archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-09-20 11:04:34 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8211883: Disable anon and NULL cipher suites

Browse source 
Reviewed-by: jnimeh
This commit is contained in:
Sean Mullan 2018-10-25 13:55:28 -04:00
parent fb3ab945a6
commit 7727e4ca2f
4 changed files with 57 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/java.base/share/conf/security/java.security
View file

@ -676,7 +676,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# Example: # Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC EC keySize < 224, 3DES_EDE_CBC, anon, NULL
# #
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)

7
test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -37,6 +37,7 @@
import java.io.*; import java.io.*;
import java.net.*; import java.net.*;
import java.security.Security;
import javax.net.ssl.*; import javax.net.ssl.*;
public class JSSERenegotiate { public class JSSERenegotiate {
@ -190,6 +191,10 @@ public class JSSERenegotiate {
volatile Exception clientException = null; volatile Exception clientException = null;
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the cipher suites
// used in this test are not disabled
Security.setProperty("jdk.tls.disabledAlgorithms", "");
String keyFilename = String keyFilename =
System.getProperty("test.src", "./") + "/" + pathToStores + System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + keyStoreFile; "/" + keyStoreFile;

43
test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -23,7 +23,7 @@
/* /*
* @test * @test
* @bug 8076221 * @bug 8076221 8211883
* @summary Check if weak cipher suites are disabled * @summary Check if weak cipher suites are disabled
* @modules jdk.crypto.ec * @modules jdk.crypto.ec
* @run main/othervm DisabledAlgorithms default * @run main/othervm DisabledAlgorithms default
@ -60,9 +60,9 @@ public class DisabledAlgorithms {
System.getProperty("test.src", "./") + "/" + pathToStores + System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + trustStoreFile; "/" + trustStoreFile;
// supported RC4 cipher suites // supported RC4, NULL, and anon cipher suites
// it does not contain KRB5 cipher suites because they need a KDC // it does not contain KRB5 cipher suites because they need a KDC
private static final String[] rc4_ciphersuites = new String[] { private static final String[] rc4_null_anon_ciphersuites = new String[] {
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_SHA",
@ -70,7 +70,31 @@ public class DisabledAlgorithms {
"TLS_ECDH_RSA_WITH_RC4_128_SHA", "TLS_ECDH_RSA_WITH_RC4_128_SHA",
"SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_MD5",
"TLS_ECDH_anon_WITH_RC4_128_SHA", "TLS_ECDH_anon_WITH_RC4_128_SHA",
"SSL_DH_anon_WITH_RC4_128_MD5" "SSL_DH_anon_WITH_RC4_128_MD5",
"SSL_RSA_WITH_NULL_MD5",
"SSL_RSA_WITH_NULL_SHA",
"TLS_RSA_WITH_NULL_SHA256",
"TLS_ECDH_ECDSA_WITH_NULL_SHA",
"TLS_ECDHE_ECDSA_WITH_NULL_SHA",
"TLS_ECDH_RSA_WITH_NULL_SHA",
"TLS_ECDHE_RSA_WITH_NULL_SHA",
"TLS_ECDH_anon_WITH_NULL_SHA",
"SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
"SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
"SSL_DH_anon_WITH_DES_CBC_SHA",
"SSL_DH_anon_WITH_RC4_128_MD5",
"TLS_DH_anon_WITH_AES_128_CBC_SHA",
"TLS_DH_anon_WITH_AES_128_CBC_SHA256",
"TLS_DH_anon_WITH_AES_128_GCM_SHA256",
"TLS_DH_anon_WITH_AES_256_CBC_SHA",
"TLS_DH_anon_WITH_AES_256_CBC_SHA256",
"TLS_DH_anon_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
"TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
"TLS_ECDH_anon_WITH_NULL_SHA",
"TLS_ECDH_anon_WITH_RC4_128_SHA"
}; };
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
@ -89,8 +113,9 @@ public class DisabledAlgorithms {
System.out.println("jdk.tls.disabledAlgorithms = " System.out.println("jdk.tls.disabledAlgorithms = "
+ Security.getProperty("jdk.tls.disabledAlgorithms")); + Security.getProperty("jdk.tls.disabledAlgorithms"));
// check if RC4 cipher suites can't be used by default // check if RC4, NULL, and anon cipher suites
checkFailure(rc4_ciphersuites); // can't be used by default
checkFailure(rc4_null_anon_ciphersuites);
break; break;
case "empty": case "empty":
// reset jdk.tls.disabledAlgorithms // reset jdk.tls.disabledAlgorithms
@ -98,9 +123,9 @@ public class DisabledAlgorithms {
System.out.println("jdk.tls.disabledAlgorithms = " System.out.println("jdk.tls.disabledAlgorithms = "
+ Security.getProperty("jdk.tls.disabledAlgorithms")); + Security.getProperty("jdk.tls.disabledAlgorithms"));
// check if RC4 cipher suites can be used // check if RC4, NULL, and anon cipher suites can be used
// if jdk.tls.disabledAlgorithms is empty // if jdk.tls.disabledAlgorithms is empty
checkSuccess(rc4_ciphersuites); checkSuccess(rc4_null_anon_ciphersuites);
break; break;
default: default:
throw new RuntimeException("Wrong parameter: " + args[0]); throw new RuntimeException("Wrong parameter: " + args[0]);

27
test/jdk/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java
View file

@ -74,6 +74,7 @@
* TLS_ECDH_anon_WITH_AES_128_CBC_SHA * TLS_ECDH_anon_WITH_AES_128_CBC_SHA
*/ */
import java.security.Security;
import javax.net.ssl.*; import javax.net.ssl.*;
/** /**
@ -90,14 +91,18 @@ public class CustomizedCipherSuites {
private static boolean isClientMode; private static boolean isClientMode;
private static String enabledCipherSuite; private static String enabledCipherSuite;
private static String disabledCipherSuite; private static String notEnabledCipherSuite;
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure the cipher suites
// used in this test are not disabled
Security.setProperty("jdk.tls.disabledAlgorithms", "");
contextProtocol = trimQuotes(args[0]); contextProtocol = trimQuotes(args[0]);
isClientMode = Boolean.parseBoolean(args[1]); isClientMode = Boolean.parseBoolean(args[1]);
enabledCipherSuite = trimQuotes(args[2]); enabledCipherSuite = trimQuotes(args[2]);
disabledCipherSuite = trimQuotes(args[3]); notEnabledCipherSuite = trimQuotes(args[3]);
// //
// Create instance of SSLContext with the specified protocol. // Create instance of SSLContext with the specified protocol.
@ -206,8 +211,8 @@ public class CustomizedCipherSuites {
isMatch = true; isMatch = true;
} }
if (!disabledCipherSuite.isEmpty() && if (!notEnabledCipherSuite.isEmpty() &&
cipher.equals(disabledCipherSuite)) { cipher.equals(notEnabledCipherSuite)) {
isBroken = true; isBroken = true;
} }
} }
@ -219,7 +224,7 @@ public class CustomizedCipherSuites {
if (isBroken) { if (isBroken) {
throw new Exception( throw new Exception(
"Cipher suite " + disabledCipherSuite + " should be disabled"); "Cipher suite " + notEnabledCipherSuite + " should not be enabled");
} }
} }
@ -231,7 +236,7 @@ public class CustomizedCipherSuites {
} }
boolean hasEnabledCipherSuite = enabledCipherSuite.isEmpty(); boolean hasEnabledCipherSuite = enabledCipherSuite.isEmpty();
boolean hasDisabledCipherSuite = disabledCipherSuite.isEmpty(); boolean hasNotEnabledCipherSuite = notEnabledCipherSuite.isEmpty();
for (String cipher : ciphers) { for (String cipher : ciphers) {
System.out.println("\tsupported cipher suite " + cipher); System.out.println("\tsupported cipher suite " + cipher);
if (!enabledCipherSuite.isEmpty() && if (!enabledCipherSuite.isEmpty() &&
@ -239,9 +244,9 @@ public class CustomizedCipherSuites {
hasEnabledCipherSuite = true; hasEnabledCipherSuite = true;
} }
if (!disabledCipherSuite.isEmpty() && if (!notEnabledCipherSuite.isEmpty() &&
cipher.equals(disabledCipherSuite)) { cipher.equals(notEnabledCipherSuite)) {
hasDisabledCipherSuite = true; hasNotEnabledCipherSuite = true;
} }
} }
@ -250,9 +255,9 @@ public class CustomizedCipherSuites {
"Cipher suite " + enabledCipherSuite + " should be supported"); "Cipher suite " + enabledCipherSuite + " should be supported");
} }
if (!hasDisabledCipherSuite) { if (!hasNotEnabledCipherSuite) {
throw new Exception( throw new Exception(
"Cipher suite " + disabledCipherSuite + " should be supported"); "Cipher suite " + notEnabledCipherSuite + " should not be enabled");
} }
} }