security");
 
+	// Added in 7.2.0 so that clients using MarkLogic 12 will default to TLSv1.3, while clients using MarkLogic 11
+	// or older will default to TLSv1.2.
+	public static final String DEFAULT_PROTOCOL = "TLS";
+
 	/**
 	 * Included to satisfy Polaris, which requires that security-related exceptions be logged, in addition to being
 	 * thrown. This is logged at the debug level to avoid cluttering logs in an application that is likely already

marklogic-client-api/src/test/java/com/marklogic/client/test/DatabaseClientBuilderTest.java

@@ -4,6 +4,7 @@
 import com.marklogic.client.DatabaseClientBuilder;
 import com.marklogic.client.DatabaseClientFactory;
 import com.marklogic.client.ext.modulesloader.ssl.SimpleX509TrustManager;
+import com.marklogic.client.impl.SSLUtil;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.ValueSource;
@@ -343,7 +344,7 @@ void defaultSslContext() throws Exception {
 	@Test
 	void sslProtocol() {
 		bean = Common.newClientBuilder()
-			.withSSLProtocol("TLSv1.2")
+			.withSSLProtocol(SSLUtil.DEFAULT_PROTOCOL)
 			.buildBean();
 
 		assertNotNull(bean.getSecurityContext().getSSLContext());
@@ -390,7 +391,7 @@ void invalidSslProtocol() {
 	@Test
 	void sslProtocolAndTrustManager() {
 		bean = Common.newClientBuilder()
-			.withSSLProtocol("TLSv1.2")
+			.withSSLProtocol(SSLUtil.DEFAULT_PROTOCOL)
 			.withTrustManager(Common.TRUST_ALL_MANAGER)
 			.buildBean();
 
@@ -409,7 +410,7 @@ void sslProtocolAndTrustManager() {
 	@Test
 	void sslProtocolAndTrustManagerAndHostnameVerifier() {
 		bean = Common.newClientBuilder()
-			.withSSLProtocol("TLSv1.2")
+			.withSSLProtocol(SSLUtil.DEFAULT_PROTOCOL)
 			.withSSLHostnameVerifier(DatabaseClientFactory.SSLHostnameVerifier.COMMON)
 			.withTrustManager(Common.TRUST_ALL_MANAGER)
 			.buildBean();

marklogic-client-api/src/test/java/com/marklogic/client/test/ssl/OneWaySSLTest.java

@@ -4,6 +4,7 @@
 import com.marklogic.client.DatabaseClientFactory;
 import com.marklogic.client.ForbiddenUserException;
 import com.marklogic.client.MarkLogicIOException;
+import com.marklogic.client.impl.SSLUtil;
 import com.marklogic.client.test.Common;
 import com.marklogic.client.test.MarkLogicVersion;
 import com.marklogic.client.test.junit5.DisabledWhenUsingReverseProxyServer;
@@ -65,7 +66,7 @@ private static void setAppServerMinimumTLSVersion(String minTLSVersion) {
 	 */
 	@Test
 	void trustAllManager() throws Exception {
-		SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+		SSLContext sslContext = SSLContext.getInstance(SSLUtil.DEFAULT_PROTOCOL);
 		sslContext.init(null, new TrustManager[]{Common.TRUST_ALL_MANAGER}, null);
 
 		DatabaseClient client = Common.newClientBuilder()
@@ -87,7 +88,7 @@ void trustAllManager() throws Exception {
 	@Test
 	void trustManagerThatOnlyTrustsTheCertificateFromTheCertificateTemplate() {
 		DatabaseClient client = Common.newClientBuilder()
-			.withSSLProtocol("TLSv1.2")
+			.withSSLProtocol(SSLUtil.DEFAULT_PROTOCOL)
 			.withTrustManager(RequireSSLExtension.newSecureTrustManager())
 			.withSSLHostnameVerifier(DatabaseClientFactory.SSLHostnameVerifier.ANY)
 			.build();
@@ -113,7 +114,7 @@ void defaultSslContext() throws Exception {
 
 	@ExtendWith(RequiresML11OrLower.class)
 	@Test
-	void noSslContext() throws Exception {
+	void noSslContext() {
 		DatabaseClient client = Common.newClientBuilder().build();
 
 		DatabaseClient.ConnectionResult result = client.checkConnection();
@@ -132,22 +133,21 @@ void noSslContext() throws Exception {
 		);
 	}
 
-	// The TLS tests are failing on Java 8, because TLSv1.3 is disabled with our version of Java 8.
-	// There may be a way to configure Java 8 to use TLSv1.3, but it is not currently working.
-	@DisabledOnJre(JRE.JAVA_8)
 	@Test
-	void tLS13ClientWithTLS12Server() throws Exception {
-		DatabaseClient client = buildTrustAllClientWithSSLProtocol("TLSv1.3");
+	void tLS13ClientWithTLS12Server() {
+		DatabaseClient client = buildTrustAllClientWithSSLProtocol(SSLUtil.DEFAULT_PROTOCOL);
 		DatabaseClient.ConnectionResult result = client.checkConnection();
 		assertEquals(0, result.getStatusCode(), "A value of zero implies that a connection was successfully made, " +
 			"which should happen since a 'trust all' manager is being used");
 		assertNull(result.getErrorMessage());
 	}
 
 	@ExtendWith(RequiresML12.class)
+	// The TLSv1.3 tests are failing on Java 8, because TLSv1.3 is disabled with our version of Java 8.
+	// There may be a way to configure Java 8 to use TLSv1.3, but it is not currently working.
 	@DisabledOnJre(JRE.JAVA_8)
 	@Test
-	void tLS13ClientWithTLS13Server() throws Exception {
+	void tLS13ClientWithTLS13Server() {
 		setAppServerMinimumTLSVersion("TLSv1.3");
 
 		DatabaseClient client = buildTrustAllClientWithSSLProtocol("TLSv1.3");
@@ -160,7 +160,7 @@ void tLS13ClientWithTLS13Server() throws Exception {
 	@ExtendWith(RequiresML12.class)
 	@DisabledOnJre(JRE.JAVA_8)
 	@Test
-	void tLS12ClientWithTLS13ServerShouldFail() throws Exception {
+	void tLS12ClientWithTLS13ServerShouldFail() {
 		setAppServerMinimumTLSVersion("TLSv1.3");
 
 		DatabaseClient client = buildTrustAllClientWithSSLProtocol("TLSv1.2");

marklogic-client-api/src/test/java/com/marklogic/client/test/ssl/TwoWaySSLTest.java

@@ -7,6 +7,7 @@
 import com.marklogic.client.MarkLogicIOException;
 import com.marklogic.client.document.DocumentDescriptor;
 import com.marklogic.client.eval.EvalResultIterator;
+import com.marklogic.client.impl.SSLUtil;
 import com.marklogic.client.io.StringHandle;
 import com.marklogic.client.test.Common;
 import com.marklogic.client.test.junit5.DisabledWhenUsingReverseProxyServer;
@@ -42,7 +43,7 @@
 	DisabledWhenUsingReverseProxyServer.class,
 	RequireSSLExtension.class
 })
-public class TwoWaySSLTest {
+class TwoWaySSLTest {
 
 	private static final String TEST_DOCUMENT_URI = "/optic/test/musician1.json";
 	private static final String KEYSTORE_PASSWORD = "password";
@@ -64,7 +65,7 @@ public static void setup() throws Exception {
 		// talks to the Security database.
 		securityClient = Common.newClientBuilder()
 			.withUsername(Common.SERVER_ADMIN_USER).withPassword(Common.SERVER_ADMIN_PASS)
-			.withSSLProtocol("TLSv1.2")
+			.withSSLProtocol(SSLUtil.DEFAULT_PROTOCOL)
 			.withTrustManager(Common.TRUST_ALL_MANAGER)
 			.withSSLHostnameVerifier(DatabaseClientFactory.SSLHostnameVerifier.ANY)
 			.withDatabase("Security").build();
@@ -101,7 +102,7 @@ public static void teardown() {
 	 */
 	@ExtendWith(RequiresML11OrLower.class)
 	@Test
-	void digestAuthentication() throws NoSuchAlgorithmException, KeyManagementException {
+	void digestAuthentication() {
 		// This client uses our Java KeyStore file with a client certificate in it, so it should work.
 		DatabaseClient clientWithCert = Common.newClientBuilder()
 			.withKeyStorePath(keyStoreFile.getAbsolutePath())
@@ -122,7 +123,7 @@ void digestAuthentication() throws NoSuchAlgorithmException, KeyManagementExcept
 		// This client uses a new SSL context without the client certificate, so it should fail.
 		DatabaseClient clientWithoutCert = Common.newClientBuilder()
 			.withSSLHostnameVerifier(DatabaseClientFactory.SSLHostnameVerifier.ANY)
-			.withSSLProtocol("TLSv1.2")
+			.withSSLProtocol(SSLUtil.DEFAULT_PROTOCOL)
 			.withTrustManager(RequireSSLExtension.newSecureTrustManager())
 			.build();
 
@@ -261,7 +262,7 @@ private SSLContext createSSLContextWithClientCertificate(File keystoreFile) thro
 		keyStore.load(new FileInputStream(keystoreFile), KEYSTORE_PASSWORD.toCharArray());
 		KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
 		keyManagerFactory.init(keyStore, KEYSTORE_PASSWORD.toCharArray());
-		SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+		SSLContext sslContext = SSLContext.getInstance(SSLUtil.DEFAULT_PROTOCOL);
 		sslContext.init(
 			keyManagerFactory.getKeyManagers(),
 			new X509TrustManager[]{RequireSSLExtension.newSecureTrustManager()},

test-app/src/main/java/com/marklogic/client/test/ReverseProxyServer.java

@@ -205,7 +205,8 @@ private SSLContext buildSSLContext() throws Exception {
 		}
 		kmf.init(keyStore, keyStorePassword.toCharArray());
 
-		SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+		// Using TLS to support MarkLogic 12
+		SSLContext sslContext = SSLContext.getInstance("TLS");
 		// Use a "trust-everything" approach for now; the client doesn't have to do this, but we don't have a use case
 		// yet for having our reverse proxy server validate certificates.
 		sslContext.init(kmf.getKeyManagers(), new TrustManager[]{new SimpleX509TrustManager()}, null);