--- old/src/share/lib/security/java.security-aix 2015-04-15 10:00:47.949470157 +0300
+++ new/src/share/lib/security/java.security-aix 2015-04-15 10:00:47.001470168 +0300
@@ -500,4 +500,4 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3
+jdk.tls.disabledAlgorithms=SSLv3, RC4
--- old/src/share/lib/security/java.security-linux 2015-04-15 10:00:49.633470138 +0300
+++ new/src/share/lib/security/java.security-linux 2015-04-15 10:00:49.393470141 +0300
@@ -500,4 +500,4 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3
+jdk.tls.disabledAlgorithms=SSLv3, RC4
--- old/src/share/lib/security/java.security-macosx 2015-04-15 10:00:50.421470129 +0300
+++ new/src/share/lib/security/java.security-macosx 2015-04-15 10:00:50.193470132 +0300
@@ -503,4 +503,4 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3
+jdk.tls.disabledAlgorithms=SSLv3, RC4
--- old/src/share/lib/security/java.security-solaris 2015-04-15 10:00:51.205470120 +0300
+++ new/src/share/lib/security/java.security-solaris 2015-04-15 10:00:50.957470123 +0300
@@ -502,4 +502,4 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3
+jdk.tls.disabledAlgorithms=SSLv3, RC4
--- old/src/share/lib/security/java.security-windows 2015-04-15 10:00:51.913470112 +0300
+++ new/src/share/lib/security/java.security-windows 2015-04-15 10:00:51.677470115 +0300
@@ -503,4 +503,4 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3
+jdk.tls.disabledAlgorithms=SSLv3, RC4
--- old/test/sun/security/krb5/auto/SSL.java 2015-04-15 10:00:52.705470103 +0300
+++ new/test/sun/security/krb5/auto/SSL.java 2015-04-15 10:00:52.453470106 +0300
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -39,11 +39,10 @@ * @run main/othervm SSL TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 */ import java.io.*; -import java.net.InetAddress; -import java.security.AccessControlException; import java.security.Permission; import javax.net.ssl.*; import java.security.Principal; +import java.security.Security; import java.util.Date; import java.util.List; import java.util.ArrayList; @@ -82,6 +81,9 @@ } public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); krb5Cipher = args[0]; --- old/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java 2015-04-15 10:00:53.421470095 +0300 +++ new/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java 2015-04-15 10:00:53.225470098 +0300 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -34,7 +34,7 @@ */ import java.io.*; -import java.net.*; +import java.security.Security; import javax.net.ssl.*; public class CipherSuiteOrder { 
@@ -196,6 +196,10 @@ volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + keyStoreFile; --- old/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java 2015-04-15 10:00:54.081470088 +0300 +++ new/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java 2015-04-15 10:00:53.877470090 +0300 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -102,10 +102,10 @@ import java.nio.*; import java.security.KeyStore; import java.security.KeyFactory; +import java.security.Security; import java.security.cert.Certificate; import java.security.cert.CertificateFactory; import java.security.spec.PKCS8EncodedKeySpec; -import java.security.spec.*; import java.security.interfaces.*; import java.util.Base64; @@ -377,6 +377,10 @@ } public static void main(String args[]) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (args.length != 4) { System.out.println( "Usage: java DHEKeySizing cipher-suite " + --- old/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java 2015-04-15 10:00:54.837470079 +0300 +++ new/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java 2015-04-15 10:00:54.609470082 +0300 
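Review bot: `Security.setProperty("jdk.tls.disabledAlgorithms", "")` at the top of CipherSuiteOrder.main clears JVM-wide state (it re-enables SSLv3 as well as RC4, since the default value is now `SSLv3, RC4`), which is only safe when the test runs under `@run main/othervm`; that tag is outside this hunk, and likewise for DHEKeySizing on this line, CheckStatus and ConnectionTest on L4, LargeBufs and UseCipherSuitesOrder on L5, and GenericStreamCipher on L6. The ConnectionTest hunk on L4 adds `@run main/othervm ConnectionTest` explicitly, which suggests the other files are presumed to have it already; please confirm each does, so the reset cannot leak into tests sharing an agent VM. The three-line comment could say this instead of restating the call, e.g. `// clear jdk.tls.disabledAlgorithms (also re-enables SSLv3) so the suites under test are usable; requires othervm`. The enclosing main methods continue past the hunks.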
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -622,6 +622,9 @@ } public static void main(String args[]) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); CheckStatus cs; --- old/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java 2015-04-15 10:00:55.545470072 +0300 +++ new/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java 2015-04-15 10:00:55.305470074 +0300 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,6 +33,8 @@ * The code could certainly be tightened up a lot. * * @author Brad Wetmore + * + * @run main/othervm ConnectionTest */ import javax.net.ssl.*; @@ -669,6 +671,10 @@ } public static void main(String args[]) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + ConnectionTest ct = new ConnectionTest(); ct.test(); } --- old/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java 2015-04-15 10:00:56.337470063 +0300 +++ new/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java 2015-04-15 10:00:56.065470066 +0300 
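Review bot: The CheckStatus hunk `@@ -622,6 +622,9 @@` adds a call to `Security.setProperty(...)` but, unlike SSL.java, CipherSuiteOrder, DHEKeySizing, UseCipherSuitesOrder and GenericStreamCipher, this file gets no hunk adding `import java.security.Security;`; the same holds for LargeBufs on L5. Presumably both files already import `java.security.*` or `Security` in a region outside the diff — worth confirming, since an unresolved `Security` would fail compilation of the test rather than run it. The main methods of both files continue beyond their hunks.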
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -179,6 +179,9 @@ } public static void main(String args[]) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); LargeBufs test; --- old/test/sun/security/ssl/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java 2015-04-15 10:00:57.069470054 +0300 +++ new/test/sun/security/ssl/javax/net/ssl/SSLParameters/UseCipherSuitesOrder.java 2015-04-15 10:00:56.837470057 +0300 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -35,7 +35,7 @@ */ import java.io.*; -import java.net.*; +import java.security.Security; import javax.net.ssl.*; import java.util.Arrays; @@ -195,6 +195,10 @@ volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + // parse the arguments parseArguments(args); --- old/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java 2015-04-15 10:00:57.905470045 +0300 +++ new/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java 2015-04-15 10:00:57.641470048 +0300 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -36,7 +36,7 @@ */ import java.io.*; -import java.net.*; +import java.security.Security; import javax.net.ssl.*; public class GenericStreamCipher { @@ -160,6 +160,10 @@ volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + "/" + keyStoreFile; --- /dev/null 2015-04-13 11:46:40.151340892 +0300 +++ new/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java 2015-04-15 10:00:58.345470040 +0300 
@@ -0,0 +1,362 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.NoSuchAlgorithmException;
+import java.security.Security;
+import java.util.concurrent.TimeUnit;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
+/**
+ * @test
+ * @bug 8076221
+ * @summary Check if weak cipher suites are disabled
+ * @run main/othervm DisabledAlgorithms default
+ * @run main/othervm DisabledAlgorithms empty
+ */
+public class DisabledAlgorithms {
+
+    private static final String pathToStores =
+            "../../../../sun/security/ssl/etc";
+    private static final String keyStoreFile = "keystore";
+    private static final String trustStoreFile = "truststore";
+    private static final String passwd = "passphrase";
+
+    private static final String keyFilename =
+            System.getProperty("test.src", "./") + "/" + pathToStores
+                + "/" + keyStoreFile;
+
+    private static final String trustFilename =
+            System.getProperty("test.src", "./") + "/" + pathToStores
+                + "/" + trustStoreFile;
+
+    // supported RC4 cipher suites
+    // it does not contain KRB5 cipher suites because they need a KDC
+    private static final String[] rc4_ciphersuites = new String[] {
+        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+        "SSL_RSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+        "SSL_RSA_WITH_RC4_128_MD5",
+        "TLS_ECDH_anon_WITH_RC4_128_SHA",
+        "SSL_DH_anon_WITH_RC4_128_MD5"
+    };
+
+    public static void main(String[] args) throws Exception {
+        if (args.length < 1) {
+            throw new RuntimeException("No parameters specified");
+        }
+
+        System.setProperty("javax.net.ssl.keyStore", keyFilename);
+        System.setProperty("javax.net.ssl.keyStorePassword", passwd);
+        System.setProperty("javax.net.ssl.trustStore", trustFilename);
+        System.setProperty("javax.net.ssl.trustStorePassword", passwd);
+
+        switch (args[0]) {
+            case "default":
+                // use default jdk.tls.disabledAlgorithms
+                System.out.println("jdk.tls.disabledAlgorithms = "
+                        + Security.getProperty("jdk.tls.disabledAlgorithms"));
+
+                // check if RC4 cipher suites can't be used by default
+                checkFailure(rc4_ciphersuites);
+                break;
+            case "empty":
+                // reset jdk.tls.disabledAlgorithms
+                Security.setProperty("jdk.tls.disabledAlgorithms", "");
+                System.out.println("jdk.tls.disabledAlgorithms = "
+                        + Security.getProperty("jdk.tls.disabledAlgorithms"));
+
+                // check if RC4 cipher suites can be used
+                // if jdk.tls.disabledAlgorithms is empty
+                checkSuccess(rc4_ciphersuites);
+                break;
+            default:
+                throw new RuntimeException("Wrong parameter: " + args[0]);
+        }
+    }
+
+    /*
+     * Checks if that specified cipher suites cannot be used.
+     */
+    private static void checkFailure(String[] ciphersuites) throws Exception {
+        try (SSLServer server = SSLServer.init(ciphersuites)) {
+            startNewThread(server);
+            while (!server.isRunning()) {
+                sleep();
+            }
+
+            int port = server.getPort();
+            for (String ciphersuite : ciphersuites) {
+                try (SSLClient client = SSLClient.init(port, ciphersuite)) {
+                    client.connect();
+                    throw new RuntimeException("Expected SSLHandshakeException "
+                            + "not thrown");
+                } catch (SSLHandshakeException e) {
+                    System.out.println("Expected exception on client side: "
+                            + e);
+                }
+            }
+
+            server.stop();
+            while (server.isRunning()) {
+                sleep();
+            }
+
+            if (!server.sslError()) {
+                throw new RuntimeException("Expected SSL exception "
+                        + "not thrown on server side");
+            }
+        }
+
+    }
+
+    /*
+     * Checks if specified cipher suites can be used.
+     */
+    private static void checkSuccess(String[] ciphersuites) throws Exception {
+        try (SSLServer server = SSLServer.init(ciphersuites)) {
+            startNewThread(server);
+            while (!server.isRunning()) {
+                sleep();
+            }
+
+            int port = server.getPort();
+            for (String ciphersuite : ciphersuites) {
+                try (SSLClient client = SSLClient.init(port, ciphersuite)) {
+                    client.connect();
+                    String negotiated = client.getNegotiatedCipherSuite();
+                    System.out.println("Negotiated cipher suite: "
+                            + negotiated);
+                    if (!negotiated.equals(ciphersuite)) {
+                        throw new RuntimeException("Unexpected cipher suite: "
+                                + negotiated);
+                    }
+                }
+            }
+
+            server.stop();
+            while (server.isRunning()) {
+                sleep();
+            }
+
+            if (server.error()) {
+                throw new RuntimeException("Unexpected error on server side");
+            }
+        }
+
+    }
+
+    private static Thread startNewThread(SSLServer server) {
+        Thread serverThread = new Thread(server, "SSL server thread");
+        serverThread.setDaemon(true);
+        serverThread.start();
+        return serverThread;
+    }
+
+    private static void sleep() {
+        try {
+            TimeUnit.MILLISECONDS.sleep(50);
+        } catch (InterruptedException e) {
+            // do nothing
+        }
+    }
+
+    static class SSLServer implements Runnable, AutoCloseable {
+
+        private final SSLServerSocket ssocket;
+        private volatile boolean stopped = false;
+        private volatile boolean running = false;
+        private volatile boolean sslError = false;
+        private volatile boolean otherError = false;
+
+        private SSLServer(SSLServerSocket ssocket) {
+            this.ssocket = ssocket;
+        }
+
+        @Override
+        public void run() {
+            System.out.println("Server: started");
+            running = true;
+            while (!stopped) {
+                try (SSLSocket socket = (SSLSocket) ssocket.accept()) {
+                    System.out.println("Server: accepted client connection");
+                    InputStream in = socket.getInputStream();
+                    OutputStream out = socket.getOutputStream();
+                    int b = in.read();
+                    if (b < 0) {
+                        throw new IOException("Unexpected EOF");
+                    }
+                    System.out.println("Server: send data: " + b);
+                    out.write(b);
+                    out.flush();
+                    socket.getSession().invalidate();
+                } catch (SSLHandshakeException e) {
+                    System.out.println("Server: run: " + e);
+                    sslError = true;
+                } catch (IOException e) {
+                    if (!stopped) {
+                        System.out.println("Server: run: " + e);
+                        e.printStackTrace();
+                        otherError = true;
+                    }
+                }
+            }
+
+            System.out.println("Server: finished");
+            running = false;
+        }
+
+        int getPort() {
+            return ssocket.getLocalPort();
+        }
+
+        String[] getEnabledCiperSuites() {
+            return ssocket.getEnabledCipherSuites();
+        }
+
+        boolean isRunning() {
+            return running;
+        }
+
+        boolean sslError() {
+            return sslError;
+        }
+
+        boolean error() {
+            return sslError || otherError;
+        }
+
+        void stop() {
+            stopped = true;
+            if (!ssocket.isClosed()) {
+                try {
+                    ssocket.close();
+                } catch (IOException e) {
+                    System.out.println("Server: close: " + e);
+                }
+            }
+        }
+
+        @Override
+        public void close() {
+            stop();
+        }
+
+        static SSLServer init(String[] ciphersuites)
+                throws IOException {
+            SSLServerSocketFactory ssf = (SSLServerSocketFactory)
+                    SSLServerSocketFactory.getDefault();
+            SSLServerSocket ssocket = (SSLServerSocket)
+                    ssf.createServerSocket(0);
+
+            if (ciphersuites != null) {
+                System.out.println("Server: enable cipher suites: "
+                        + java.util.Arrays.toString(ciphersuites));
+                ssocket.setEnabledCipherSuites(ciphersuites);
+            }
+
+            return new SSLServer(ssocket);
+        }
+    }
+
+    static class SSLClient implements AutoCloseable {
+
+        private final SSLSocket socket;
+
+        private SSLClient(SSLSocket socket) {
+            this.socket = socket;
+        }
+
+        void connect() throws IOException {
+            System.out.println("Client: connect to server");
+            try (
+                    BufferedInputStream bis = new BufferedInputStream(
+                            socket.getInputStream());
+                    BufferedOutputStream bos = new BufferedOutputStream(
+                            socket.getOutputStream())) {
+                bos.write('x');
+                bos.flush();
+
+                int read = bis.read();
+                if (read < 0) {
+                    throw new IOException("Client: couldn't read a response");
+                }
+                socket.getSession().invalidate();
+            }
+        }
+
+        String[] getEnabledCiperSuites() {
+            return socket.getEnabledCipherSuites();
+        }
+
+        String getNegotiatedCipherSuite() {
+            return socket.getSession().getCipherSuite();
+        }
+
+        @Override
+        public void close() throws Exception {
+            if (!socket.isClosed()) {
+                try {
+                    socket.close();
+                } catch (IOException e) {
+                    System.out.println("Client: close: " + e);
+                }
+            }
+        }
+
+        static SSLClient init(int port)
+                throws NoSuchAlgorithmException, IOException {
+            return init(port, null);
+        }
+
+        static SSLClient init(int port, String ciphersuite)
+                throws NoSuchAlgorithmException, IOException {
+            SSLContext context = SSLContext.getDefault();
+            SSLSocketFactory ssf = (SSLSocketFactory)
+                    context.getSocketFactory();
+            SSLSocket socket = (SSLSocket) ssf.createSocket("localhost", port);
+
+            if (ciphersuite != null) {
+                System.out.println("Client: enable cipher suite: "
+                        + ciphersuite);
+                socket.setEnabledCipherSuites(new String[] { ciphersuite });
+            }
+
+            return new SSLClient(socket);
+        }
+
+    }
+
+
+}
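Review bot: `sleep()` in the new DisabledAlgorithms test swallows InterruptedException with `// do nothing`, so an interrupted test thread keeps spinning in the `while (!server.isRunning())` and `while (server.isRunning())` loops of checkFailure and checkSuccess, and those loops have no upper bound, so a server thread that never flips `running` turns a test failure into a hang. Re-assert the interrupt, `} catch (InterruptedException e) { Thread.currentThread().interrupt(); }`, and consider giving the two wait loops a deadline that throws RuntimeException instead of looping forever. Also, `getEnabledCiperSuites` (misspelled, defined in both SSLServer and SSLClient) has no caller in the file, and `SSLClient.close()` is declared `throws Exception` although its body catches the only IOException it can raise, which needlessly widens the try-with-resources in checkFailure to `throws Exception`; `close()` without a throws clause, as SSLServer already does, would be consistent.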