This is an automated email from the ASF dual-hosted git repository.
gaborgsomogyi pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/flink.git
The following commit(s) were added to refs/heads/master by this push:
new 00e4c8f1169 [FLINK-38986][runtime][test] Update SSL tests with modern
cipher suites
00e4c8f1169 is described below
commit 00e4c8f11694f7f6afaab306c372f051845cec26
Author: balassai <[email protected]>
AuthorDate: Sat Jan 31 18:37:13 2026 +0100
[FLINK-38986][runtime][test] Update SSL tests with modern cipher suites
---
flink-end-to-end-tests/test-scripts/common_ssl.sh | 1 +
.../java/org/apache/flink/runtime/blob/BlobClientSslTest.java | 3 +++
.../flink/runtime/io/network/netty/NettyClientServerSslTest.java | 7 +++++++
.../src/test/java/org/apache/flink/runtime/net/SSLUtilsTest.java | 9 +++++++--
.../org/apache/flink/runtime/rest/RestServerSSLAuthITCase.java | 2 +-
.../test/java/org/apache/flink/runtime/rpc/RpcSSLAuthITCase.java | 4 ++--
6 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/flink-end-to-end-tests/test-scripts/common_ssl.sh
b/flink-end-to-end-tests/test-scripts/common_ssl.sh
index 8d4bc50b0a3..87219c68352 100644
--- a/flink-end-to-end-tests/test-scripts/common_ssl.sh
+++ b/flink-end-to-end-tests/test-scripts/common_ssl.sh
@@ -95,6 +95,7 @@ function _set_conf_ssl_helper {
fi
# adapt config
+ set_config_key security.ssl.algorithms
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
set_config_key security.ssl.provider ${provider}
set_config_key security.ssl.${type}.enabled true
set_config_key security.ssl.${type}.keystore ${ssl_dir}/node.keystore
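Review bot: The added `set_config_key security.ssl.algorithms` line has no comment explaining why the suite list is pinned or what it depends on. Both suites are ECDHE_RSA, so they can only be negotiated if the keystore at `${ssl_dir}/node.keystore` holds an RSA key; the key generation is outside this hunk, so that should be confirmed. Unlike the `security.ssl.${type}.*` keys below it, this key carries no `${type}`, so it presumably applies to every endpoint the helper configures. I would add a comment above it such as `# global, not per-${type}: TLS 1.2 ECDHE_RSA AEAD suites; needs an RSA key in node.keystore`.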
diff --git
a/flink-runtime/src/test/java/org/apache/flink/runtime/blob/BlobClientSslTest.java
b/flink-runtime/src/test/java/org/apache/flink/runtime/blob/BlobClientSslTest.java
index 8cdce6e95b7..fe5151ed64d 100644
---
a/flink-runtime/src/test/java/org/apache/flink/runtime/blob/BlobClientSslTest.java
+++
b/flink-runtime/src/test/java/org/apache/flink/runtime/blob/BlobClientSslTest.java
@@ -52,6 +52,9 @@ class BlobClientSslTest extends BlobClientTest {
Configuration config =
SSLUtilsTest.createInternalSslConfigWithKeyAndTrustStores(
SecurityOptions.SSL_PROVIDER.defaultValue());
+ config.set(
+ SecurityOptions.SSL_ALGORITHMS,
+
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
blobSslServer = TestingBlobUtils.createServer(tempDir.resolve("ssl"),
config);
blobSslServer.start();
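Review bot: The added `config.set(SecurityOptions.SSL_ALGORITHMS, ...)` is redundant, because `SSLUtilsTest.createInternalSslConfigWithKeyAndTrustStores`, called two lines above, now sets the same value itself in this commit (the `@@ -483` hunk of SSLUtilsTest.java). The same two-suite literal is also pasted into both NettyClientServerSslTest hunks and the other SSLUtilsTest hunks, so the next cipher update has to find every copy. I would drop the call here and keep the list in one test constant, for example `static final String TEST_SSL_ALGORITHMS = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";` in SSLUtilsTest (the name is only a suggestion). The enclosing setup method starts and ends outside the hunk.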
diff --git
a/flink-runtime/src/test/java/org/apache/flink/runtime/io/network/netty/NettyClientServerSslTest.java
b/flink-runtime/src/test/java/org/apache/flink/runtime/io/network/netty/NettyClientServerSslTest.java
index 661edf986f7..9302151ebff 100644
---
a/flink-runtime/src/test/java/org/apache/flink/runtime/io/network/netty/NettyClientServerSslTest.java
+++
b/flink-runtime/src/test/java/org/apache/flink/runtime/io/network/netty/NettyClientServerSslTest.java
@@ -45,6 +45,7 @@ import java.net.InetAddress;
import java.time.Duration;
import java.util.List;
+import static org.apache.flink.configuration.SecurityOptions.SSL_ALGORITHMS;
import static
org.apache.flink.configuration.SecurityOptions.SSL_INTERNAL_CLOSE_NOTIFY_FLUSH_TIMEOUT;
import static
org.apache.flink.configuration.SecurityOptions.SSL_INTERNAL_HANDSHAKE_TIMEOUT;
import static
org.apache.flink.configuration.SecurityOptions.SSL_INTERNAL_SESSION_CACHE_SIZE;
@@ -74,6 +75,9 @@ class NettyClientServerSslTest {
void testValidSslConnectionAdvanced() throws Exception {
Configuration sslConfig = createSslConfig();
sslConfig.set(SSL_INTERNAL_SESSION_CACHE_SIZE, 1);
+ sslConfig.set(
+ SSL_ALGORITHMS,
+
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
// using different timeouts for each of the configuration parameters
ensures that the right
// config value is used in the right place
@@ -267,6 +271,9 @@ class NettyClientServerSslTest {
Configuration config = createSslConfig();
+ config.set(
+ SSL_ALGORITHMS,
+
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
// pin the certificate based on internal cert
config.set(
SecurityOptions.SSL_INTERNAL_CERT_FINGERPRINT,
diff --git
a/flink-runtime/src/test/java/org/apache/flink/runtime/net/SSLUtilsTest.java
b/flink-runtime/src/test/java/org/apache/flink/runtime/net/SSLUtilsTest.java
index 183665fcb6a..de7a5445639 100644
--- a/flink-runtime/src/test/java/org/apache/flink/runtime/net/SSLUtilsTest.java
+++ b/flink-runtime/src/test/java/org/apache/flink/runtime/net/SSLUtilsTest.java
@@ -367,7 +367,7 @@ public class SSLUtilsTest {
serverConfig.set(SecurityOptions.SSL_PROTOCOL, "TLSv1.1");
serverConfig.set(
SecurityOptions.SSL_ALGORITHMS,
-
"TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256");
+
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
try (ServerSocket socket =
SSLUtils.createSSLServerSocketFactory(serverConfig).createServerSocket(0)) {
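Review bot: `SSL_PROTOCOL` is still `"TLSv1.1"` while the suites are now AES-GCM ones, which are AEAD suites defined only for TLS 1.2 and later, so this server configuration could not complete a handshake. As far as the visible lines show, the test passes only because it reads the enabled protocol and suite lists back from the server socket (the assertions are in the `@@ -381` hunk) rather than connecting a client. TLS 1.1 is also deprecated and disabled by default in current JDK security settings, which makes it an odd value to keep in a commit that modernises the suites. I would change the line to `serverConfig.set(SecurityOptions.SSL_PROTOCOL, "TLSv1.2");` and the matching assertion to `assertThat(protocols[0]).isEqualTo("TLSv1.2");`. The test method starts outside the hunk.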
@@ -381,7 +381,9 @@ public class SSLUtilsTest {
assertThat(protocols[0]).isEqualTo("TLSv1.1");
assertThat(algorithms).hasSize(2);
assertThat(algorithms)
- .contains("TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA256");
+ .contains(
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
}
}
@@ -483,6 +485,9 @@ public class SSLUtilsTest {
public static Configuration
createInternalSslConfigWithKeyAndTrustStores(String sslProvider) {
final Configuration config = new Configuration();
config.set(SecurityOptions.SSL_INTERNAL_ENABLED, true);
+ config.set(
+ SecurityOptions.SSL_ALGORITHMS,
+
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
addSslProviderConfig(config, sslProvider);
addInternalKeyStoreConfig(config);
addInternalTrustStoreConfig(config);
diff --git
a/flink-runtime/src/test/java/org/apache/flink/runtime/rest/RestServerSSLAuthITCase.java
b/flink-runtime/src/test/java/org/apache/flink/runtime/rest/RestServerSSLAuthITCase.java
index 571a57b280a..37f96bf8ae9 100644
---
a/flink-runtime/src/test/java/org/apache/flink/runtime/rest/RestServerSSLAuthITCase.java
+++
b/flink-runtime/src/test/java/org/apache/flink/runtime/rest/RestServerSSLAuthITCase.java
@@ -143,7 +143,7 @@ public class RestServerSSLAuthITCase {
baseConfig.set(RestOptions.ADDRESS, "localhost");
baseConfig.set(SecurityOptions.SSL_REST_ENABLED, true);
baseConfig.set(SecurityOptions.SSL_REST_AUTHENTICATION_ENABLED, true);
- baseConfig.set(SecurityOptions.SSL_ALGORITHMS,
"TLS_RSA_WITH_AES_128_CBC_SHA");
+ baseConfig.set(SecurityOptions.SSL_ALGORITHMS,
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
Configuration serverConfig = new Configuration(baseConfig);
serverConfig.set(SecurityOptions.SSL_REST_TRUSTSTORE,
TRUST_STORE_FILE);
diff --git
a/flink-runtime/src/test/java/org/apache/flink/runtime/rpc/RpcSSLAuthITCase.java
b/flink-runtime/src/test/java/org/apache/flink/runtime/rpc/RpcSSLAuthITCase.java
index 78f1b5bd397..80d9476eb59 100644
---
a/flink-runtime/src/test/java/org/apache/flink/runtime/rpc/RpcSSLAuthITCase.java
+++
b/flink-runtime/src/test/java/org/apache/flink/runtime/rpc/RpcSSLAuthITCase.java
@@ -63,7 +63,7 @@ class RpcSSLAuthITCase {
sslConfig1.set(SecurityOptions.SSL_INTERNAL_KEYSTORE_PASSWORD,
"password");
sslConfig1.set(SecurityOptions.SSL_INTERNAL_KEY_PASSWORD, "password");
sslConfig1.set(SecurityOptions.SSL_INTERNAL_TRUSTSTORE_PASSWORD,
"password");
- sslConfig1.set(SecurityOptions.SSL_ALGORITHMS,
"TLS_RSA_WITH_AES_128_CBC_SHA");
+ sslConfig1.set(SecurityOptions.SSL_ALGORITHMS,
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
// !!! This config has KEY_STORE_FILE / UNTRUSTED_KEY_STORE_FILE !!!
// If this is presented by a client, it will trust the server, but the
server will
@@ -75,7 +75,7 @@ class RpcSSLAuthITCase {
sslConfig2.set(SecurityOptions.SSL_INTERNAL_KEYSTORE_PASSWORD,
"password");
sslConfig2.set(SecurityOptions.SSL_INTERNAL_KEY_PASSWORD, "password");
sslConfig2.set(SecurityOptions.SSL_INTERNAL_TRUSTSTORE_PASSWORD,
"password");
- sslConfig2.set(SecurityOptions.SSL_ALGORITHMS,
"TLS_RSA_WITH_AES_128_CBC_SHA");
+ sslConfig2.set(SecurityOptions.SSL_ALGORITHMS,
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
RpcService rpcService1 = null;
RpcService rpcService2 = null;