cloudant / java-cloudant

A Java client for Cloudant
Apache License 2.0
79 stars 68 forks

Limitations of customSSLSocketFactory and disableSSLAuthentication #511

Closed ricellis closed 4 years ago

ricellis commented 4 years ago

Checklist

Description

Document the limitations of the options customSSLSocketFactory and disableSSLAuthentication when using the optional OkHttp dependency and Java 8_252 or newer and ignore certain tests in that environment.

1. Steps to reproduce and the simplest code sample possible to demonstrate the issue

Run com.cloudant.tests.SslAuthenticationTest#localSslAuthenticationDisabled

2. What you expected to happen

Test to pass.

3. What actually happened

Test (and 9 similar) failed with:

com.cloudant.tests.SslAuthenticationTest > localSslAuthenticationDisabled()[2] FAILED
    java.lang.UnsupportedOperationException: clientBuilder.sslSocketFactory(SSLSocketFactory) not supported on JDK 9+
        at okhttp3.internal.platform.Jdk9Platform.trustManager(Jdk9Platform.java:81)
        at okhttp3.internal.platform.Platform.buildCertificateChainCleaner(Platform.java:176)
        at okhttp3.OkHttpClient$Builder.sslSocketFactory(OkHttpClient.java:768)
        at okhttp3.internal.huc.OkHttpsURLConnection.setSSLSocketFactory(OkHttpsURLConnection.java:66)
        at com.cloudant.http.internal.interceptors.SSLCustomizerInterceptor.interceptRequest(SSLCustomizerInterceptor.java:71)
        at com.cloudant.http.HttpConnection.execute(HttpConnection.java:291)
        at com.cloudant.client.org.lightcouch.CouchDbClient.execute(CouchDbClient.java:552)
        at com.cloudant.client.org.lightcouch.CouchDbClient.executeToInputStream(CouchDbClient.java:648)
        at com.cloudant.client.org.lightcouch.CouchDbClient.get(CouchDbClient.java:389)
        at com.cloudant.client.org.lightcouch.CouchDbClient.getAllDbs(CouchDbClient.java:243)
        at com.cloudant.client.api.CloudantClient.getAllDbs(CloudantClient.java:292)
        at com.cloudant.tests.SslAuthenticationTest.localSslAuthenticationDisabled(SslAuthenticationTest.java:149)

Approach

As per https://github.com/square/okhttp/issues/5970 OkHttp platform detection for 9+ versions was confused by the back-porting of some content to 8_252. The platform detection was fixed in OkHttp 3.12.12 for some paths, but not for deprecated methods. This blocks the route we currently use to supply custom SslSocketFactory via the deprecated OkHttp OkUrlFactory path via Ok's implementation of javax.net.ssl.HttpsURLConnection#setSSLSocketFactory(javax.net.ssl.SSLSocketFactory).

The workaround, if using newer Java versions and needing to set the customSSLSocketFactory or disableSSLAuthentication options, is to not use the optional OkHttp dependency.

Schema & API Changes

Security and Privacy

Testing

Modified existing tests as follows:

Monitoring and Logging

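An added example (not code from this PR or from the java-cloudant project) that applies the approach and workaround described above from the defender's side: it probes for the Java 8u252+/OkHttp combination and fails fast with a clear message rather than hitting the UnsupportedOperationException mid-request, and it supplies a customSSLSocketFactory that trusts only a private CA instead of reaching for disableSSLAuthentication. It assumes that the ClientBuilder methods url, username, password, customSSLSocketFactory and build match the option names used in the description; the version-string heuristic is my own, and the CA path and URL passed by the caller are placeholders.

```java
import com.cloudant.client.api.ClientBuilder;
import com.cloudant.client.api.CloudantClient;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

public class PrivateCaCloudantClient {
    // Heuristic (not from the project): true on 8u252+ or any 9+ JVM, where OkHttp's
    // platform detection rejects sslSocketFactory on the deprecated OkUrlFactory path.
    static boolean jvmHasJdk9Backport() {
        String v = System.getProperty("java.version");   // "1.8.0_252", "11.0.7", ...
        if (!v.startsWith("1.")) return true;             // 9+ dropped the "1." prefix
        String update = v.replaceAll("^1\\.8\\.0_(\\d+).*", "$1");
        return !update.equals(v) && Integer.parseInt(update) >= 252;
    }

    // The optional dependency only matters when it is actually on the classpath.
    static boolean okHttpOnClasspath() {
        try { Class.forName("okhttp3.OkHttpClient"); return true; }
        catch (ClassNotFoundException e) { return false; }
    }

    // Trust only the private CA; unlike disableSSLAuthentication this keeps chain and hostname checks.
    static SSLSocketFactory socketFactoryTrusting(String caPemPath) throws Exception {
        X509Certificate ca;
        try (InputStream in = new FileInputStream(caPemPath)) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("private-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Fail fast with a clear message instead of an UnsupportedOperationException mid-request.
    static CloudantClient buildClient(URL url, String user, String pass, String caPemPath) throws Exception {
        if (jvmHasJdk9Backport() && okHttpOnClasspath()) {
            throw new IllegalStateException("customSSLSocketFactory is unsupported with OkHttp on this JVM; remove the optional OkHttp dependency");
        }
        return ClientBuilder.url(url).username(user).password(pass)
                .customSSLSocketFactory(socketFactoryTrusting(caPemPath)).build();
    }
}
```

Call buildClient with the real server URL, credentials and the path to the private CA's PEM file; on an affected JVM with OkHttp present it throws before any request is made.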
ricellis commented 4 years ago

I'll add a note, but just to be clear, it isn't just related to 2.19.1; it's only that we're aware of it now. I'll move the description from the CHANGES.md to the README.md so that isn't confusing.