# HG changeset patch # User mullan # Date 1605795357 0 # Thu Nov 19 14:15:57 2020 +0000 # Node ID f2f0ceec19fbb141e9a6552ec633e732c6c59b1d # Parent 25ef0910e622a7d4ee22b1338f991d6b109aaecc 8202343: Disable TLS 1.0 and 1.1 Reviewed-by: xuelei, dfuchs, coffeys, sgehwolf diff --git a/src/share/lib/security/java.security-aix b/src/share/lib/security/java.security-aix --- a/src/share/lib/security/java.security-aix +++ b/src/share/lib/security/java.security-aix @@ -680,8 +680,8 @@ # # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 -jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ - EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ +jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ + DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) diff --git a/src/share/lib/security/java.security-linux b/src/share/lib/security/java.security-linux --- a/src/share/lib/security/java.security-linux +++ b/src/share/lib/security/java.security-linux @@ -680,8 +680,8 @@ # # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 -jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ - EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ +jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ + DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) diff --git a/src/share/lib/security/java.security-macosx b/src/share/lib/security/java.security-macosx --- a/src/share/lib/security/java.security-macosx +++ b/src/share/lib/security/java.security-macosx 
@@ -683,8 +683,8 @@ # # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 -jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ - EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ +jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ + DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) diff --git a/src/share/lib/security/java.security-solaris b/src/share/lib/security/java.security-solaris --- a/src/share/lib/security/java.security-solaris +++ b/src/share/lib/security/java.security-solaris @@ -681,8 +681,8 @@ # # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 -jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ - EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ +jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ + DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) diff --git a/src/share/lib/security/java.security-windows b/src/share/lib/security/java.security-windows --- a/src/share/lib/security/java.security-windows +++ b/src/share/lib/security/java.security-windows @@ -683,8 +683,8 @@ # # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 -jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ - EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ +jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ + DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) diff --git a/test/javax/net/ssl/SSLEngine/Arrays.java b/test/javax/net/ssl/SSLEngine/Arrays.java --- a/test/javax/net/ssl/SSLEngine/Arrays.java 
+++ b/test/javax/net/ssl/SSLEngine/Arrays.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004, 2007, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,7 @@ * @test * @bug 5019096 * @summary Add scatter/gather APIs for SSLEngine + * @library /lib/security * @run main/othervm Arrays SSL * @run main/othervm Arrays TLS * @run main/othervm Arrays SSLv3 @@ -182,6 +183,14 @@ private static String contextVersion; public static void main(String args[]) throws Exception { contextVersion = args[0]; + // Re-enable context version if it is disabled. + // If context version is SSLv3, TLSv1 needs to be re-enabled. + if (contextVersion.equals("SSLv3")) { + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1"); + } else if (contextVersion.equals("TLSv1") || + contextVersion.equals("TLSv1.1")) { + SecurityUtils.removeFromDisabledTlsAlgs(contextVersion); + } Arrays test; diff --git a/test/javax/net/ssl/TLS/TLSClientPropertyTest.java b/test/javax/net/ssl/TLS/TLSClientPropertyTest.java --- a/test/javax/net/ssl/TLS/TLSClientPropertyTest.java +++ b/test/javax/net/ssl/TLS/TLSClientPropertyTest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014, 2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2014, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -23,7 +23,7 @@ /* * @test - * @bug 8049432 8069038 8234723 + * @bug 8049432 8069038 8234723 8202343 * @summary New tests for TLS property jdk.tls.client.protocols * @summary javax/net/ssl/TLS/TLSClientPropertyTest.java needs to be * updated for JDK-8061210 
@@ -71,7 +71,7 @@ } contextProtocol = null; expectedDefaultProtos = new String[] { - "TLSv1", "TLSv1.1", "TLSv1.2" + "TLSv1.2" }; break; case "SSLv3": @@ -82,26 +82,24 @@ case "TLSv1": contextProtocol = "TLSv1"; expectedDefaultProtos = new String[] { - "TLSv1" }; break; case "TLSv11": contextProtocol = "TLSv1.1"; expectedDefaultProtos = new String[] { - "TLSv1", "TLSv1.1" }; break; case "TLSv12": case "TLS": contextProtocol = "TLSv1.2"; expectedDefaultProtos = new String[] { - "TLSv1", "TLSv1.1", "TLSv1.2" + "TLSv1.2" }; break; case "TLSv13": contextProtocol = "TLSv1.3"; expectedDefaultProtos = new String[] { - "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" + "TLSv1.2", "TLSv1.3" }; break; case "WrongProperty": diff --git a/test/javax/net/ssl/TLSv11/GenericBlockCipher.java b/test/javax/net/ssl/TLSv11/GenericBlockCipher.java --- a/test/javax/net/ssl/TLSv11/GenericBlockCipher.java +++ b/test/javax/net/ssl/TLSv11/GenericBlockCipher.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,6 +27,7 @@ * @test * @bug 4873188 * @summary Support TLS 1.1 + * @library /lib/security * @run main/othervm GenericBlockCipher * * SunJSSE does not support dynamic system properties, no way to re-use @@ -160,6 +161,9 @@ volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // Re-enable TLSv1.1 since test depends on it. + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1"); + String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + "/" + keyStoreFile; diff --git a/test/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java b/test/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java 
--- a/test/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java +++ b/test/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,6 +29,7 @@ * @bug 8234728 * @library /javax/net/ssl/templates * /javax/net/ssl/TLSCommon + * /lib/security * @summary Test TLS ciphersuites order set through System properties * @run main/othervm * -Djdk.tls.client.cipherSuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384 @@ -98,6 +99,10 @@ private SystemPropCipherSuitesOrder(String protocol) { this.protocol = protocol; + // Re-enable protocol if disabled. + if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) { + SecurityUtils.removeFromDisabledTlsAlgs(protocol); + } } // Servers are configured before clients, increment test case after. diff --git a/test/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java b/test/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java --- a/test/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java +++ b/test/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,6 +29,7 @@ * @bug 8234728 * @library /javax/net/ssl/templates * /javax/net/ssl/TLSCommon + * /lib/security * @summary Test TLS ciphersuites order. * Parameter order: * @run main/othervm TLSCipherSuitesOrder TLSv13 ORDERED default 
@@ -67,6 +68,10 @@ private TLSCipherSuitesOrder(String protocol, String[] clientcipherSuites, String[] servercipherSuites) { + // Re-enable protocol if it is disabled. + if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) { + SecurityUtils.removeFromDisabledTlsAlgs(protocol); + } this.protocol = protocol; this.clientcipherSuites = clientcipherSuites; this.servercipherSuites = servercipherSuites; diff --git a/test/lib/security/SecurityUtils.java b/test/lib/security/SecurityUtils.java --- a/test/lib/security/SecurityUtils.java +++ b/test/lib/security/SecurityUtils.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -24,6 +24,11 @@ import java.io.File; import java.io.FileInputStream; import java.security.KeyStore; +import java.security.Security; +import java.util.Arrays; +import java.util.Collections; +import java.util.List; +import java.util.stream.Collectors; /** * Common library for various security test helper functions. @@ -52,5 +57,25 @@ return ks; } + /** + * Removes the specified protocols from the jdk.tls.disabledAlgorithms + * security property. + */ + public static void removeFromDisabledTlsAlgs(String... protocols) { + List protocolsList = Arrays.asList(protocols); + protocolsList = Collections.unmodifiableList(protocolsList); + removeFromDisabledAlgs("jdk.tls.disabledAlgorithms", + protocolsList); + } + + private static void removeFromDisabledAlgs(String prop, List algs) { + String value = Security.getProperty(prop); + value = Arrays.stream(value.split(",")) + .map(s -> s.trim()) + .filter(s -> !algs.contains(s)) + .collect(Collectors.joining(",")); + Security.setProperty(prop, value); + } + private SecurityUtils() {} } 
diff --git a/test/sun/security/ssl/ClientHandshaker/LengthCheckTest.java b/test/sun/security/ssl/ClientHandshaker/LengthCheckTest.java --- a/test/sun/security/ssl/ClientHandshaker/LengthCheckTest.java +++ b/test/sun/security/ssl/ClientHandshaker/LengthCheckTest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,6 +26,7 @@ * @bug 8044860 * @summary Vectors and fixed length fields should be verified * for allowed sizes. + * @library /lib/security * @run main/othervm LengthCheckTest * @key randomness */ @@ -299,6 +300,9 @@ * Main entry point for this test. */ public static void main(String args[]) throws Exception { + // Re-enable TLSv1 since test depends on it. + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1"); + List ccsTests = new ArrayList<>(); if (debug) { diff --git a/test/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.java b/test/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.java --- a/test/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.java +++ b/test/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -22,10 +22,13 @@ */ /* - * test + * @test * @bug 7126889 * @summary Incorrect SSLEngine debug output - * + * @library /lib /lib/security + * @run main DebugReportsOneExtraByte + */ +/* * Debug output was reporting n+1 bytes of data was written when it was * really was n. * 
@@ -75,6 +78,9 @@ import java.security.*; import java.nio.*; +import jdk.test.lib.process.OutputAnalyzer; +import jdk.test.lib.process.ProcessTools; + public class DebugReportsOneExtraByte { /* @@ -82,17 +88,6 @@ */ private static boolean logging = true; - /* - * Enables the JSSE system debugging system property: - * - * -Djavax.net.debug=all - * - * This gives a lot of low-level information about operations underway, - * including specific handshake messages, and might be best examined - * after gaining some familiarity with this application. - */ - private static boolean debug = false; - private SSLContext sslc; private SSLEngine clientEngine; // client Engine @@ -130,14 +125,21 @@ * Main entry point for this test. */ public static void main(String args[]) throws Exception { - if (debug) { - System.setProperty("javax.net.debug", "all"); - } + + if (args.length == 0) { + OutputAnalyzer output = ProcessTools.executeTestJvm( + "-Dtest.src=" + System.getProperty("test.src"), + "-Djavax.net.debug=all", "DebugReportsOneExtraByte", "p"); + output.shouldContain("WRITE: TLS10 application_data, length = 8"); - DebugReportsOneExtraByte test = new DebugReportsOneExtraByte(); - test.runTest(); + System.out.println("Test Passed."); + } else { + // Re-enable TLSv1 since test depends on it + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1"); - System.out.println("Test Passed."); + DebugReportsOneExtraByte test = new DebugReportsOneExtraByte(); + test.runTest(); + } } /* diff --git a/test/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.sh b/test/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.sh deleted file mode 100644 --- a/test/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.sh +++ /dev/null 
@@ -1,81 +0,0 @@ -#! /bin/sh - -# -# Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved. -# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -# -# This code is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License version 2 only, as -# published by the Free Software Foundation. -# -# This code is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# version 2 for more details (a copy is included in the LICENSE file that -# accompanied this code). -# -# You should have received a copy of the GNU General Public License version -# 2 along with this work; if not, write to the Free Software Foundation, -# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -# or visit www.oracle.com if you need additional information or have any -# questions. -# - -# @test -# @bug 7126889 -# @summary Incorrect SSLEngine debug output -# -# ${TESTJAVA} is pointing to the JDK under test. -# -# set platform-dependent variables - -OS=`uname -s` -case "$OS" in - SunOS | Linux | Darwin | AIX ) - PS=":" - FS="/" - ;; - CYGWIN* ) - PS=";" - FS="/" - ;; - Windows* ) - PS=";" - FS="\\" - ;; - * ) - echo "Unrecognized system!" - exit 1; - ;; -esac - -${COMPILEJAVA}${FS}bin${FS}javac ${TESTJAVACOPTS} ${TESTTOOLVMOPTS} -d . \ - ${TESTSRC}${FS}DebugReportsOneExtraByte.java - -STRING='WRITE: TLS10 application_data, length = 8' - -echo "Examining debug output for the string:" -echo "${STRING}" -echo "=========" - -${TESTJAVA}${FS}bin${FS}java ${TESTVMOPTS} -Djavax.net.debug=all \ - -Dtest.src=${TESTSRC} \ - DebugReportsOneExtraByte 2>&1 | \ - grep "${STRING}" -RETVAL=$? - -echo "=========" - -if [ ${RETVAL} -ne 0 ]; then - echo "Did NOT see the expected debug output." 
- exit 1 -else - echo "Received the expected debug output." - exit 0 -fi -else - echo "Received the expected debug output." - exit 0 -fi diff --git a/test/sun/security/ssl/HandshakeHash/HandshakeHashCloneExhaustion.java b/test/sun/security/ssl/HandshakeHash/HandshakeHashCloneExhaustion.java --- a/test/sun/security/ssl/HandshakeHash/HandshakeHashCloneExhaustion.java +++ b/test/sun/security/ssl/HandshakeHash/HandshakeHashCloneExhaustion.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016, 2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,6 +33,7 @@ * Master Secret Extension * @summary Increase the number of clones in the CloneableDigest * @library /javax/net/ssl/templates + * @library /lib/security * @compile DigestBase.java * @run main/othervm -Djdk.tls.client.protocols="TLSv1.3,TLSv1.2,TLSv1.1,TLSv1,SSLv3" * HandshakeHashCloneExhaustion TLSv1.3 TLS_AES_128_GCM_SHA256 @@ -79,6 +80,10 @@ protocol = new String [] { args[0] }; ciphersuite = new String[] { args[1] }; + // Re-enable TLSv1.1 when test depends on it. + if (protocol[0].equals("TLSv1.1")) { + SecurityUtils.removeFromDisabledTlsAlgs(protocol[0]); + } (new HandshakeHashCloneExhaustion()).run(); } diff --git a/test/sun/security/ssl/SSLContextImpl/IllegalProtocolProperty.java b/test/sun/security/ssl/SSLContextImpl/IllegalProtocolProperty.java --- a/test/sun/security/ssl/SSLContextImpl/IllegalProtocolProperty.java +++ b/test/sun/security/ssl/SSLContextImpl/IllegalProtocolProperty.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2013, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
@@ -28,6 +28,7 @@ * @test * @bug 7093640 * @summary Enable TLS 1.1 and TLS 1.2 by default in client side of SunJSSE + * @library /lib/security * @run main/othervm -Djdk.tls.client.protocols="XSLv3,TLSv1" * IllegalProtocolProperty */ @@ -60,6 +61,9 @@ } public static void main(String[] args) throws Exception { + // Re-enable TLSv1 and TLSv1.1 since test depends on them. + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1"); + for (ContextVersion cv : ContextVersion.values()) { System.out.println("Checking SSLContext of " + cv.contextVersion); diff --git a/test/sun/security/ssl/SSLContextImpl/SSLContextDefault.java b/test/sun/security/ssl/SSLContextImpl/SSLContextDefault.java new file mode 100644 --- /dev/null +++ b/test/sun/security/ssl/SSLContextImpl/SSLContextDefault.java 
@@ -0,0 +1,144 @@ +/* + * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// +// SunJSSE does not support dynamic system properties, no way to re-use +// system properties in samevm/agentvm mode. +// + +/* + * @test + * @bug 8202343 + * @summary Check that SSLv3, TLSv1 and TLSv1.1 are disabled by default + * @run main/othervm SSLContextDefault + */ + +import java.util.Arrays; +import java.util.Collections; +import java.util.List; +import javax.net.ssl.*; + +public class SSLContextDefault { + + private final static String[] protocols = { + "", "SSL", "TLS", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" + }; + + private final static List disabledProtocols = + Collections.unmodifiableList( + Arrays.asList("SSLv3", "TLSv1", "TLSv1.1")); + + public static void main(String[] args) throws Exception { + for (String protocol : protocols) { + System.out.println("//"); + System.out.println("// " + "Testing for SSLContext of " + + (protocol.isEmpty() ? 
"" : protocol)); + System.out.println("//"); + checkForProtocols(protocol); + System.out.println(); + } + } + + public static void checkForProtocols(String protocol) throws Exception { + SSLContext context; + if (protocol.isEmpty()) { + context = SSLContext.getDefault(); + } else { + context = SSLContext.getInstance(protocol); + context.init(null, null, null); + } + + // check for the presence of supported protocols of SSLContext + SSLParameters parameters = context.getSupportedSSLParameters(); + checkProtocols(parameters.getProtocols(), + "Supported protocols in SSLContext", false); + + + // check for the presence of default protocols of SSLContext + parameters = context.getDefaultSSLParameters(); + checkProtocols(parameters.getProtocols(), + "Enabled protocols in SSLContext", true); + + // check for the presence of supported protocols of SSLEngine + SSLEngine engine = context.createSSLEngine(); + checkProtocols(engine.getSupportedProtocols(), + "Supported protocols in SSLEngine", false); + + // Check for the presence of default protocols of SSLEngine + checkProtocols(engine.getEnabledProtocols(), + "Enabled protocols in SSLEngine", true); + + SSLSocketFactory factory = context.getSocketFactory(); + try (SSLSocket socket = (SSLSocket)factory.createSocket()) { + // check for the presence of supported protocols of SSLSocket + checkProtocols(socket.getSupportedProtocols(), + "Supported cipher suites in SSLSocket", false); + + // Check for the presence of default protocols of SSLSocket + checkProtocols(socket.getEnabledProtocols(), + "Enabled protocols in SSLSocket", true); + } + + SSLServerSocketFactory serverFactory = context.getServerSocketFactory(); + try (SSLServerSocket serverSocket = + (SSLServerSocket)serverFactory.createServerSocket()) { + // check for the presence of supported protocols of SSLServerSocket + checkProtocols(serverSocket.getSupportedProtocols(), + "Supported cipher suites in SSLServerSocket", false); + + // Check for the presence of default 
protocols of SSLServerSocket + checkProtocols(serverSocket.getEnabledProtocols(), + "Enabled protocols in SSLServerSocket", true); + } + } + + private static void checkProtocols(String[] protocols, + String title, boolean disabled) throws Exception { + showProtocols(protocols, title); + + if (disabled) { + for (String protocol : protocols ) { + if (disabledProtocols.contains(protocol)) { + throw new Exception(protocol + + " should not be enabled by default"); + } + } + } else { + List protocolsList = Collections.unmodifiableList( + Arrays.asList(protocols)); + for (String disabledProtocol : disabledProtocols) { + if (!protocolsList.contains(disabledProtocol)) { + throw new Exception(disabledProtocol + + " should be supported by default"); + } + } + } + } + + private static void showProtocols(String[] protocols, String title) { + System.out.println(title + "[" + protocols.length + "]:"); + for (String protocol : protocols) { + System.out.println(" " + protocol); + } + } +} diff --git a/test/sun/security/ssl/SSLContextImpl/SSLContextVersion.java b/test/sun/security/ssl/SSLContextImpl/SSLContextVersion.java --- a/test/sun/security/ssl/SSLContextImpl/SSLContextVersion.java +++ b/test/sun/security/ssl/SSLContextImpl/SSLContextVersion.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2011, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,6 +29,7 @@ * @bug 6976117 * @summary SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets * without TLSv1.1 enabled + * @library /lib/security * @run main/othervm SSLContextVersion */ 
@@ -57,6 +58,9 @@ } public static void main(String[] args) throws Exception { + // Re-enable TLSv1 and TLSv1.1 since test depends on them. + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1"); + for (ContextVersion cv : ContextVersion.values()) { System.out.println("Checking SSLContext of " + cv.contextVersion); SSLContext context = SSLContext.getInstance(cv.contextVersion); diff --git a/test/sun/security/ssl/SSLEngineImpl/EmptyExtensionData.java b/test/sun/security/ssl/SSLEngineImpl/EmptyExtensionData.java --- a/test/sun/security/ssl/SSLEngineImpl/EmptyExtensionData.java +++ b/test/sun/security/ssl/SSLEngineImpl/EmptyExtensionData.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2008, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -30,6 +30,7 @@ * @test * @bug 6728126 * @summary Parsing Extensions in Client Hello message is done in a wrong way + * @library /lib/security * @run main/othervm EmptyExtensionData */ @@ -154,6 +155,8 @@ } public static void main(String args[]) throws Exception { + // Re-enable TLSv1 since test depends on it. + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1"); SSLEngine ssle = createSSLEngine(keyFilename, trustFilename); runTest(ssle); diff --git a/test/sun/security/ssl/SSLEngineImpl/SSLEngineBadBufferArrayAccess.java b/test/sun/security/ssl/SSLEngineImpl/SSLEngineBadBufferArrayAccess.java --- a/test/sun/security/ssl/SSLEngineImpl/SSLEngineBadBufferArrayAccess.java +++ b/test/sun/security/ssl/SSLEngineImpl/SSLEngineBadBufferArrayAccess.java 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2011, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -30,6 +30,7 @@ * @test * @bug 7031830 * @summary bad_record_mac failure on TLSv1.2 enabled connection with SSLEngine + * @library /lib/security * @run main/othervm SSLEngineBadBufferArrayAccess */ @@ -158,6 +159,9 @@ System.setProperty("javax.net.debug", "all"); } + // Re-enable TLSv1 and TLSv1.1 since test depends on them. + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1"); + String [] protocols = new String [] { "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" };
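Review bot: in the five `java.security-*` hunks (aix, linux, macosx, solaris, windows) the new `TLSv1, TLSv1.1` tokens are identical and the re-wrapped continuation lines keep `include jdk.disabled.namedCurves` as the final entry, so the platform copies stay in sync; the `# Example:` comment directly above still shows `MD5, SSLv3, DSA, RSA keySize < 2048`, and a one-line note there that a protocol token such as `TLSv1` is matched as a complete protocol name (it does not also cover `TLSv1.1` or `TLSv1.2`) would help operators who edit this property, since these files are the only place the new default is documented in this change.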
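Review bot: in the `Arrays.java` hunk at `@@ -182,6 +183,14 @@`, the comment `If context version is SSLv3, TLSv1 needs to be re-enabled` states the rule but not the reason; say explicitly that SSLv3 itself stays disabled and that an `SSLContext` created for `SSLv3` handshakes with TLSv1 once SSLv3 is excluded, otherwise the next reader will take `SecurityUtils.removeFromDisabledTlsAlgs("TLSv1")` inside the SSLv3 branch for a copy-paste error. The `SSL` and `TLS` runs from the `@run` list fall through both branches and keep the new TLSv1.2 default, which looks intended and belongs in the same comment.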
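Review bot: in `TLSClientPropertyTest.java` at `@@ -82,26 +82,24 @@`, the `TLSv1` and `TLSv11` cases now expect an empty array, `expectedDefaultProtos = new String[] { };`; an empty enabled-protocol list is a surprising expectation and deserves a comment that a context whose only protocol is listed in `jdk.tls.disabledAlgorithms` has nothing enabled by default, and that this is precisely what the test verifies, so a later reader does not "fix" it back to `{ "TLSv1" }`. Adding `8202343` to the `@bug` tag in the preceding hunk is right, because this hunk is where the new default is encoded.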
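Review bot: in `SecurityUtils.java` at `@@ -52,5 +57,25 @@`, `removeFromDisabledAlgs` calls `value.split(",")` on the result of `Security.getProperty(prop)` without a null check; `getProperty` returns null when the property is not set, and the helper would then fail with a `NullPointerException` instead of a readable message, so guard it (`if (value == null) return;`, or throw an exception naming the property). Two smaller points: the filter `!algs.contains(s)` is case-sensitive whereas JSSE matches these tokens case-insensitively, so the javadoc should say callers must pass the canonical spelling (`TLSv1`, `TLSv1.1`); and because `Security.setProperty` changes process-wide state, the javadoc should state that callers must run under `main/othervm`, which every test touched here does. The header change from `Copyright (c) 2019` to `Copyright (c) 2018, 2020` moves the first year backwards; keep 2019 unless the file really originates in 2018.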
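Review bot: in `DebugReportsOneExtraByte.java` at `@@ -130,14 +125,21 @@`, the parent branch checks only `output.shouldContain("WRITE: TLS10 application_data, length = 8")`; add `output.shouldHaveExitValue(0)` beside it, otherwise a child JVM that logs the expected line and then fails (for instance because the handshake breaks after the record is written) still passes. The parent/child split on `args.length == 0` with the literal `"p"` argument also deserves a one-line comment, since `"p"` is only a marker and is never read. Replacing the old `debug` flag with `-Djavax.net.debug=all` on the child command line is fine, as the debug output is the thing under test.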
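Review bot: deleting `DebugReportsOneExtraByte.sh` in favour of the `ProcessTools`-driven Java entry point removes the per-platform `case` on `uname -s` and the `grep` pipeline; as rendered, the deleted script also carried a second `else … echo "Received the expected debug output." … fi` after the closing `fi`, text that was unreachable after the `exit` in either branch, so nothing of value is lost. Confirm that the new `@run main DebugReportsOneExtraByte` line is now the only way this test is launched, since the converted test depends on `@library /lib /lib/security` for `jdk.test.lib.process`.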
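Review bot: in the new `SSLContextDefault.java`, the two socket checks label protocol lists as cipher suites: `"Supported cipher suites in SSLSocket"` and `"Supported cipher suites in SSLServerSocket"` should read `Supported protocols in ...` to match the other titles and the data passed to `checkProtocols`. The boolean parameter `disabled` is misleading, because `disabled == true` selects the branch that inspects the enabled list; naming it `enabledList` (or splitting into two methods) makes the intent obvious. Minor: the `String[] protocols` parameter of `checkProtocols` and `showProtocols` shadows the static `protocols` array at the top of the class; renaming it avoids confusion in a file where both lists appear.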
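Review bot: in `TLSCipherSuitesOrder.java` at `@@ -67,6 +68,10 @@`, the block `if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) { SecurityUtils.removeFromDisabledTlsAlgs(protocol); }` is the same four lines added to `SystemPropCipherSuitesOrder.java` (there placed after `this.protocol = protocol;`, here before it); fold the guard into a `SecurityUtils` helper (a name such as `reenableIfLegacyTls(String)` is only a suggestion) so the set of versions a test may re-enable lives in one place and cannot silently grow to include `SSLv3`. Placing the call before or after the field assignment makes no functional difference, but the two tests should agree.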
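Review bot: in `HandshakeHashCloneExhaustion.java` at `@@ -79,6 +80,10 @@`, only `TLSv1.1` is re-enabled (`if (protocol[0].equals("TLSv1.1"))`) although the `@run` line sets `-Djdk.tls.client.protocols="TLSv1.3,TLSv1.2,TLSv1.1,TLSv1,SSLv3"`; if any `@run` invocation passes `TLSv1` as `args[0]` it now fails for the wrong reason, so use the `TLSv1 || TLSv1.1` form the ciphersuite-order tests use, and reword the comment to `if the test depends on it` rather than `when`. The separate `@library /lib/security` tag next to the existing `@library /javax/net/ssl/templates` works, though the other files in this change append the path to a single tag.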