From 0d6d2bb1a1a97b385aafda9c8d308154224a44de Mon Sep 17 00:00:00 2001 From: xuelei Date: Fri, 24 Oct 2014 11:49:24 +0000 Subject: [PATCH] 8061210: Issues in TLS Reviewed-by: jnimeh, mullan, wetmore, ahgross, asmotrak --- .../classes/sun/security/ssl/Handshaker.java | 14 +- .../sun/security/ssl/ProtocolVersion.java | 26 +++ .../security/ssl/SSLAlgorithmConstraints.java | 8 + .../sun/security/ssl/SSLContextImpl.java | 201 +++++++++++------- src/share/lib/security/java.security-aix | 11 +- src/share/lib/security/java.security-linux | 11 +- src/share/lib/security/java.security-macosx | 11 +- src/share/lib/security/java.security-solaris | 11 +- src/share/lib/security/java.security-windows | 11 +- test/sun/security/ec/TestEC.java | 4 + .../pkcs11/sslecc/ClientJSSEServerJSSE.java | 4 + .../ssl/ProtocolVersion/HttpsProtocols.java | 5 + .../CustomizedDefaultProtocols.java | 5 + .../DefaultEnabledProtocols.java | 5 + .../SSLContextImpl/NoOldVersionContext.java | 5 + .../DelegatedTaskWrongException.java | 3 + .../net/ssl/NewAPIs/testEnabledProtocols.java | 12 +- .../net/ssl/ServerName/SSLEngineExplorer.java | 5 + .../net/ssl/ServerName/SSLSocketExplorer.java | 5 + .../sanity/interop/ClientJSSEServerJSSE.java | 6 + 20 files changed, 272 insertions(+), 91 deletions(-) diff --git a/src/share/classes/sun/security/ssl/Handshaker.java b/src/share/classes/sun/security/ssl/Handshaker.java index 4d6fc97b5..092c125f8 100644 --- a/src/share/classes/sun/security/ssl/Handshaker.java +++ b/src/share/classes/sun/security/ssl/Handshaker.java @@ -500,7 +500,9 @@ abstract class Handshaker { if (activeProtocols.collection().isEmpty() || activeProtocols.max.v == ProtocolVersion.NONE.v) { - throw new SSLHandshakeException("No appropriate protocol"); + throw new SSLHandshakeException( + "No appropriate protocol (protocol is disabled or " + + "cipher suites are inappropriate)"); } if (activeCipherSuites == null) { @@ -678,6 +680,16 @@ abstract class Handshaker { if (activeProtocols == null) { ArrayList protocols = new ArrayList<>(4); for (ProtocolVersion protocol : enabledProtocols.collection()) { + if (!algorithmConstraints.permits( + EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), + protocol.name, null)) { + if (debug != null && Debug.isOn("verbose")) { + System.out.println( + "Ignoring disabled protocol: " + protocol); + } + + continue; + } boolean found = false; for (CipherSuite suite : enabledCipherSuites.collection()) { if (suite.isAvailable() && suite.obsoleted > protocol.v && diff --git a/src/share/classes/sun/security/ssl/ProtocolVersion.java b/src/share/classes/sun/security/ssl/ProtocolVersion.java index fb476416a..879d0f004 100644 --- a/src/share/classes/sun/security/ssl/ProtocolVersion.java +++ b/src/share/classes/sun/security/ssl/ProtocolVersion.java @@ -25,6 +25,9 @@ package sun.security.ssl; +import java.util.*; +import java.security.CryptoPrimitive; + /** * Type safe enum for an SSL/TLS protocol version. Instances are obtained * using the static factory methods or by referencing the static members @@ -86,6 +89,11 @@ public final class ProtocolVersion implements Comparable { // Default version for hello messages (SSLv2Hello) final static ProtocolVersion DEFAULT_HELLO = FIPS ? TLS10 : SSL30; + // Available protocols + // + // Including all supported protocols except the disabled ones. + final static Set availableProtocols; + // version in 16 bit MSB format as it appears in records and // messages, i.e. 0x0301 for TLS 1.0 public final int v; @@ -96,6 +104,24 @@ public final class ProtocolVersion implements Comparable { // name used in JSSE (e.g. TLSv1 for TLS 1.0) final String name; + // Initialize the available protocols. + static { + Set protocols = new HashSet<>(5); + + ProtocolVersion[] pvs = new ProtocolVersion[] { + SSL20Hello, SSL30, TLS10, TLS11, TLS12}; + for (ProtocolVersion p : pvs) { + if (SSLAlgorithmConstraints.DEFAULT_SSL_ONLY.permits( + EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), + p.name, null)) { + protocols.add(p); + } + } + + availableProtocols = + Collections.unmodifiableSet(protocols); + } + // private private ProtocolVersion(int v, String name) { this.v = v; diff --git a/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java b/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java index d62641bf7..1a8a973e8 100644 --- a/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java +++ b/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java @@ -55,6 +55,14 @@ final class SSLAlgorithmConstraints implements AlgorithmConstraints { private boolean enabledX509DisabledAlgConstraints = true; + // the default algorithm constraints + final static AlgorithmConstraints DEFAULT = + new SSLAlgorithmConstraints(null); + + // the default SSL only algorithm constraints + final static AlgorithmConstraints DEFAULT_SSL_ONLY = + new SSLAlgorithmConstraints((SSLSocket)null, false); + SSLAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) { userAlgConstraints = algorithmConstraints; } diff --git a/src/share/classes/sun/security/ssl/SSLContextImpl.java b/src/share/classes/sun/security/ssl/SSLContextImpl.java index 8f8fb4d44..b00a26d32 100644 --- a/src/share/classes/sun/security/ssl/SSLContextImpl.java +++ b/src/share/classes/sun/security/ssl/SSLContextImpl.java @@ -52,10 +52,6 @@ public abstract class SSLContextImpl extends SSLContextSpi { private X509TrustManager trustManager; private SecureRandom secureRandom; - // The default algrithm constraints - private AlgorithmConstraints defaultAlgorithmConstraints = - new SSLAlgorithmConstraints(null); - // supported and default protocols private ProtocolList defaultServerProtocolList; private ProtocolList defaultClientProtocolList; @@ -350,7 +346,7 @@ public abstract class SSLContextImpl extends SSLContextSpi { if (suite.isAvailable() && suite.obsoleted > protocols.min.v && suite.supported <= protocols.max.v) { - if (defaultAlgorithmConstraints.permits( + if (SSLAlgorithmConstraints.DEFAULT.permits( EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) { suites.add(suite); @@ -431,11 +427,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { */ private abstract static class AbstractSSLContext extends SSLContextImpl { // parameters - private final static SSLParameters defaultServerSSLParams; - private final static SSLParameters supportedSSLParams; + private static final SSLParameters defaultServerSSLParams; + private static final SSLParameters supportedSSLParams; static { + // supported SSL parameters supportedSSLParams = new SSLParameters(); + + // candidates for available protocols + ProtocolVersion[] candidates; + if (SunJSSE.isFIPS()) { supportedSSLParams.setProtocols(new String[] { ProtocolVersion.TLS10.name, @@ -443,7 +444,11 @@ public abstract class SSLContextImpl extends SSLContextSpi { ProtocolVersion.TLS12.name }); - defaultServerSSLParams = supportedSSLParams; + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; } else { supportedSSLParams.setProtocols(new String[] { ProtocolVersion.SSL20Hello.name, @@ -453,8 +458,18 @@ public abstract class SSLContextImpl extends SSLContextSpi { ProtocolVersion.TLS12.name }); - defaultServerSSLParams = supportedSSLParams; + candidates = new ProtocolVersion[] { + ProtocolVersion.SSL20Hello, + ProtocolVersion.SSL30, + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; } + + defaultServerSSLParams = new SSLParameters(); + defaultServerSSLParams.setProtocols( + getAvailableProtocols(candidates).toArray(new String[0])); } @Override @@ -466,6 +481,22 @@ public abstract class SSLContextImpl extends SSLContextSpi { SSLParameters getSupportedSSLParams() { return supportedSSLParams; } + + static List getAvailableProtocols( + ProtocolVersion[] protocolCandidates) { + + List availableProtocols = Collections.emptyList(); + if (protocolCandidates != null && protocolCandidates.length != 0) { + availableProtocols = new ArrayList<>(protocolCandidates.length); + for (ProtocolVersion p : protocolCandidates) { + if (ProtocolVersion.availableProtocols.contains(p)) { + availableProtocols.add(p.name); + } + } + } + + return availableProtocols; + } } /* @@ -474,21 +505,25 @@ public abstract class SSLContextImpl extends SSLContextSpi { * @see SSLContext */ public static final class TLS10Context extends AbstractSSLContext { - private final static SSLParameters defaultClientSSLParams; + private static final SSLParameters defaultClientSSLParams; static { - defaultClientSSLParams = new SSLParameters(); + // candidates for available protocols + ProtocolVersion[] candidates; if (SunJSSE.isFIPS()) { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.TLS10.name - }); - + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS10 + }; } else { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.SSL30.name, - ProtocolVersion.TLS10.name - }); + candidates = new ProtocolVersion[] { + ProtocolVersion.SSL30, + ProtocolVersion.TLS10 + }; } + + defaultClientSSLParams = new SSLParameters(); + defaultClientSSLParams.setProtocols( + getAvailableProtocols(candidates).toArray(new String[0])); } @Override @@ -503,23 +538,27 @@ public abstract class SSLContextImpl extends SSLContextSpi { * @see SSLContext */ public static final class TLS11Context extends AbstractSSLContext { - private final static SSLParameters defaultClientSSLParams; + private static final SSLParameters defaultClientSSLParams; static { - defaultClientSSLParams = new SSLParameters(); + // candidates for available protocols + ProtocolVersion[] candidates; if (SunJSSE.isFIPS()) { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name - }); - + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS10, + ProtocolVersion.TLS11 + }; } else { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.SSL30.name, - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name - }); + candidates = new ProtocolVersion[] { + ProtocolVersion.SSL30, + ProtocolVersion.TLS10, + ProtocolVersion.TLS11 + }; } + + defaultClientSSLParams = new SSLParameters(); + defaultClientSSLParams.setProtocols( + getAvailableProtocols(candidates).toArray(new String[0])); } @Override @@ -534,25 +573,29 @@ public abstract class SSLContextImpl extends SSLContextSpi { * @see SSLContext */ public static final class TLS12Context extends AbstractSSLContext { - private final static SSLParameters defaultClientSSLParams; + private static final SSLParameters defaultClientSSLParams; static { - defaultClientSSLParams = new SSLParameters(); + // candidates for available protocols + ProtocolVersion[] candidates; if (SunJSSE.isFIPS()) { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name, - ProtocolVersion.TLS12.name - }); - + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; } else { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.SSL30.name, - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name, - ProtocolVersion.TLS12.name - }); + candidates = new ProtocolVersion[] { + ProtocolVersion.SSL30, + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; } + + defaultClientSSLParams = new SSLParameters(); + defaultClientSSLParams.setProtocols( + getAvailableProtocols(candidates).toArray(new String[0])); } @Override @@ -567,8 +610,8 @@ public abstract class SSLContextImpl extends SSLContextSpi { * @see SSLContext */ private static class CustomizedSSLContext extends AbstractSSLContext { - private final static String PROPERTY_NAME = "jdk.tls.client.protocols"; - private final static SSLParameters defaultClientSSLParams; + private static final String PROPERTY_NAME = "jdk.tls.client.protocols"; + private static final SSLParameters defaultClientSSLParams; private static IllegalArgumentException reservedException = null; // Don't want a java.lang.LinkageError for illegal system property. @@ -578,60 +621,74 @@ public abstract class SSLContextImpl extends SSLContextSpi { // the provider service. Instead, let's handle the initialization // exception in constructor. static { + // candidates for available protocols + ProtocolVersion[] candidates; + String property = AccessController.doPrivileged( new GetPropertyAction(PROPERTY_NAME)); - defaultClientSSLParams = new SSLParameters(); if (property == null || property.length() == 0) { // the default enabled client TLS protocols if (SunJSSE.isFIPS()) { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name, - ProtocolVersion.TLS12.name - }); - + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; } else { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.SSL30.name, - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name, - ProtocolVersion.TLS12.name - }); + candidates = new ProtocolVersion[] { + ProtocolVersion.SSL30, + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; } } else { // remove double quote marks from beginning/end of the property - if (property.charAt(0) == '"' && + if (property.length() > 1 && property.charAt(0) == '"' && property.charAt(property.length() - 1) == '"') { property = property.substring(1, property.length() - 1); } - String[] protocols = property.split(","); + String[] protocols = null; + if (property != null && property.length() != 0) { + protocols = property.split(","); + } else { + reservedException = new IllegalArgumentException( + "No protocol specified in " + + PROPERTY_NAME + " system property"); + protocols = new String[0]; + } + + candidates = new ProtocolVersion[protocols.length]; for (int i = 0; i < protocols.length; i++) { protocols[i] = protocols[i].trim(); // Is it a supported protocol name? try { - ProtocolVersion.valueOf(protocols[i]); + candidates[i] = ProtocolVersion.valueOf(protocols[i]); } catch (IllegalArgumentException iae) { reservedException = new IllegalArgumentException( - PROPERTY_NAME + ": " + protocols[i] + - " is not a standard SSL protocol name", iae); + PROPERTY_NAME + ": " + protocols[i] + + " is not a standard SSL/TLS protocol name", iae); + break; } } if ((reservedException == null) && SunJSSE.isFIPS()) { - for (String protocol : protocols) { - if (ProtocolVersion.SSL20Hello.name.equals(protocol) || - ProtocolVersion.SSL30.name.equals(protocol)) { + for (ProtocolVersion protocolVersion : candidates) { + if (ProtocolVersion.SSL20Hello.v == protocolVersion.v || + ProtocolVersion.SSL30.v == protocolVersion.v) { reservedException = new IllegalArgumentException( - PROPERTY_NAME + ": " + protocol + + PROPERTY_NAME + ": " + protocolVersion + " is not FIPS compliant"); } } } + } - if (reservedException == null) { - defaultClientSSLParams.setProtocols(protocols); - } + defaultClientSSLParams = new SSLParameters(); + if (reservedException == null) { + defaultClientSSLParams.setProtocols( + getAvailableProtocols(candidates).toArray(new String[0])); } } diff --git a/src/share/lib/security/java.security-aix b/src/share/lib/security/java.security-aix index bb71a15a4..81ce1d72f 100644 --- a/src/share/lib/security/java.security-aix +++ b/src/share/lib/security/java.security-aix @@ -479,8 +479,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # # In some environments, certain algorithms or key lengths may be undesirable # when using SSL/TLS. This section describes the mechanism for disabling -# algorithms during SSL/TLS security parameters negotiation, including cipher -# suites selection, peer authentication and key exchange mechanisms. +# algorithms during SSL/TLS security parameters negotiation, including +# protocol version negotiation, cipher suites selection, peer authentication +# and key exchange mechanisms. +# +# Disabled algorithms will not be negotiated for SSL/TLS connections, even +# if they are enabled explicitly in an application. # # For PKI-based peer authentication and key exchange mechanisms, this list # of disabled algorithms will also be checked during certification path @@ -495,4 +499,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # It is not guaranteed to be examined and used by other implementations. # # Example: -# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 +# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 +jdk.tls.disabledAlgorithms=SSLv3 diff --git a/src/share/lib/security/java.security-linux b/src/share/lib/security/java.security-linux index bb71a15a4..81ce1d72f 100644 --- a/src/share/lib/security/java.security-linux +++ b/src/share/lib/security/java.security-linux @@ -479,8 +479,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # # In some environments, certain algorithms or key lengths may be undesirable # when using SSL/TLS. This section describes the mechanism for disabling -# algorithms during SSL/TLS security parameters negotiation, including cipher -# suites selection, peer authentication and key exchange mechanisms. +# algorithms during SSL/TLS security parameters negotiation, including +# protocol version negotiation, cipher suites selection, peer authentication +# and key exchange mechanisms. +# +# Disabled algorithms will not be negotiated for SSL/TLS connections, even +# if they are enabled explicitly in an application. # # For PKI-based peer authentication and key exchange mechanisms, this list # of disabled algorithms will also be checked during certification path @@ -495,4 +499,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # It is not guaranteed to be examined and used by other implementations. # # Example: -# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 +# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 +jdk.tls.disabledAlgorithms=SSLv3 diff --git a/src/share/lib/security/java.security-macosx b/src/share/lib/security/java.security-macosx index 78eeb8e1d..d72511b81 100644 --- a/src/share/lib/security/java.security-macosx +++ b/src/share/lib/security/java.security-macosx @@ -482,8 +482,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # # In some environments, certain algorithms or key lengths may be undesirable # when using SSL/TLS. This section describes the mechanism for disabling -# algorithms during SSL/TLS security parameters negotiation, including cipher -# suites selection, peer authentication and key exchange mechanisms. +# algorithms during SSL/TLS security parameters negotiation, including +# protocol version negotiation, cipher suites selection, peer authentication +# and key exchange mechanisms. +# +# Disabled algorithms will not be negotiated for SSL/TLS connections, even +# if they are enabled explicitly in an application. # # For PKI-based peer authentication and key exchange mechanisms, this list # of disabled algorithms will also be checked during certification path @@ -498,4 +502,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # It is not guaranteed to be examined and used by other implementations. # # Example: -# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 +# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 +jdk.tls.disabledAlgorithms=SSLv3 diff --git a/src/share/lib/security/java.security-solaris b/src/share/lib/security/java.security-solaris index e153e1585..92d0358bf 100644 --- a/src/share/lib/security/java.security-solaris +++ b/src/share/lib/security/java.security-solaris @@ -481,8 +481,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # # In some environments, certain algorithms or key lengths may be undesirable # when using SSL/TLS. This section describes the mechanism for disabling -# algorithms during SSL/TLS security parameters negotiation, including cipher -# suites selection, peer authentication and key exchange mechanisms. +# algorithms during SSL/TLS security parameters negotiation, including +# protocol version negotiation, cipher suites selection, peer authentication +# and key exchange mechanisms. +# +# Disabled algorithms will not be negotiated for SSL/TLS connections, even +# if they are enabled explicitly in an application. # # For PKI-based peer authentication and key exchange mechanisms, this list # of disabled algorithms will also be checked during certification path @@ -497,4 +501,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # It is not guaranteed to be examined and used by other implementations. # # Example: -# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 +# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 +jdk.tls.disabledAlgorithms=SSLv3 diff --git a/src/share/lib/security/java.security-windows b/src/share/lib/security/java.security-windows index e10b953e9..41907ee67 100644 --- a/src/share/lib/security/java.security-windows +++ b/src/share/lib/security/java.security-windows @@ -482,8 +482,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # # In some environments, certain algorithms or key lengths may be undesirable # when using SSL/TLS. This section describes the mechanism for disabling -# algorithms during SSL/TLS security parameters negotiation, including cipher -# suites selection, peer authentication and key exchange mechanisms. +# algorithms during SSL/TLS security parameters negotiation, including +# protocol version negotiation, cipher suites selection, peer authentication +# and key exchange mechanisms. +# +# Disabled algorithms will not be negotiated for SSL/TLS connections, even +# if they are enabled explicitly in an application. # # For PKI-based peer authentication and key exchange mechanisms, this list # of disabled algorithms will also be checked during certification path @@ -498,4 +502,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # It is not guaranteed to be examined and used by other implementations. # # Example: -# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 +# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 +jdk.tls.disabledAlgorithms=SSLv3 diff --git a/test/sun/security/ec/TestEC.java b/test/sun/security/ec/TestEC.java index 155e06ab0..1542c7d37 100644 --- a/test/sun/security/ec/TestEC.java +++ b/test/sun/security/ec/TestEC.java @@ -68,6 +68,10 @@ public class TestEC { } public static void main0(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + Provider p = Security.getProvider("SunEC"); if (p == null) { diff --git a/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java b/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java index 2788f03f8..d6d788a31 100644 --- a/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java +++ b/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java @@ -43,6 +43,10 @@ public class ClientJSSEServerJSSE extends PKCS11Test { private static String[] cmdArgs; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + cmdArgs = args; main(new ClientJSSEServerJSSE()); } diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java index bcdc16d4a..78774f74a 100644 --- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java @@ -32,6 +32,7 @@ import java.io.*; import java.net.*; import javax.net.ssl.*; +import java.security.Security; public class HttpsProtocols implements HostnameVerifier { @@ -177,6 +178,10 @@ public class HttpsProtocols implements HostnameVerifier { volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + keyStoreFile; diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java index 3045064d0..9505b587d 100644 --- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java @@ -35,6 +35,7 @@ import javax.net.*; import javax.net.ssl.*; import java.util.Arrays; +import java.security.Security; public class CustomizedDefaultProtocols { static enum ContextVersion { @@ -93,6 +94,10 @@ public class CustomizedDefaultProtocols { } public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + boolean failed = false; for (ContextVersion cv : ContextVersion.values()) { System.out.println("Checking SSLContext of " + cv.contextVersion); diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java index 20381c6b5..3915d223a 100644 --- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java @@ -34,6 +34,7 @@ import javax.net.*; import javax.net.ssl.*; import java.util.Arrays; +import java.security.Security; public class DefaultEnabledProtocols { static enum ContextVersion { @@ -92,6 +93,10 @@ public class DefaultEnabledProtocols { } public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + boolean failed = false; for (ContextVersion cv : ContextVersion.values()) { System.out.println("Checking SSLContext of " + cv.contextVersion); diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java index d7b1abdef..dd85c22b6 100644 --- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java @@ -35,6 +35,7 @@ import javax.net.*; import javax.net.ssl.*; import java.util.Arrays; +import java.security.Security; public class NoOldVersionContext { static enum ContextVersion { @@ -93,6 +94,10 @@ public class NoOldVersionContext { } public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + boolean failed = false; for (ContextVersion cv : ContextVersion.values()) { System.out.println("Checking SSLContext of " + cv.contextVersion); diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java index 06366eb37..7d57c3fb0 100644 --- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java @@ -115,6 +115,9 @@ public class DelegatedTaskWrongException { } public static void main(String args[]) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); DelegatedTaskWrongException test; diff --git a/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java b/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java index 5774049ba..9aa185986 100644 --- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java +++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java @@ -21,6 +21,11 @@ * questions. */ +// +// SunJSSE does not support dynamic system properties, no way to re-use +// system properties in samevm/agentvm mode. +// + /* * @test * @bug 4416068 4478803 4479736 @@ -31,9 +36,6 @@ * 4701722 protocol mismatch exceptions should be consistent between * SSLv3 and TLSv1 * @run main/othervm testEnabledProtocols - * - * SunJSSE does not support dynamic system properties, no way to re-use - * system properties in samevm/agentvm mode. * @author Ram Marti */ @@ -120,6 +122,10 @@ public class testEnabledProtocols { volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + keyStoreFile; diff --git a/test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java b/test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java index 2cd463540..f84b15b38 100644 --- a/test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java +++ b/test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java @@ -44,6 +44,7 @@ import java.nio.*; import java.net.*; import java.util.*; import java.nio.channels.*; +import java.security.Security; public class SSLEngineExplorer extends SSLEngineService { @@ -231,6 +232,10 @@ public class SSLEngineExplorer extends SSLEngineService { volatile int serverPort = 0; public static void main(String args[]) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (debug) System.setProperty("javax.net.debug", "all"); diff --git a/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java b/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java index 27e2b6abc..f35cf0dae 100644 --- a/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java +++ b/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java @@ -45,6 +45,7 @@ import java.nio.channels.*; import java.util.*; import java.net.*; import javax.net.ssl.*; +import java.security.Security; public class SSLSocketExplorer { @@ -224,6 +225,10 @@ public class SSLSocketExplorer { volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + "/" + keyStoreFile; diff --git a/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java b/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java index 953d2ea8e..e83a6b48f 100644 --- a/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java +++ b/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java @@ -29,9 +29,15 @@ * @run main/othervm/timeout=300 ClientJSSEServerJSSE */ +import java.security.Security; + public class ClientJSSEServerJSSE { public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + CipherTest.main(new JSSEFactory(), args); } -- GitLab