From a3e6e5ad17f95c3578ac70f2ce72d39a84385b99 Mon Sep 17 00:00:00 2001
From: PJ Fanning
Date: Tue, 24 Feb 2026 15:42:01 +0100
Subject: [PATCH 1/2] backport TlsSpec from main branch
---
 .../org/apache/pekko/stream/io/TlsSpec.scala | 39 ++++++++----------
 1 file changed, 16 insertions(+), 23 deletions(-)
diff --git a/stream-tests/src/test/scala/org/apache/pekko/stream/io/TlsSpec.scala b/stream-tests/src/test/scala/org/apache/pekko/stream/io/TlsSpec.scala
index 1e47f4d198f..def7d4eee95 100644
--- a/stream-tests/src/test/scala/org/apache/pekko/stream/io/TlsSpec.scala
+++ b/stream-tests/src/test/scala/org/apache/pekko/stream/io/TlsSpec.scala
@@ -42,7 +42,11 @@ object TlsSpec {
 val rnd = new Random
- val TLS12Ciphers: Set[String] = Set("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA")
+ // Use forward-secrecy enabled cipher suites that are supported in Java 17+
+ // TLS_RSA_* cipher suites have been disabled by default in Java 17+
+ val TLS12Ciphers: Set[String] = Set(
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
 val TLS13Ciphers: Set[String] = Set("TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384")
 def initWithTrust(trustPath: String, protocol: String): SSLContext = {
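Review bot: The new comment above `TLS12Ciphers` attributes the loss of `TLS_RSA_*` to "Java 17+", but whether those suites are accepted is decided by the JDK's `jdk.tls.disabledAlgorithms` security property, which differs between update releases and can be changed per installation. The guard this patch deletes further down (`JavaVersion.majorVersion <= 21`) suggests the failure did not always begin at major version 17, so the comment is likely to mislead someone debugging on an older update. I would describe the mechanism instead, for example `// TLS_RSA_* (static RSA key exchange, no forward secrecy) is rejected by current JDK defaults via jdk.tls.disabledAlgorithms`. A second line noting that both remaining entries are ECDHE with AES-GCM, so the spec runs under default JDK policy without relaxing it, would record why these two were chosen.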
@@ -378,31 +382,20 @@ class TlsSpec extends StreamSpec(TlsSpec.configOverrides) with WithLogCapturing } } - object SessionRenegotiationFirstOne extends PayloadScenario { - override def flow = logCipherSuite - def inputs = NegotiateNewSession.withCipherSuites("TLS_RSA_WITH_AES_128_CBC_SHA") :: send("hello") :: Nil - def output = ByteString("TLS_RSA_WITH_AES_128_CBC_SHAhello") - } - object SessionRenegotiationFirstTwo extends PayloadScenario { override def flow = logCipherSuite - def inputs = NegotiateNewSession.withCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA") :: send("hello") :: Nil - def output = ByteString("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHAhello") + def inputs = NegotiateNewSession.withCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") :: send("hello") :: + Nil + def output = ByteString("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256hello") } val renegotiationScenarios = if (protocol == "TLSv1.2") { - if (JavaVersion.majorVersion <= 21) - Seq( - SessionRenegotiationBySender, - SessionRenegotiationByReceiver, - SessionRenegotiationFirstOne, - SessionRenegotiationFirstTwo) - else - // skip SessionRenegotiationFirstOne as it uses a weak cipher suite and the test will fail - Seq( - SessionRenegotiationBySender, - SessionRenegotiationByReceiver, - SessionRenegotiationFirstTwo) + // skip SessionRenegotiationFirstOne as it uses TLS_RSA_WITH_AES_128_CBC_SHA + // which is a weak cipher suite that is disabled by default in Java 17+ + Seq( + SessionRenegotiationBySender, + SessionRenegotiationByReceiver, + SessionRenegotiationFirstTwo) } else // TLSv1.3 doesn't support renegotiation Nil 
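Review bot: With `SessionRenegotiationFirstOne` deleted rather than replaced, the only scenario that renegotiates to a named suite requests `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, which is also one of the two suites in `TLS12Ciphers`. If the initial handshake already selects that suite (the selection happens outside this hunk, so this is an inference), the expected output is produced whether or not `NegotiateNewSession.withCipherSuites` took effect. Keeping a second scenario that pins the other allowed suite, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, restores the property that at least one scenario forces a real suite change. The DeprecatedTlsSpec hunk in patch 2/2 makes the same reduction to a single pinned suite. The new comment in `renegotiationScenarios` also still says "skip SessionRenegotiationFirstOne" although that object no longer exists after this hunk.

```scala
object SessionRenegotiationFirstOne extends PayloadScenario {
  override def flow = logCipherSuite
  def inputs = NegotiateNewSession.withCipherSuites("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384") :: send("hello") ::
    Nil
  def output = ByteString("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384hello")
}

// … unchanged: SessionRenegotiationFirstTwo …

// … unchanged: val renegotiationScenarios = if (protocol == "TLSv1.2") { …
    // Both pinned suites are ECDHE/AES-GCM; one of them must differ from the
    // suite chosen by the initial handshake, so renegotiation is observable.
    Seq(
      SessionRenegotiationBySender,
      SessionRenegotiationByReceiver,
      SessionRenegotiationFirstOne,
      SessionRenegotiationFirstTwo)
// … unchanged: else branch for TLSv1.3 …
```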
@@ -448,11 +441,11 @@ class TlsSpec extends StreamSpec(TlsSpec.configOverrides) with WithLogCapturing
 .collect { case SessionBytes(_, b) => b }
 .scan(ByteString.empty)(_ ++ _)
 .filter(_.nonEmpty)
- .via(new Timeout(10.seconds))
+ .via(new Timeout(15.seconds))
 .dropWhile(_.size < scenario.output.size)
 .runWith(Sink.headOption)
- Await.result(output, 12.seconds).getOrElse(ByteString.empty).utf8String should be(scenario.output.utf8String)
+ Await.result(output, 17.seconds).getOrElse(ByteString.empty).utf8String should be(scenario.output.utf8String)
 commPattern.cleanup()
 }
From 629ff35bc2d24f23901c5571bd7846812a332fed Mon Sep 17 00:00:00 2001
From: PJ Fanning
Date: Tue, 24 Feb 2026 21:31:37 +0100
Subject: [PATCH 2/2] remove broken SessionRenegotiationFirstOne
---
 .../pekko/stream/io/DeprecatedTlsSpec.scala | 22 ++++---------------
 1 file changed, 4 insertions(+), 18 deletions(-)
diff --git a/stream-tests/src/test/scala/org/apache/pekko/stream/io/DeprecatedTlsSpec.scala b/stream-tests/src/test/scala/org/apache/pekko/stream/io/DeprecatedTlsSpec.scala
index 828d371c2a0..8868c4a0726 100644
--- a/stream-tests/src/test/scala/org/apache/pekko/stream/io/DeprecatedTlsSpec.scala
+++ b/stream-tests/src/test/scala/org/apache/pekko/stream/io/DeprecatedTlsSpec.scala
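Review bot: In the last TlsSpec.scala hunk the stream `Timeout` stage and the `Await.result` deadline are raised together (to 15 and 17 seconds) but stay two unrelated literals, so the rule that the await must outlast the stage timeout is kept only by hand. Deriving one from the other makes the relationship explicit: `val scenarioTimeout = 15.seconds`, then `.via(new Timeout(scenarioTimeout))` and `Await.result(output, scenarioTimeout + 2.seconds)`. A one-line comment saying why 10 seconds was insufficient would help the next reader decide whether a further increase is hiding a hang in the handshake. The enclosing test body starts and ends outside the hunk.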
@@ -345,30 +345,16 @@ class DeprecatedTlsSpec extends StreamSpec(DeprecatedTlsSpec.configOverrides) wi } } - object SessionRenegotiationFirstOne extends PayloadScenario { - override def flow = logCipherSuite - def inputs = NegotiateNewSession.withCipherSuites("TLS_RSA_WITH_AES_128_CBC_SHA") :: send("hello") :: Nil - def output = ByteString("TLS_RSA_WITH_AES_128_CBC_SHAhello") - } - object SessionRenegotiationFirstTwo extends PayloadScenario { override def flow = logCipherSuite def inputs = NegotiateNewSession.withCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA") :: send("hello") :: Nil def output = ByteString("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHAhello") } - val renegotiationScenarios = if (JavaVersion.majorVersion <= 21) - Seq( - SessionRenegotiationBySender, - SessionRenegotiationByReceiver, - SessionRenegotiationFirstOne, - SessionRenegotiationFirstTwo) - else - // skip SessionRenegotiationFirstOne as it uses a weak cipher suite and the test will fail - Seq( - SessionRenegotiationBySender, - SessionRenegotiationByReceiver, - SessionRenegotiationFirstTwo) + val renegotiationScenarios = Seq( + SessionRenegotiationBySender, + SessionRenegotiationByReceiver, + SessionRenegotiationFirstTwo) val scenarios = Seq(
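Review bot: `SessionRenegotiationFirstTwo` in DeprecatedTlsSpec still pins `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, while patch 1/2 moves the same scenario in TlsSpec to `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, so after this series the two specs exercise different suites with nothing recording why. If the divergence is deliberate, a comment above the object should say so; otherwise align it with `def inputs = NegotiateNewSession.withCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") :: send("hello") :: Nil` and `def output = ByteString("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256hello")`. That change only works if this spec's enabled cipher set, which is defined outside the hunk, also contains the GCM suite, so check it first.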