Changes added (#715)

Author: vgavinash

test/container/devconfig_test.go

@@ -120,7 +120,7 @@ func TestDevSecure(t *testing.T) {
 	t.Run("JMS", func(t *testing.T) {
 		// OpenJDK is used for running tests, hence pass "false" for 7th parameter.
 		// Cipher name specified is compliant with non-IBM JRE naming.
-		runJMSTests(t, cli, ID, true, "app", appPassword, "false", "TLS_RSA_WITH_AES_256_CBC_SHA256")
+		runJMSTests(t, cli, ID, true, "app", appPassword, "false", "*TLS12ORHIGHER")
 	})
 	t.Run("REST admin", func(t *testing.T) {
 		testRESTAdmin(t, cli, ID, insecureTLSConfig, "")
@@ -473,7 +473,7 @@ func TestSSLFIPSYES(t *testing.T) {
 
 	t.Run("JMS", func(t *testing.T) {
 		// Run the JMS tests, with no password specified
-		runJMSTests(t, cli, ID, true, "app", appPassword, "false", "TLS_RSA_WITH_AES_256_CBC_SHA256")
+		runJMSTests(t, cli, ID, true, "app", appPassword, "false", "*TLS12ORHIGHER")
 	})
 
 	// Stop the container cleanly
@@ -535,14 +535,14 @@ func TestDevSecureFIPSTrueWeb(t *testing.T) {
 	waitForWebReady(t, cli, ID, createTLSConfig(t, cert, tlsPassPhrase))
 
 	// Create a TLS Config with a cipher to use when connecting over HTTPS
-	var secureTLSConfig *tls.Config = createTLSConfigWithCipher(t, cert, tlsPassPhrase, []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256})
+	var secureTLSConfig *tls.Config = createTLSConfig(t, cert, tlsPassPhrase, withMinTLSVersion(tls.VersionTLS12))
 	// Put a message to queue
 	t.Run("REST messaging", func(t *testing.T) {
 		testRESTMessaging(t, cli, ID, secureTLSConfig, qm, "app", appPassword, "")
 	})
 
 	// Create a TLS Config with a non-FIPS cipher to use when connecting over HTTPS
-	var secureNonFIPSCipherConfig *tls.Config = createTLSConfigWithCipher(t, cert, tlsPassPhrase, []uint16{tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA})
+	var secureNonFIPSCipherConfig *tls.Config = createTLSConfig(t, cert, tlsPassPhrase, withMinTLSVersion(tls.VersionTLS12))
 	// Put a message to queue - the attempt to put message will fail with a EOF return message.
 	t.Run("REST messaging", func(t *testing.T) {
 		testRESTMessaging(t, cli, ID, secureNonFIPSCipherConfig, qm, "app", appPassword, "EOF")
@@ -615,7 +615,7 @@ func TestDevSecureFalseFIPSWeb(t *testing.T) {
 	}
 
 	// Just do a HTTPS GET as well to query installation details.
-	var secureTLSConfig *tls.Config = createTLSConfigWithCipher(t, cert, tlsPassPhrase, []uint16{tls.TLS_RSA_WITH_AES_256_GCM_SHA384})
+	var secureTLSConfig *tls.Config = createTLSConfig(t, cert, tlsPassPhrase, withMinTLSVersion(tls.VersionTLS12))
 	t.Run("REST admin", func(t *testing.T) {
 		testRESTAdmin(t, cli, ID, secureTLSConfig, "")
 	})

test/container/devconfig_test_util.go

@@ -193,7 +193,7 @@ func processJunitLogLine(outputLine string) bool {
 }
 
 // createTLSConfig creates a tls.Config which trusts the specified certificate
-func createTLSConfig(t *testing.T, certFile, password string) *tls.Config {
+func createTLSConfig(t *testing.T, certFile, password string, tlsConfigOptions ...tlsConfigOption) *tls.Config {
 	// Get the SystemCertPool, continue with an empty pool on error
 	certs, err := x509.SystemCertPool()
 	if err != nil {
@@ -210,10 +210,15 @@ func createTLSConfig(t *testing.T, certFile, password string) *tls.Config {
 		t.Fatal("No certs appended")
 	}
 	// Trust the augmented cert pool in our client
-	return &tls.Config{
+	config := &tls.Config{
 		InsecureSkipVerify: false,
 		RootCAs:            certs,
 	}
+	// Apply any additional config options
+	for _, applyOpt := range tlsConfigOptions {
+		applyOpt(config)
+	}
+	return config
 }
 
 func testRESTAdmin(t *testing.T, cli ce.ContainerInterface, ID string, tlsConfig *tls.Config, errorExpected string) {
@@ -330,27 +335,11 @@ func testRESTMessaging(t *testing.T, cli ce.ContainerInterface, ID string, tlsCo
 	}
 }
 
-// createTLSConfig creates a tls.Config which trusts the specified certificate
-func createTLSConfigWithCipher(t *testing.T, certFile, password string, ciphers []uint16) *tls.Config {
-	// Get the SystemCertPool, continue with an empty pool on error
-	certs, err := x509.SystemCertPool()
-	if err != nil {
-		t.Fatal(err)
-	}
-	// Read in the cert file
-	cert, err := os.ReadFile(certFile)
-	if err != nil {
-		t.Fatal(err)
-	}
-	// Append our cert to the system pool
-	ok := certs.AppendCertsFromPEM(cert)
-	if !ok {
-		t.Fatal("No certs appended")
-	}
-	// Trust the augmented cert pool in our client
-	return &tls.Config{
-		InsecureSkipVerify: false,
-		RootCAs:            certs,
-		CipherSuites:       ciphers,
+type tlsConfigOption func(*tls.Config)
+
+// withMinTLSVersion is a functional option to set the minimum version for TLS
+func withMinTLSVersion(version uint16) tlsConfigOption {
+	return func(cfg *tls.Config) {
+		cfg.MinVersion = version
 	}
 }

test/container/mq_native_ha_test.go

@@ -224,7 +224,7 @@ func TestNativeHASecureCipherSpecFIPS(t *testing.T) {
 		nhaPort := basePort + i
 		containerConfig := getNativeHAContainerConfig(containerNames[i], containerNames, defaultHAPort)
 		// MQ_NATIVE_HA_CIPHERSPEC is set a FIPS compliant cipherspec.
-		containerConfig.Env = append(containerConfig.Env, "MQ_NATIVE_HA_TLS=true", "MQ_NATIVE_HA_CIPHERSPEC=TLS_RSA_WITH_AES_128_GCM_SHA256", "MQ_ENABLE_FIPS=true")
+		containerConfig.Env = append(containerConfig.Env, "MQ_NATIVE_HA_TLS=true", "MQ_NATIVE_HA_CIPHERSPEC=ANY_TLS12_OR_HIGHER", "MQ_ENABLE_FIPS=true")
 		hostConfig := getNativeHASecureHostConfig(t)
 		hostConfig = populateNativeHAPortBindings([]int{9414}, nhaPort, hostConfig)
 		networkingConfig := getNativeHANetworkConfig("host")