From 5620dcb8c5817e5446aeab04ebfe0e167f63ea57 Mon Sep 17 00:00:00 2001
From: Jake Landis
Date: Mon, 6 Jan 2025 16:39:15 -0600
Subject: [PATCH] fix SSLErrorMessageCertificateVerificationTests
---
 ...rrorMessageCertificateVerificationTests.java | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageCertificateVerificationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageCertificateVerificationTests.java
index fffefe10add20..0b95f649d1790 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageCertificateVerificationTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLErrorMessageCertificateVerificationTests.java
@@ -39,7 +39,6 @@
 import java.util.regex.Pattern;
 import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
@@ -104,6 +103,7 @@ public void testMessageForRestClientHostnameVerificationFailure() throws IOExcep
 }
 public void testDiagnosticTrustManagerForHostnameVerificationFailure() throws Exception {
+
 final Settings settings = getPemSSLSettings(
 HTTP_SERVER_SSL,
 "not-this-host.crt",
@@ -132,7 +132,7 @@ public void testDiagnosticTrustManagerForHostnameVerificationFailure() throws Ex
 DiagnosticTrustManager.class.getName(),
 Level.WARN,
 "failed to establish trust with server at \\["
- + Pattern.quote(webServer.getHostName())
+ + (inFipsJvm() ? "" : Pattern.quote(webServer.getHostName()))
 + "\\];"
 + " the server provided a certificate with subject name \\[CN=not-this-host\\],"
 + " fingerprint \\[[0-9a-f]{40}\\], no keyUsage and no extendedKeyUsage;"
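Review bot: The FIPS branch of the expected log pattern in the `@@ -132,7 +132,7 @@` hunk has no comment, so a reader cannot tell why `(inFipsJvm() ? "" : Pattern.quote(webServer.getHostName()))` is correct: with the empty string the regex only matches a log line whose server field is literally `[]`. If that is because the FIPS (Bouncy Castle) provider does not hand the peer host name to the trust manager, which is my inference and not shown in the hunk, say so above the expression, e.g. `// in a FIPS JVM the diagnostic message carries no peer host name, so the brackets are empty`. The enclosing test method starts and ends outside this hunk.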
@@ -153,13 +153,12 @@ public void testDiagnosticTrustManagerForHostnameVerificationFailure() throws Ex
 enableHttpsHostnameChecking(clientSocket);
 connect(clientSocket, webServer);
 assertThat(clientSocket.isConnected(), is(true));
- final SSLHandshakeException handshakeException = expectThrows(
- SSLHandshakeException.class,
- () -> clientSocket.getInputStream().read()
- );
- assertThat(handshakeException, throwableWithMessage(containsStringIgnoringCase("subject alternative names")));
- assertThat(handshakeException, throwableWithMessage(containsString(webServer.getHostName())));
-
+ final Exception handshakeException = expectThrows(Exception.class, () -> clientSocket.getInputStream().read());
+ // Bouncy Castle throws a different exception message
+ if (inFipsJvm() == false) {
+ assertThat(handshakeException, throwableWithMessage(containsStringIgnoringCase("subject alternative names")));
+ assertThat(handshakeException, throwableWithMessage(containsString(webServer.getHostName())));
+ }
 // Logging message failures are tricky to debug because you just get a "didn't find match" assertion failure.
 // You should be able to check the log output for the text that was logged and compare to the regex above.
 mockLog.assertAllExpectationsMatched();
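Review bot: `expectThrows(Exception.class, ...)` now applies to every JVM, and in a FIPS JVM nothing is asserted about the thrown exception, so a read that fails for a reason unrelated to hostname verification would still pass this step; only `mockLog.assertAllExpectationsMatched()` ties the failure to certificate trust. On non-FIPS JVMs the exception type check is lost as well; it can be kept inside the existing `if` with `assertThat(handshakeException, instanceOf(SSLHandshakeException.class));`, which means keeping the import this commit removes. For the FIPS case, add an `else` branch that asserts on what the Bouncy Castle provider actually reports (its exception type or a message fragment), which cannot be determined from the hunk. The method body continues outside the hunk.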