8202343: Disable TLS 1.0 and 1.1

Reviewed-by: xuelei, dfuchs, coffeys
Sean Mullan 2020-11-19 14:15:57 +00:00
parent 342ccf6903
commit 3a4b90f086
21 changed files with 300 additions and 124 deletions


@ -731,8 +731,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
# rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
#
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
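Review bot: The new `jdk.tls.disabledAlgorithms=` value silently changes the default for every SSLContext in the process, but nothing in the commentary visible here (only the `# Example:` block survives in the hunk) tells an operator that TLSv1 and TLSv1.1 are now off by default or how to get them back. A one-line note directly above the assignment would save a support round-trip: `# TLSv1 and TLSv1.1 are disabled by default; delete them from this list to re-enable them.` As far as I can tell a version on this list cannot be brought back via jdk.tls.client.protocols alone, which is the other property people reach for — if that holds, say so in the same note, since the two properties are easy to confuse.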


@ -42,6 +42,7 @@ import static java.net.http.HttpClient.Version.HTTP_1_1;
import static java.net.http.HttpClient.Version.HTTP_2;
import static java.net.http.HttpResponse.BodyHandlers.ofString;
import static org.testng.Assert.assertEquals;
import jdk.test.lib.security.SecurityUtils;
/*
* @test
@ -72,6 +73,9 @@ public class TlsContextTest implements HttpServerAdapters {
@BeforeTest
public void setUp() throws Exception {
// Re-enable TLSv1 and TLSv1.1 since test depends on them
SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1");
server = SimpleSSLContext.getContext("TLS");
final ExecutorService executor = Executors.newCachedThreadPool();
https2Server = HttpTestServer.of(
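Review bot: The `SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1")` call in `setUp` mutates a process-global security property, so this @BeforeTest weakens the TLS policy for any other test class that happens to share the JVM. The `@test` header is cut off in this hunk, so I cannot see whether the run line uses othervm; it needs to, and a comment at the call — `// process-global: this test must run in its own VM` — records the constraint where the next maintainer will see it. If only some cases in this class need the legacy versions, re-enabling per case would be tighter, but that depends on the test body beyond the hunk.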


@ -1,5 +1,5 @@
/*
* Copyright (c) 2004, 2007, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,6 +25,7 @@
* @test
* @bug 5019096
* @summary Add scatter/gather APIs for SSLEngine
* @library /test/lib
* @run main/othervm Arrays SSL
* @run main/othervm Arrays TLS
* @run main/othervm Arrays SSLv3
@ -41,6 +42,8 @@ import java.io.*;
import java.security.*;
import java.nio.*;
import jdk.test.lib.security.SecurityUtils;
public class Arrays {
private static boolean debug = false;
@ -182,6 +185,14 @@ public class Arrays {
private static String contextVersion;
public static void main(String args[]) throws Exception {
contextVersion = args[0];
// Re-enable context version if it is disabled.
// If context version is SSLv3, TLSv1 needs to be re-enabled.
if (contextVersion.equals("SSLv3")) {
SecurityUtils.removeFromDisabledTlsAlgs("TLSv1");
} else if (contextVersion.equals("TLSv1") ||
contextVersion.equals("TLSv1.1")) {
SecurityUtils.removeFromDisabledTlsAlgs(contextVersion);
}
Arrays test;
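Review bot: The comment `// If context version is SSLv3, TLSv1 needs to be re-enabled.` says what is done but not why, and the why is no longer obvious now that SSLv3 itself stays on the disabled list; presumably an "SSLv3" context is left with no usable version unless TLSv1 is put back, but that is an inference from this hunk, so confirm it and then state it, e.g. `// SSLv3 stays disabled; an SSLv3 context has no enabled version unless TLSv1 is restored`. The `if / else if` chain can also collapse to one unconditional `SecurityUtils.removeFromDisabledTlsAlgs(contextVersion.equals("SSLv3") ? "TLSv1" : contextVersion);`, since removing a name that is not on the list is effectively a no-op, and "SSL"/"TLS" fall through harmlessly. Keep the explanatory comment either way.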


@ -1,5 +1,5 @@
/*
* Copyright (c) 2014, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2014, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -23,7 +23,7 @@
/*
* @test
* @bug 8049432 8069038 8234723
* @bug 8049432 8069038 8234723 8202343
* @summary New tests for TLS property jdk.tls.client.protocols
* @summary javax/net/ssl/TLS/TLSClientPropertyTest.java needs to be
* updated for JDK-8061210
@ -79,7 +79,7 @@ public class TLSClientPropertyTest {
}
contextProtocol = null;
expectedDefaultProtos = new String[] {
"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"
"TLSv1.2", "TLSv1.3"
};
break;
case "SSLv3":
@ -90,26 +90,24 @@ public class TLSClientPropertyTest {
case "TLSv1":
contextProtocol = "TLSv1";
expectedDefaultProtos = new String[] {
"TLSv1"
};
break;
case "TLSv11":
contextProtocol = "TLSv1.1";
expectedDefaultProtos = new String[] {
"TLSv1", "TLSv1.1"
};
break;
case "TLSv12":
contextProtocol = "TLSv1.2";
expectedDefaultProtos = new String[] {
"TLSv1", "TLSv1.1", "TLSv1.2"
"TLSv1.2"
};
break;
case "TLSv13":
case "TLS":
contextProtocol = "TLSv1.3";
expectedDefaultProtos = new String[] {
"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"
"TLSv1.2", "TLSv1.3"
};
break;
case "WrongProperty":
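Review bot: The `case "TLSv1":` and `case "TLSv11":` branches in this hunk still expect `"TLSv1"` and `"TLSv1", "TLSv1.1"` as the enabled defaults, while the default, TLSv12 and TLSv13/TLS branches were updated to drop those versions. Nothing visible in this file re-enables them, so either main() (outside the hunk) calls `SecurityUtils.removeFromDisabledTlsAlgs` before these contexts are created, or these two expectations now disagree with the shipped jdk.tls.disabledAlgorithms. Whichever it is, a comment at those two cases — `// relies on TLSv1/TLSv1.1 being re-enabled before the context is built` or its opposite — would stop the next reader from re-deriving it.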


@ -27,6 +27,8 @@ import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
import jdk.test.lib.security.SecurityUtils;
/*
* A JDK client process.
*/
@ -158,6 +160,9 @@ public class JdkProcClient extends AbstractClient {
String serverNamesStr = System.getProperty(JdkProcUtils.PROP_SERVER_NAMES);
String appProtocolsStr = System.getProperty(JdkProcUtils.PROP_APP_PROTOCOLS);
// Re-enable TLSv1 and TLSv1.1 since client depends on them
SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1");
JdkClient.Builder builder = new JdkClient.Builder();
builder.setCertTuple(JdkProcUtils.createCertTuple(
trustedCertsStr, eeCertsStr));
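Review bot: The client harness now re-enables TLSv1 and TLSv1.1 unconditionally at the `SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1")` line, including for interop cases that only exercise TLSv1.2/1.3, so no case run through JdkProcClient ever verifies the shipped default. If the requested protocol list is available from a system property like the server-name and app-protocol ones read just above, re-enable only what that list asks for; the start of the method, where those properties are read, is outside the hunk. At minimum the comment should say the weakening is deliberate for the whole client process: `// Re-enable legacy versions for all interop cases in this client JVM; callers that want default-policy coverage must use a separate run`.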


@ -1,5 +1,5 @@
/*
* Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2010, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -27,6 +27,7 @@
* @test
* @bug 4873188
* @summary Support TLS 1.1
* @library /test/lib
* @modules java.security.jgss
* java.security.jgss/sun.security.jgss.krb5
* java.security.jgss/sun.security.krb5:+open
@ -50,6 +51,8 @@ import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import jdk.test.lib.security.SecurityUtils;
public class GenericBlockCipher {
/*
@ -171,6 +174,9 @@ public class GenericBlockCipher {
volatile Exception clientException = null;
public static void main(String[] args) throws Exception {
// Re-enable TLSv1.1 since test depends on it.
SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1");
String keyFilename =
System.getProperty("test.src", ".") + "/" + pathToStores +
"/" + keyStoreFile;


@ -1,5 +1,5 @@
/*
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -24,11 +24,14 @@ import java.util.Arrays;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import jdk.test.lib.security.SecurityUtils;
/*
* @test
* @bug 8234728
* @library /javax/net/ssl/templates
* /javax/net/ssl/TLSCommon
* /test/lib
* @summary Test TLS ciphersuites order set through System properties
* @run main/othervm
* -Djdk.tls.client.cipherSuites=TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
@ -95,6 +98,10 @@ public class SystemPropCipherSuitesOrder extends SSLSocketTemplate {
private SystemPropCipherSuitesOrder(String protocol) {
this.protocol = protocol;
// Re-enable protocol if disabled.
if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) {
SecurityUtils.removeFromDisabledTlsAlgs(protocol);
}
}
// Servers are configured before clients, increment test case after.
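Review bot: The private constructor now mutates process-global state through `Security.setProperty` (inside `removeFromDisabledTlsAlgs`) on every instantiation, which is a surprising place for a policy change and makes the effect depend on construction order; the same two lines appear verbatim in TLSCipherSuitesOrder and NullHostnameCheck in this commit, so a `main`-level call before the first instance would be the more readable shape, assuming the entry point (outside the hunk) has the protocol in hand. The `if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1"))` guard is also redundant: the helper just filters the requested names out of the list, so `SecurityUtils.removeFromDisabledTlsAlgs(protocol);` alone has the same effect for every protocol string and reads as a single intent.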


@ -1,5 +1,5 @@
/*
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -24,11 +24,14 @@ import java.util.Arrays;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import jdk.test.lib.security.SecurityUtils;
/*
* @test
* @bug 8234728
* @library /javax/net/ssl/templates
* /javax/net/ssl/TLSCommon
* /test/lib
* @summary Test TLS ciphersuites order.
* Parameter order: <protocol> <client cipher order> <server cipher order>
* @run main/othervm TLSCipherSuitesOrder TLSv13 ORDERED default
@ -67,6 +70,10 @@ public class TLSCipherSuitesOrder extends SSLSocketTemplate {
private TLSCipherSuitesOrder(String protocol, String[] clientcipherSuites,
String[] servercipherSuites) {
// Re-enable protocol if it is disabled.
if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) {
SecurityUtils.removeFromDisabledTlsAlgs(protocol);
}
this.protocol = protocol;
this.clientcipherSuites = clientcipherSuites;
this.servercipherSuites = servercipherSuites;


@ -24,7 +24,7 @@
/*
* @test
* @bug 8246330
* @library /javax/net/ssl/templates
* @library /javax/net/ssl/templates /test/lib
* @run main/othervm -Djdk.tls.namedGroups="secp384r1"
DisabledCurve DISABLE_NONE PASS
* @run main/othervm -Djdk.tls.namedGroups="secp384r1"
@ -37,6 +37,8 @@ import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import jdk.test.lib.security.SecurityUtils;
public class DisabledCurve extends SSLSocketTemplate {
private static volatile int index;
@ -97,6 +99,9 @@ public class DisabledCurve extends SSLSocketTemplate {
Security.setProperty("jdk.certpath.disabledAlgorithms", "secp384r1");
}
// Re-enable TLSv1 and TLSv1.1 since test depends on it.
SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1");
for (index = 0; index < protocols.length; index++) {
try {
(new DisabledCurve()).run();


@ -25,11 +25,14 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import jdk.test.lib.security.SecurityUtils;
/*
* @test
* @bug 8224650 8242929
* @library /javax/net/ssl/templates
* /javax/net/ssl/TLSCommon
* /test/lib
* @summary Test TLS ciphersuite with each individual supported group
* @run main/othervm NamedGroupsWithCipherSuite x25519
* @run main/othervm NamedGroupsWithCipherSuite X448
@ -145,6 +148,9 @@ public class NamedGroupsWithCipherSuite extends SSLSocketTemplate {
System.setProperty("jdk.tls.namedGroups", namedGroup);
System.out.println("NamedGroup: " + namedGroup);
// Re-enable TLSv1 and TLSv1.1 since test depends on it.
SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1");
for (Protocol protocol : PROTOCOLS) {
for (CipherSuite cipherSuite : CIPHER_SUITES) {
// Named group converted to lower case just


@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -26,6 +26,7 @@
* @bug 8044860
* @summary Vectors and fixed length fields should be verified
* for allowed sizes.
* @library /test/lib
* @modules java.base/sun.security.ssl
* @run main/othervm LengthCheckTest
* @key randomness
@ -76,6 +77,8 @@ import java.util.List;
import java.util.ArrayList;
import java.util.Iterator;
import jdk.test.lib.security.SecurityUtils;
public class LengthCheckTest {
/*
@ -300,6 +303,9 @@ public class LengthCheckTest {
* Main entry point for this test.
*/
public static void main(String args[]) throws Exception {
// Re-enable TLSv1 since test depends on it.
SecurityUtils.removeFromDisabledTlsAlgs("TLSv1");
List<LengthCheckTest> ccsTests = new ArrayList<>();
if (debug) {


@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -22,10 +22,13 @@
*/
/*
* test
* @test
* @bug 7126889
* @summary Incorrect SSLEngine debug output
*
* @library /test/lib
* @run main DebugReportsOneExtraByte
*/
/*
* Debug output was reporting n+1 bytes of data was written when it was
* really was n.
*
@ -75,6 +78,10 @@ import java.io.*;
import java.security.*;
import java.nio.*;
import jdk.test.lib.process.OutputAnalyzer;
import jdk.test.lib.process.ProcessTools;
import jdk.test.lib.security.SecurityUtils;
public class DebugReportsOneExtraByte {
/*
@ -82,17 +89,6 @@ public class DebugReportsOneExtraByte {
*/
private static boolean logging = true;
/*
* Enables the JSSE system debugging system property:
*
* -Djavax.net.debug=all
*
* This gives a lot of low-level information about operations underway,
* including specific handshake messages, and might be best examined
* after gaining some familiarity with this application.
*/
private static boolean debug = false;
private SSLContext sslc;
private SSLEngine clientEngine; // client Engine
@ -130,14 +126,21 @@ public class DebugReportsOneExtraByte {
* Main entry point for this test.
*/
public static void main(String args[]) throws Exception {
if (debug) {
System.setProperty("javax.net.debug", "all");
if (args.length == 0) {
OutputAnalyzer output = ProcessTools.executeTestJvm(
"-Dtest.src=" + System.getProperty("test.src"),
"-Djavax.net.debug=all", "DebugReportsOneExtraByte", "p");
output.shouldContain("WRITE: TLS10 application_data, length = 8");
System.out.println("Test Passed.");
} else {
// Re-enable TLSv1 since test depends on it
SecurityUtils.removeFromDisabledTlsAlgs("TLSv1");
DebugReportsOneExtraByte test = new DebugReportsOneExtraByte();
test.runTest();
}
DebugReportsOneExtraByte test = new DebugReportsOneExtraByte();
test.runTest();
System.out.println("Test Passed.");
}
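Review bot: In the parent branch of `main`, `output.shouldContain("WRITE: TLS10 application_data, length = 8")` is the only check applied to the child JVM, so a child that prints the expected line and then dies (for instance during runTest() teardown, or with an uncaught exception after the write) still passes; add `output.shouldHaveExitValue(0);` before the `shouldContain` call so a broken child cannot pass on partial output. The `"p"` argument that selects child mode is a magic value — a comment at the `executeTestJvm` call such as `// any argument means "run as the child that performs the handshake"` would make the two-mode structure obvious to someone arriving from the deleted shell wrapper.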
/*


@ -1,81 +0,0 @@
#! /bin/sh
#
# Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#
# @test
# @bug 7126889
# @summary Incorrect SSLEngine debug output
#
# ${TESTJAVA} is pointing to the JDK under test.
#
# set platform-dependent variables
OS=`uname -s`
case "$OS" in
Linux | Darwin | AIX )
PS=":"
FS="/"
;;
CYGWIN* )
PS=";"
FS="/"
;;
Windows* )
PS=";"
FS="\\"
;;
* )
echo "Unrecognized system!"
exit 1;
;;
esac
${COMPILEJAVA}${FS}bin${FS}javac ${TESTJAVACOPTS} ${TESTTOOLVMOPTS} -d . \
${TESTSRC}${FS}DebugReportsOneExtraByte.java
STRING='WRITE: TLS10 application_data, length = 8'
echo "Examining debug output for the string:"
echo "${STRING}"
echo "========="
${TESTJAVA}${FS}bin${FS}java ${TESTVMOPTS} -Djavax.net.debug=all \
-Dtest.src=${TESTSRC} \
DebugReportsOneExtraByte 2>&1 | \
grep "${STRING}"
RETVAL=$?
echo "========="
if [ ${RETVAL} -ne 0 ]; then
echo "Did NOT see the expected debug output."
exit 1
else
echo "Received the expected debug output."
exit 0
fi
else
echo "Received the expected debug output."
exit 0
fi


@ -1,5 +1,5 @@
/*
* Copyright (c) 2016, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -33,6 +33,7 @@
* Master Secret Extension
* @summary Increase the number of clones in the CloneableDigest
* @library /javax/net/ssl/templates
* @library /test/lib
* @compile DigestBase.java
* @run main/othervm HandshakeHashCloneExhaustion
* TLSv1.3 TLS_AES_128_GCM_SHA256
@ -48,6 +49,8 @@ import java.security.MessageDigest;
import java.security.Security;
import javax.net.ssl.SSLSocket;
import jdk.test.lib.security.SecurityUtils;
public class HandshakeHashCloneExhaustion extends SSLSocketTemplate {
private static String[] protocol;
@ -79,6 +82,10 @@ public class HandshakeHashCloneExhaustion extends SSLSocketTemplate {
protocol = new String [] { args[0] };
ciphersuite = new String[] { args[1] };
// Re-enable TLSv1.1 when test depends on it.
if (protocol[0].equals("TLSv1.1")) {
SecurityUtils.removeFromDisabledTlsAlgs(protocol[0]);
}
(new HandshakeHashCloneExhaustion()).run();
}


@ -1,5 +1,5 @@
/*
* Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -28,6 +28,7 @@
* @test
* @bug 7093640 8234725
* @summary Enable TLS 1.1 and TLS 1.2 by default in client side of SunJSSE
* @library /test/lib
* @run main/othervm -Djdk.tls.client.protocols="XSLv3,TLSv1"
* IllegalProtocolProperty
*/
@ -35,6 +36,8 @@
import javax.net.ssl.*;
import java.security.NoSuchAlgorithmException;
import jdk.test.lib.security.SecurityUtils;
public class IllegalProtocolProperty {
static enum ContextVersion {
TLS_CV_01("SSL", "TLSv1", "TLSv1.2", true),
@ -61,6 +64,9 @@ public class IllegalProtocolProperty {
}
public static void main(String[] args) throws Exception {
// Re-enable TLSv1 and TLSv1.1 since test depends on them.
SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1");
for (ContextVersion cv : ContextVersion.values()) {
System.out.println("Checking SSLContext of " + cv.contextVersion);


@ -0,0 +1,140 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
//
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.
//
/*
* @test
* @bug 8202343
* @summary Check that SSLv3, TLSv1 and TLSv1.1 are disabled by default
* @run main/othervm SSLContextDefault
*/
import java.util.List;
import javax.net.ssl.*;
public class SSLContextDefault {
private final static String[] protocols = {
"", "SSL", "TLS", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"
};
private final static List<String> disabledProtocols = List.<String>of(
"SSLv3", "TLSv1", "TLSv1.1"
);
public static void main(String[] args) throws Exception {
for (String protocol : protocols) {
System.out.println("//");
System.out.println("// " + "Testing for SSLContext of " +
(protocol.isEmpty() ? "<default>" : protocol));
System.out.println("//");
checkForProtocols(protocol);
System.out.println();
}
}
public static void checkForProtocols(String protocol) throws Exception {
SSLContext context;
if (protocol.isEmpty()) {
context = SSLContext.getDefault();
} else {
context = SSLContext.getInstance(protocol);
context.init(null, null, null);
}
// check for the presence of supported protocols of SSLContext
SSLParameters parameters = context.getSupportedSSLParameters();
checkProtocols(parameters.getProtocols(),
"Supported protocols in SSLContext", false);
// check for the presence of default protocols of SSLContext
parameters = context.getDefaultSSLParameters();
checkProtocols(parameters.getProtocols(),
"Enabled protocols in SSLContext", true);
// check for the presence of supported protocols of SSLEngine
SSLEngine engine = context.createSSLEngine();
checkProtocols(engine.getSupportedProtocols(),
"Supported protocols in SSLEngine", false);
// Check for the presence of default protocols of SSLEngine
checkProtocols(engine.getEnabledProtocols(),
"Enabled protocols in SSLEngine", true);
SSLSocketFactory factory = context.getSocketFactory();
try (SSLSocket socket = (SSLSocket)factory.createSocket()) {
// check for the presence of supported protocols of SSLSocket
checkProtocols(socket.getSupportedProtocols(),
"Supported cipher suites in SSLSocket", false);
// Check for the presence of default protocols of SSLSocket
checkProtocols(socket.getEnabledProtocols(),
"Enabled protocols in SSLSocket", true);
}
SSLServerSocketFactory serverFactory = context.getServerSocketFactory();
try (SSLServerSocket serverSocket =
(SSLServerSocket)serverFactory.createServerSocket()) {
// check for the presence of supported protocols of SSLServerSocket
checkProtocols(serverSocket.getSupportedProtocols(),
"Supported cipher suites in SSLServerSocket", false);
// Check for the presence of default protocols of SSLServerSocket
checkProtocols(serverSocket.getEnabledProtocols(),
"Enabled protocols in SSLServerSocket", true);
}
}
private static void checkProtocols(String[] protocols,
String title, boolean disabled) throws Exception {
showProtocols(protocols, title);
if (disabled) {
for (String protocol : protocols ) {
if (disabledProtocols.contains(protocol)) {
throw new Exception(protocol +
" should not be enabled by default");
}
}
} else {
for (String disabledProtocol : disabledProtocols) {
if (!List.of(protocols).contains(disabledProtocol)) {
throw new Exception(disabledProtocol +
" should be supported by default");
}
}
}
}
private static void showProtocols(String[] protocols, String title) {
System.out.println(title + "[" + protocols.length + "]:");
for (String protocol : protocols) {
System.out.println(" " + protocol);
}
}
}
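Review bot: The titles passed at the `socket.getSupportedProtocols()` and `serverSocket.getSupportedProtocols()` calls read `"Supported cipher suites in SSLSocket"` and `"Supported cipher suites in SSLServerSocket"`, but both calls list protocols, so a failure log would mislabel the data; use `"Supported protocols in SSLSocket"` and `"Supported protocols in SSLServerSocket"` to match the other titles. Separately, the `disabled` branch of `checkProtocols` only proves that SSLv3, TLSv1 and TLSv1.1 are absent from the enabled set, so a regression that left the enabled list empty would still pass; for the default, "TLS", "TLSv1.2" and "TLSv1.3" contexts it is worth also asserting that TLSv1.2 or TLSv1.3 is present. Whether the narrower "SSLv3"/"TLSv1"/"TLSv1.1" contexts now yield an empty enabled list I cannot tell from this file, so keep that positive check conditional on the context name rather than global.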


@ -1,5 +1,5 @@
/*
* Copyright (c) 2011, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2011, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -29,11 +29,14 @@
* @bug 6976117 8234725
* @summary SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets
* without TLSv1.1 enabled
* @library /test/lib
* @run main/othervm SSLContextVersion
*/
import javax.net.ssl.*;
import jdk.test.lib.security.SecurityUtils;
public class SSLContextVersion {
static enum ContextVersion {
TLS_CV_01("SSL", "TLSv1.2", "TLSv1.2"),
@ -60,6 +63,9 @@ public class SSLContextVersion {
}
public static void main(String[] args) throws Exception {
// Re-enable TLSv1 and TLSv1.1 since test depends on them.
SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1");
for (ContextVersion cv : ContextVersion.values()) {
System.out.println("Checking SSLContext of " + cv.contextVersion);
SSLContext context = SSLContext.getInstance(cv.contextVersion);


@ -1,5 +1,5 @@
/*
* Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2008, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -30,6 +30,7 @@
* @test
* @bug 6728126
* @summary Parsing Extensions in Client Hello message is done in a wrong way
* @library /test/lib
* @run main/othervm EmptyExtensionData
*/
@ -39,6 +40,8 @@ import java.io.*;
import java.security.*;
import java.nio.*;
import jdk.test.lib.security.SecurityUtils;
public class EmptyExtensionData {
private static boolean debug = false;
@ -154,6 +157,8 @@ public class EmptyExtensionData {
}
public static void main(String args[]) throws Exception {
// Re-enable TLSv1 since test depends on it.
SecurityUtils.removeFromDisabledTlsAlgs("TLSv1");
SSLEngine ssle = createSSLEngine(keyFilename, trustFilename);
runTest(ssle);


@ -1,5 +1,5 @@
/*
* Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2011, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -30,6 +30,7 @@
* @test
* @bug 7031830
* @summary bad_record_mac failure on TLSv1.2 enabled connection with SSLEngine
* @library /test/lib
* @run main/othervm SSLEngineBadBufferArrayAccess
*/
@ -86,6 +87,8 @@ import java.nio.*;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import jdk.test.lib.security.SecurityUtils;
public class SSLEngineBadBufferArrayAccess {
/*
@ -158,6 +161,9 @@ public class SSLEngineBadBufferArrayAccess {
System.setProperty("javax.net.debug", "all");
}
// Re-enable TLSv1 and TLSv1.1 since test depends on them.
SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1");
String [] protocols = new String [] {
"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" };
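Review bot: The protocol array right below the new `removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1")` call still starts with `"SSLv3"`, which this commit leaves on the disabled list, so the SSLv3 iteration is either skipped or fails depending on how the loop body treats a disabled protocol — the loop body is outside the hunk, so I cannot tell which. Either re-enable SSLv3 alongside the other two if the test genuinely needs an SSLv3 handshake, or drop it from the array; in both cases a one-line comment, e.g. `// SSLv3 stays disabled and is expected to be rejected below`, would explain the asymmetry instead of leaving it for the next reader to rediscover.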


@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -35,6 +35,7 @@ import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import jdk.test.lib.security.KeyStoreUtils;
import jdk.test.lib.security.SecurityUtils;
import jdk.test.lib.security.SSLContextBuilder;
/*
@ -54,6 +55,12 @@ public final class NullHostnameCheck {
public static void main(String[] args) throws Exception {
String protocol = args[0];
String password = "123456";
// Re-enable TLSv1 or TLSv1.1 when test depends on it.
if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) {
SecurityUtils.removeFromDisabledTlsAlgs(protocol);
}
SSLContext serverCtx = SSLContextBuilder.builder()
.keyStore(KeyStoreUtils.loadKeyStoreBase64(
keystoreB64, password))


@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,6 +25,10 @@ package jdk.test.lib.security;
import java.io.File;
import java.security.KeyStore;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
/**
* Common library for various security test helper functions.
@ -48,5 +52,23 @@ public final class SecurityUtils {
return KeyStore.getInstance(file, (char[])null);
}
/**
* Removes the specified protocols from the jdk.tls.disabledAlgorithms
* security property.
*/
public static void removeFromDisabledTlsAlgs(String... protocols) {
removeFromDisabledAlgs("jdk.tls.disabledAlgorithms",
List.<String>of(protocols));
}
private static void removeFromDisabledAlgs(String prop, List<String> algs) {
String value = Security.getProperty(prop);
value = Arrays.stream(value.split(","))
.map(s -> s.trim())
.filter(s -> !algs.contains(s))
.collect(Collectors.joining(","));
Security.setProperty(prop, value);
}
private SecurityUtils() {}
}
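Review bot: `removeFromDisabledAlgs` dereferences the result of `Security.getProperty(prop)` without a null check, so a caller that passes a property name that is unset in the active java.security file gets a bare NPE from `value.split(",")` instead of a message naming the property; guard with `if (value == null) { return; }` (or throw an IllegalStateException that names `prop`) before splitting. The Javadoc on `removeFromDisabledTlsAlgs` should also state the precondition every caller in this commit silently relies on: the call has to happen before SunJSSE first reads the property, since the disabled-algorithm constraints appear to be loaded once per process — every caller here invokes it at the top of main or in a @BeforeTest, which is consistent with that, but confirm against the provider before documenting it as fact. A sentence noting that the helper rewrites the whole property value (trimming entries and dropping the original line continuations) and that the change is process-global and not reverted afterwards would complete the contract.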