1 /*
2 * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 /*
25 * @test
26 * @bug 4750141 4895631 8217579
27 * @summary Check enabled and supported ciphersuites are correct
28 * @run main CheckCipherSuites default
29 * @run main/othervm CheckCipherSuites limited
30 */
31
32 import java.util.*;
33 import java.security.Security;
34 import javax.net.ssl.*;
35
36 public class CheckCipherSuites {
37
38 // List of enabled cipher suites when the "crypto.policy" security
39 // property is set to "unlimited" (the default value).
40 private final static String[] ENABLED_DEFAULT = {
41 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
42 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
43 "TLS_RSA_WITH_AES_256_CBC_SHA256",
44 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
45 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
46 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
47 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
48 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
49 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
50 "TLS_RSA_WITH_AES_256_CBC_SHA",
51 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
52 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
53 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
54 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
55 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
56 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
57 "TLS_RSA_WITH_AES_128_CBC_SHA256",
58 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
59 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
60 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
61 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
62 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
63 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
64 "TLS_RSA_WITH_AES_128_CBC_SHA",
65 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
66 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
67 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
68 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
69 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
70 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
71 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
72 "TLS_RSA_WITH_AES_256_GCM_SHA384",
73 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
74 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
75 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
76 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
77 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
78 "TLS_RSA_WITH_AES_128_GCM_SHA256",
79 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
80 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
81 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
82 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
83 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
84 };
85
86 // List of enabled cipher suites when the "crypto.policy" security
87 // property is set to "limited".
88 private final static String[] ENABLED_LIMITED = {
89 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
90 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
91 "TLS_RSA_WITH_AES_128_CBC_SHA256",
92 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
93 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
94 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
95 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
96 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
97 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
98 "TLS_RSA_WITH_AES_128_CBC_SHA",
99 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
100 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
101 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
102 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
103 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
104 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
105 "TLS_RSA_WITH_AES_128_GCM_SHA256",
106 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
107 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
108 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
109 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
110 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
111 };
112
113 // List of supported cipher suites when the "crypto.policy" security
114 // property is set to "unlimited" (the default value).
115 private final static String[] SUPPORTED_DEFAULT = {
116 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
117 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
118 "TLS_RSA_WITH_AES_256_CBC_SHA256",
119 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
120 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
121 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
122 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
123 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
124 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
125 "TLS_RSA_WITH_AES_256_CBC_SHA",
126 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
127 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
128 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
129 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
130 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
131 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
132 "TLS_RSA_WITH_AES_128_CBC_SHA256",
133 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
134 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
135 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
136 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
137 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
138 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
139 "TLS_RSA_WITH_AES_128_CBC_SHA",
140 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
141 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
142 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
143 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
144 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
145 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
146 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
147 "TLS_RSA_WITH_AES_256_GCM_SHA384",
148 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
149 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
150 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
151 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
152 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
153 "TLS_RSA_WITH_AES_128_GCM_SHA256",
154 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
155 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
156 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
157 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
158 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
159 };
160
161 // List of supported cipher suites when the "crypto.policy" security
162 // property is set to "limited".
163 private final static String[] SUPPORTED_LIMITED = {
164 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
165 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
166 "TLS_RSA_WITH_AES_128_CBC_SHA256",
167 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
168 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
169 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
170 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
171 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
172 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
173 "TLS_RSA_WITH_AES_128_CBC_SHA",
174 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
175 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
176 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
177 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
178 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
179 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
180 "TLS_RSA_WITH_AES_128_GCM_SHA256",
181 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
182 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
183 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
184 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
185 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
186 };
187
188 private static void showSuites(String[] suites) {
189 if ((suites == null) || (suites.length == 0)) {
190 System.out.println("<none>");
191 }
192 for (int i = 0; i < suites.length; i++) {
193 System.out.println(" " + suites[i]);
194 }
195 }
196
197 public static void main(String[] args) throws Exception {
198 long start = System.currentTimeMillis();
199
200 if (args.length != 1) {
201 throw new Exception("One arg required");
202 }
203
204 String[] ENABLED;
205 String[] SUPPORTED;
206 if (args[0].equals("default")) {
207 ENABLED = ENABLED_DEFAULT;
208 SUPPORTED = SUPPORTED_DEFAULT;
209 } else if (args[0].equals("limited")) {
210 Security.setProperty("crypto.policy", "limited");
211 ENABLED = ENABLED_LIMITED;
212 SUPPORTED = SUPPORTED_LIMITED;
213 } else {
214 throw new Exception("Illegal argument");
215 }
216
217 SSLSocketFactory factory = (SSLSocketFactory)SSLSocketFactory.getDefault();
218 SSLSocket socket = (SSLSocket)factory.createSocket();
219 String[] enabled = socket.getEnabledCipherSuites();
220
221 System.out.println("Default enabled ciphersuites:");
222 showSuites(enabled);
223
224 if (Arrays.equals(ENABLED, enabled) == false) {
225 System.out.println("*** MISMATCH, should be ***");
226 showSuites(ENABLED);
227 throw new Exception("Enabled ciphersuite mismatch");
228 }
229 System.out.println("OK");
230 System.out.println();
231
232 String[] supported = socket.getSupportedCipherSuites();
233 System.out.println("Supported ciphersuites:");
234 showSuites(supported);
235
236 if (Arrays.equals(SUPPORTED, supported) == false) {
237 System.out.println("*** MISMATCH, should be ***");
238 showSuites(SUPPORTED);
239 throw new Exception("Supported ciphersuite mismatch");
240 }
241 System.out.println("OK");
242
243 long end = System.currentTimeMillis();
244 System.out.println("Done (" + (end - start) + " ms).");
245 }
246
247 }