This is an automated email from the ASF dual-hosted git repository.
chia7712 pushed a commit to branch 3.9
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/3.9 by this push:
new d665464164d MINOR: Skip testDsaKeyPair when DSA algorithm is not
supported (#20985)
d665464164d is described below
commit d665464164d85e8ac686eb1f51394c4b240c82ae
Author: Jian <[email protected]>
AuthorDate: Wed Nov 26 04:57:05 2025 +0800
MINOR: Skip testDsaKeyPair when DSA algorithm is not supported (#20985)
Created this PR to merge #20967 into 3.9 because the cherry-pick failed:
https://github.com/apache/kafka/pull/20967#issuecomment-3573385487
Fix:
```
javax.net.ssl|ERROR|E1|echoserver|2025-11-24 14:34:37.602
CST|TransportContext.java:375|Fatal (HANDSHAKE_FAILURE): no cipher suites in
common (
"throwable" : {
javax.net.ssl.SSLHandshakeException: (handshake_failure) no cipher suites
in common
at
java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
at
java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:370)
at
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
at
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:317)
at
java.base/sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(ServerHello.java:459)
at
java.base/sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(ServerHello.java:285)
at
java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:437)
at
java.base/sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1110)
at
java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:843)
at
java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:798)
at
java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
at
java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:477)
at
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1273)
at
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260)
at
java.base/java.security.AccessController.doPrivileged(AccessController.java:714)
at
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205)
at
org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:444)
at
org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:533)
at
org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:382)
at
org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:302)
at
org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178)
at
org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:548)
at org.apache.kafka.common.network.Selector.poll(Selector.java:486)
at
org.apache.kafka.common.network.NioEchoServer.run(NioEchoServer.java:221)}
```
Reviewers: PoAn Yang <[email protected]>, Chia-Ping Tsai
<[email protected]>
---
.../common/network/SslTransportLayerTest.java | 36 ++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git
a/clients/src/test/java/org/apache/kafka/common/network/SslTransportLayerTest.java
b/clients/src/test/java/org/apache/kafka/common/network/SslTransportLayerTest.java
index 8ad4dccc4f2..a644b352cf0 100644
---
a/clients/src/test/java/org/apache/kafka/common/network/SslTransportLayerTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/network/SslTransportLayerTest.java
@@ -56,6 +56,7 @@ import java.nio.channels.SelectionKey;
import java.nio.channels.SocketChannel;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
@@ -472,6 +473,8 @@ public class SslTransportLayerTest {
public void testDsaKeyPair(Args args) throws Exception {
// DSA algorithms are not supported for TLSv1.3.
assumeTrue(args.tlsProtocol.equals("TLSv1.2"));
+ // Skip test if DSA is not supported by the JVM
+ assumeTrue(isDsaSupported(), "DSA algorithm is not supported by this
JVM");
args.serverCertStores = certBuilder(true, "server",
args.useInlinePem).keyAlgorithm("DSA").build();
args.clientCertStores = certBuilder(false, "client",
args.useInlinePem).keyAlgorithm("DSA").build();
args.sslServerConfigs = args.getTrustingConfig(args.serverCertStores,
args.clientCertStores);
@@ -480,6 +483,39 @@ public class SslTransportLayerTest {
verifySslConfigs(args);
}
+ /**
+ * Check if DSA algorithm is supported by the JVM and if there are
compatible cipher suites
+ * available for TLSv1.2. This is important because even if DSA
KeyPairGenerator is available,
+ * the SSL handshake may fail if no DSA-compatible cipher suites are
available.
+ * @return true if DSA KeyPairGenerator is available and DSA-compatible
cipher suites exist, false otherwise
+ */
+ private static boolean isDsaSupported() {
+ // First check if DSA KeyPairGenerator is available
+ try {
+ java.security.KeyPairGenerator.getInstance("DSA");
+ } catch (java.security.NoSuchAlgorithmException e) {
+ return false;
+ }
+
+ // Check if there are DSA-compatible cipher suites available for
TLSv1.2
+ // DSA algorithms are not supported for TLSv1.3, so we only check
TLSv1.2
+ try {
+ SSLContext context = SSLContext.getInstance("TLSv1.2");
+ context.init(null, null, null);
+ SSLParameters params = context.getDefaultSSLParameters();
+ String[] cipherSuites = params.getCipherSuites();
+
+ // Check if any cipher suite supports DSA
+ // In TLS standards and JVM implementations, DSA signature cipher
suites use "_DSS_" naming
+ // Common patterns: TLS_DHE_DSS_*, TLS_DH_DSS_*, SSL_DHE_DSS_*,
SSL_DH_DSS_*
+ return Arrays.stream(cipherSuites)
+ .anyMatch(suite -> suite.contains("_DSS_"));
+ } catch (Exception e) {
+ // If we can't check cipher suites, assume DSA is not fully
supported
+ return false;
+ }
+ }
+
/**
* Tests key-pair created using EC.
*/
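Review bot: The `catch (Exception e)` that closes `isDsaSupported()` reports any failure while building the TLSv1.2 context as "DSA not supported", so an unrelated provider or configuration fault would silently skip `testDsaKeyPair` instead of failing the run. `SSLContext.getInstance` and `init` declare only `NoSuchAlgorithmException` and `KeyManagementException`, so the handler can be narrowed to `} catch (java.security.GeneralSecurityException e) {`, which lets unexpected runtime exceptions surface. The `_DSS_` match runs against `getDefaultSSLParameters().getCipherSuites()`, i.e. the suites enabled by default rather than every suite the provider implements. That looks like the right set for predicting the handshake result, and the Javadoc could say so: `Only cipher suites enabled by default are considered; a suite that is implemented but disabled counts as unavailable.`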