Skip to content

Replace deprecated TLS cipher suite in SSLCertificateTest #1121

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
chrjohn merged 4 commits into from
Jan 21, 2026
Merged

Replace deprecated TLS cipher suite in SSLCertificateTest #1121

chrjohn merged 4 commits into from
Jan 21, 2026

Conversation

Copy link
Contributor

Copilot AI commented Jan 21, 2026
edited
Loading

SSLCertificateTest fails on newer JDKs because TLS_RSA_WITH_AES_128_CBC_SHA is deprecated per IETF draft-ietf-tls-deprecate-obsolete-kex.

Changes

  • Replaced TLS_RSA_WITH_AES_128_CBC_SHA with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 in parameterized test configuration
  • Removed TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA from CERTIFICATE_REQUIRED_CIPHER_SUITES constant

The replacement cipher suite provides forward secrecy via ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) key exchange and modern AES-GCM authenticated encryption while maintaining TLSv1.2 compatibility. This addresses the IETF deprecation of ALL cipher suites using static RSA key exchange (all TLS_RSA_* suites), not just CBC mode.

[!WARNING]

Original prompt

This section details on the original issue you should resolve

<filter_complete></filter_complete>

<issue_title>SSLCertificateTest fails with newer JDKs</issue_title>
<issue_description>This is most probably due to the deprecation of cipher suite TLS_RSA_WITH_AES_128_CBC_SHA which is used in this test.

See https://datatracker.ietf.org/doc/draft-ietf-tls-deprecate-obsolete-kex/

We should use an alternative cipher suite which is not deprecated.
</issue_description>

Comments on the Issue (you are @copilot in this section)

Original prompt

This section details on the original issue you should resolve

<issue_title>SSLCertificateTest fails with newer JDKs</issue_title>
<issue_description>This is most probably due to the deprecation of cipher suite TLS_RSA_WITH_AES_128_CBC_SHA which is used in this test.

See https://datatracker.ietf.org/doc/draft-ietf-tls-deprecate-obsolete-kex/

We should use an alternative cipher suite which is not deprecated.
</issue_description>

Comments on the Issue (you are @copilot in this section)

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@chrjohn chrjohn added this to the QFJ 3.0.0 milestone Jan 21, 2026
Copilot AI and others added 2 commits January 21, 2026 15:50
@chrjohn
Replace deprecated TLS_RSA_WITH_AES_128_CBC_SHA with TLS_RSA_WITH_AES…
a6d4adf 
…_128_GCM_SHA256

Co-authored-by: chrjohn <6644028+chrjohn@users.noreply.github.com>
@chrjohn
Remove deprecated cipher suites from CERTIFICATE_REQUIRED_CIPHER_SUIT…
c9031e3 
…ES constant

Co-authored-by: chrjohn <6644028+chrjohn@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix SSLCertificateTest to use non-deprecated cipher suite Replace deprecated TLS cipher suite in SSLCertificateTest Jan 21, 2026
Copilot AI requested a review from chrjohn January 21, 2026 16:05
@chrjohn chrjohn marked this pull request as ready for review January 21, 2026 16:41
@chrjohn chrjohn changed the title Replace deprecated TLS cipher suite in SSLCertificateTest Replace deprecated TLS cipher suite in SSLCertificateTest Jan 21, 2026
@chrjohn
Copy link
Member

chrjohn commented Jan 21, 2026

@copilot this does not look good, errors are the same. Please have a look.

@chrjohn
Use TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 instead of TLS_RSA_* suites
2f524f9 
Co-authored-by: chrjohn <6644028+chrjohn@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Jan 21, 2026
edited
Loading

@copilot this does not look good, errors are the same. Please have a look.

Fixed in commit 2f524f9. The issue was that ALL TLS_RSA_* cipher suites (including the GCM variant I initially used) are deprecated due to static RSA key exchange. The correct solution is to use TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 which provides forward secrecy via ECDHE key exchange. Tests now pass successfully.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • datatracker.ietf.org
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
  • https://api.github.com/repos/quickfix-j/quickfixj/actions/runs
    • Triggering command: /usr/bin/curl curl -s -H Accept: application/vnd.github&#43;json REDACTED (http block)
  • localhost-quickfixj
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -Xmx2g -Djava.net.preferIPv4Stack=true --add-opens java.base/java.lang=ALL-UNNAMED -jar /home/REDACTED/work/quickfixj/quickfixj/quickfixj-core/target/surefire/surefirebooter-20260121174540627_3.jar /home/REDACTED/work/quickfixj/quickfixj/quickfixj-core/target/surefire 2026-01-21T17-45-39_717-jvmRun1 surefire-20260121174540627_1tmp surefire_0-20260121174540627_2tmp (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -Xmx2g -Djava.net.preferIPv4Stack=true --add-opens java.base/java.lang=ALL-UNNAMED -jar /home/REDACTED/work/quickfixj/quickfixj/quickfixj-core/target/surefire/surefirebooter-20260121174837517_3.jar /home/REDACTED/work/quickfixj/quickfixj/quickfixj-core/target/surefire 2026-01-21T17-48-37_452-jvmRun1 surefire-20260121174837517_1tmp surefire_0-20260121174837517_2tmp (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -Xmx2g -Djava.net.preferIPv4Stack=true --add-opens java.base/java.lang=ALL-UNNAMED -jar /home/REDACTED/work/quickfixj/quickfixj/quickfixj-core/target/surefire/surefirebooter-20260121175256043_3.jar /home/REDACTED/work/quickfixj/quickfixj/quickfixj-core/target/surefire 2026-01-21T17-52-55_972-jvmRun1 surefire-20260121175256043_1tmp surefire_0-20260121175256043_2tmp (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

@chrjohn chrjohn merged commit 2b1a850 into master Jan 21, 2026
21 checks passed
@chrjohn chrjohn deleted the copilot/fix-ssl-certificate-test branch January 21, 2026 19:45
@the-thing the-thing mentioned this pull request Jan 23, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chrjohn chrjohn Awaiting requested review from chrjohn

Assignees

@chrjohn chrjohn

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

QFJ 3.0.0

Development

Successfully merging this pull request may close these issues.

SSLCertificateTest fails with newer JDKs

2 participants

@chrjohn