diff --git a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java index ee7da6f82506..d1bf6123e4e4 100644 --- a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java +++ b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java @@ -50,6 +50,7 @@ import org.junit.jupiter.api.Test; import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.arrayContaining; import static org.hamcrest.Matchers.containsInAnyOrder; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; @@ -95,6 +96,39 @@ public void testSLOTH() throws Exception } } + @Test + public void testDumpExcludedProtocols() throws Exception + { + SslContextFactory.Server cf = new SslContextFactory.Server(); + cf.setKeyStorePassword("storepwd"); + cf.setKeyManagerPassword("keypwd"); + cf.setExcludeProtocols("SSL.*", "TLSv1", "TLSv1\\.[01]"); + cf.start(); + + // Confirm behavior in engine + assertThat(cf.newSSLEngine().getEnabledProtocols(), not(arrayContaining("TLSv1.1"))); + + // Confirm output in dump + List dumps = cf.selectionDump(); + + Optional protocolDumpOpt = dumps.stream() + .filter((dump) -> dump.type.contains("Protocol")) + .findFirst(); + + assertTrue(protocolDumpOpt.isPresent(), "Protocol dump section should exist"); + + SslSelectionDump protocolDump = protocolDumpOpt.get(); + + long countTls11Enabled = protocolDump.enabled.stream().filter((t) -> t.contains("TLSv1.1")).count(); + long countTls11Disabled = protocolDump.disabled.stream().filter((t) -> t.contains("TLSv1.1")).count(); + + assertThat("Enabled Protocols TLSv1.1 count", countTls11Enabled, is(0L)); + assertThat("Disabled Protocols TLSv1.1 count", countTls11Disabled, is(1L)); + + // Uncomment to show in console. + // cf.dump(System.out, ""); + } + @Test public void testDumpIncludeTlsRsa() throws Exception {