Fixed failing GremlinServerSslIntegrateTest.shouldEnableSslAndFailIfC…

…iphersDontMatch by reinstating the previous WebSocket channelizer logic that waited for the handshake to complete after the channel connects. If the handshake fails then a ConnectionException is thrown. (apache#2753)
Bit-Quill · Sep 12, 2024 · 25db065 · 25db065
1 parent f01eefc
commit 25db065
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 4 deletions.
diff --git a/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Channelizer.java b/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Channelizer.java
@@ -27,6 +27,7 @@
 import io.netty.handler.codec.http.HttpResponseStatus;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslHandler;
+import org.apache.tinkerpop.gremlin.driver.exception.ConnectionException;
 import org.apache.tinkerpop.gremlin.driver.handler.GremlinResponseHandler;
 import org.apache.tinkerpop.gremlin.driver.handler.HttpContentDecompressionHandler;
 import org.apache.tinkerpop.gremlin.driver.handler.HttpGremlinRequestEncoder;
@@ -87,6 +88,7 @@ default String getScheme(final boolean sslEnabled) {
     abstract class AbstractChannelizer extends ChannelInitializer<SocketChannel> implements Channelizer {
         protected Connection connection;
         protected Cluster cluster;
+        protected SslHandler sslHandler;
         private AtomicReference<ResultQueue> pending;
 
         protected static final String PIPELINE_GREMLIN_HANDLER = "gremlin-handler";
@@ -96,6 +98,10 @@ abstract class AbstractChannelizer extends ChannelInitializer<SocketChannel> imp
         protected static final String PIPELINE_HTTP_ENCODER = "gremlin-encoder";
         protected static final String PIPELINE_HTTP_DECODER = "gremlin-decoder";
         protected static final String PIPELINE_HTTP_DECOMPRESSION_HANDLER = "http-decompression-handler";
+
+        private static final String HANDSHAKE_ERROR = "Could not complete connection setup to the server. Ensure that SSL is correctly " +
+                "configured at both the client and the server. Ensure that client http handshake " +
+                "protocol matches the server. Ensure that the server is still reachable.";
 
         private static final SslCheckHandler sslCheckHandler = new SslCheckHandler();
 
@@ -136,7 +142,7 @@ protected void initChannel(final SocketChannel socketChannel) {
             }
 
             if (sslCtx.isPresent()) {
-                final SslHandler sslHandler = sslCtx.get().newHandler(socketChannel.alloc(), connection.getUri().getHost(), connection.getUri().getPort());
+                sslHandler = sslCtx.get().newHandler(socketChannel.alloc(), connection.getUri().getHost(), connection.getUri().getPort());
                 // TINKERPOP-2814. Remove the SSL handshake timeout so that handshakes that take longer than 10000ms
                 // (Netty default) but less than connectionSetupTimeoutMillis can succeed. This means the SSL handshake
                 // will instead be capped by connectionSetupTimeoutMillis.
@@ -149,6 +155,18 @@ protected void initChannel(final SocketChannel socketChannel) {
             configure(pipeline);
             pipeline.addLast(PIPELINE_GREMLIN_HANDLER, new GremlinResponseHandler(pending));
         }
+
+        @Override
+        public void connected() {
+            if (supportsSsl()) {
+                try {
+                    // Block until the handshake is complete either successfully or with an error.
+                    sslHandler.handshakeFuture().sync();
+                } catch (Exception ex) {
+                    throw new ConnectionException(connection.getUri(), HANDSHAKE_ERROR, ex);
+                }
+            }
+        }
     }
 
     /**

diff --git a/...rver/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerSslIntegrateTest.java b/...rver/src/test/java/org/apache/tinkerpop/gremlin/server/GremlinServerSslIntegrateTest.java
@@ -30,7 +30,6 @@
 import org.apache.tinkerpop.gremlin.driver.simple.SimpleClient;
 import org.apache.tinkerpop.gremlin.util.ExceptionHelper;
 import org.apache.tinkerpop.gremlin.util.message.RequestMessage;
-import org.junit.Ignore;
 import org.junit.Test;
 
 import javax.net.ssl.SSLException;
@@ -302,8 +301,6 @@ public void shouldEnableSslAndFailIfProtocolsDontMatch() {
         }
     }
 
-    // TODO: Add client-side SSL checking.
-    @Ignore("No client side SSL checking")
     @Test
     public void shouldEnableSslAndFailIfCiphersDontMatch() {
         final Cluster cluster = TestClientFactory.build().enableSsl(true).keyStore(JKS_SERVER_KEY).keyStorePassword(KEY_PASS)