1 /* 2 * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24 /* 25 * @test 26 * @bug 4750141 4895631 8217579 27 * @summary Check enabled and supported ciphersuites are correct 28 * @run main CheckCipherSuites default 29 * @run main/othervm CheckCipherSuites limited 30 */ 31 32 import java.util.*; 33 import java.security.Security; 34 import javax.net.ssl.*; 35 36 public class CheckCipherSuites { 37 38 // List of enabled cipher suites when the "crypto.policy" security 39 // property is set to "unlimited" (the default value). 40 private final static String[] ENABLED_DEFAULT = { 41 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 42 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 43 "TLS_RSA_WITH_AES_256_CBC_SHA256", 44 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", 45 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", 46 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", 47 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", 48 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 49 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 50 "TLS_RSA_WITH_AES_256_CBC_SHA", 51 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", 52 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", 53 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 54 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", 55 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 56 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 57 "TLS_RSA_WITH_AES_128_CBC_SHA256", 58 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", 59 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", 60 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", 61 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", 62 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 63 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 64 "TLS_RSA_WITH_AES_128_CBC_SHA", 65 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", 66 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", 67 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 68 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 69 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 70 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 71 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 72 "TLS_RSA_WITH_AES_256_GCM_SHA384", 73 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", 74 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", 75 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", 76 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", 77 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 78 "TLS_RSA_WITH_AES_128_GCM_SHA256", 79 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", 80 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", 81 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 82 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", 83 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" 84 }; 85 86 // List of enabled cipher suites when the "crypto.policy" security 87 // property is set to "limited". 88 private final static String[] ENABLED_LIMITED = { 89 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 90 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 91 "TLS_RSA_WITH_AES_128_CBC_SHA256", 92 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", 93 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", 94 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", 95 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", 96 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 97 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 98 "TLS_RSA_WITH_AES_128_CBC_SHA", 99 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", 100 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", 101 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 102 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 103 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 104 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 105 "TLS_RSA_WITH_AES_128_GCM_SHA256", 106 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", 107 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", 108 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 109 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", 110 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" 111 }; 112 113 // List of supported cipher suites when the "crypto.policy" security 114 // property is set to "unlimited" (the default value). 115 private final static String[] SUPPORTED_DEFAULT = { 116 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 117 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 118 "TLS_RSA_WITH_AES_256_CBC_SHA256", 119 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", 120 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", 121 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", 122 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", 123 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 124 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 125 "TLS_RSA_WITH_AES_256_CBC_SHA", 126 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", 127 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", 128 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 129 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", 130 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 131 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 132 "TLS_RSA_WITH_AES_128_CBC_SHA256", 133 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", 134 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", 135 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", 136 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", 137 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 138 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 139 "TLS_RSA_WITH_AES_128_CBC_SHA", 140 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", 141 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", 142 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 143 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 144 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 145 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 146 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 147 "TLS_RSA_WITH_AES_256_GCM_SHA384", 148 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", 149 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", 150 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", 151 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", 152 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 153 "TLS_RSA_WITH_AES_128_GCM_SHA256", 154 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", 155 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", 156 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 157 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", 158 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" 159 }; 160 161 // List of supported cipher suites when the "crypto.policy" security 162 // property is set to "limited". 163 private final static String[] SUPPORTED_LIMITED = { 164 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 165 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 166 "TLS_RSA_WITH_AES_128_CBC_SHA256", 167 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", 168 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", 169 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", 170 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", 171 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 172 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 173 "TLS_RSA_WITH_AES_128_CBC_SHA", 174 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", 175 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", 176 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 177 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 178 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 179 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 180 "TLS_RSA_WITH_AES_128_GCM_SHA256", 181 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", 182 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", 183 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 184 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", 185 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" 186 }; 187 188 private static void showSuites(String[] suites) { 189 if ((suites == null) || (suites.length == 0)) { 190 System.out.println("<none>"); 191 } 192 for (int i = 0; i < suites.length; i++) { 193 System.out.println(" " + suites[i]); 194 } 195 } 196 197 public static void main(String[] args) throws Exception { 198 long start = System.currentTimeMillis(); 199 200 if (args.length != 1) { 201 throw new Exception("One arg required"); 202 } 203 204 String[] ENABLED; 205 String[] SUPPORTED; 206 if (args[0].equals("default")) { 207 ENABLED = ENABLED_DEFAULT; 208 SUPPORTED = SUPPORTED_DEFAULT; 209 } else if (args[0].equals("limited")) { 210 Security.setProperty("crypto.policy", "limited"); 211 ENABLED = ENABLED_LIMITED; 212 SUPPORTED = SUPPORTED_LIMITED; 213 } else { 214 throw new Exception("Illegal argument"); 215 } 216 217 SSLSocketFactory factory = (SSLSocketFactory)SSLSocketFactory.getDefault(); 218 SSLSocket socket = (SSLSocket)factory.createSocket(); 219 String[] enabled = socket.getEnabledCipherSuites(); 220 221 System.out.println("Default enabled ciphersuites:"); 222 showSuites(enabled); 223 224 if (Arrays.equals(ENABLED, enabled) == false) { 225 System.out.println("*** MISMATCH, should be ***"); 226 showSuites(ENABLED); 227 throw new Exception("Enabled ciphersuite mismatch"); 228 } 229 System.out.println("OK"); 230 System.out.println(); 231 232 String[] supported = socket.getSupportedCipherSuites(); 233 System.out.println("Supported ciphersuites:"); 234 showSuites(supported); 235 236 if (Arrays.equals(SUPPORTED, supported) == false) { 237 System.out.println("*** MISMATCH, should be ***"); 238 showSuites(SUPPORTED); 239 throw new Exception("Supported ciphersuite mismatch"); 240 } 241 System.out.println("OK"); 242 243 long end = System.currentTimeMillis(); 244 System.out.println("Done (" + (end - start) + " ms)."); 245 } 246 247 }