提交 0d6d2bb1 编写于 作者: X xuelei

8061210: Issues in TLS

Reviewed-by: jnimeh, mullan, wetmore, ahgross, asmotrak
上级 64b69ec2
...@@ -500,7 +500,9 @@ abstract class Handshaker { ...@@ -500,7 +500,9 @@ abstract class Handshaker {
if (activeProtocols.collection().isEmpty() || if (activeProtocols.collection().isEmpty() ||
activeProtocols.max.v == ProtocolVersion.NONE.v) { activeProtocols.max.v == ProtocolVersion.NONE.v) {
throw new SSLHandshakeException("No appropriate protocol"); throw new SSLHandshakeException(
"No appropriate protocol (protocol is disabled or " +
"cipher suites are inappropriate)");
} }
if (activeCipherSuites == null) { if (activeCipherSuites == null) {
...@@ -678,6 +680,16 @@ abstract class Handshaker { ...@@ -678,6 +680,16 @@ abstract class Handshaker {
if (activeProtocols == null) { if (activeProtocols == null) {
ArrayList<ProtocolVersion> protocols = new ArrayList<>(4); ArrayList<ProtocolVersion> protocols = new ArrayList<>(4);
for (ProtocolVersion protocol : enabledProtocols.collection()) { for (ProtocolVersion protocol : enabledProtocols.collection()) {
if (!algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
protocol.name, null)) {
if (debug != null && Debug.isOn("verbose")) {
System.out.println(
"Ignoring disabled protocol: " + protocol);
}
continue;
}
boolean found = false; boolean found = false;
for (CipherSuite suite : enabledCipherSuites.collection()) { for (CipherSuite suite : enabledCipherSuites.collection()) {
if (suite.isAvailable() && suite.obsoleted > protocol.v && if (suite.isAvailable() && suite.obsoleted > protocol.v &&
......
...@@ -25,6 +25,9 @@ ...@@ -25,6 +25,9 @@
package sun.security.ssl; package sun.security.ssl;
import java.util.*;
import java.security.CryptoPrimitive;
/** /**
* Type safe enum for an SSL/TLS protocol version. Instances are obtained * Type safe enum for an SSL/TLS protocol version. Instances are obtained
* using the static factory methods or by referencing the static members * using the static factory methods or by referencing the static members
...@@ -86,6 +89,11 @@ public final class ProtocolVersion implements Comparable<ProtocolVersion> { ...@@ -86,6 +89,11 @@ public final class ProtocolVersion implements Comparable<ProtocolVersion> {
// Default version for hello messages (SSLv2Hello) // Default version for hello messages (SSLv2Hello)
final static ProtocolVersion DEFAULT_HELLO = FIPS ? TLS10 : SSL30; final static ProtocolVersion DEFAULT_HELLO = FIPS ? TLS10 : SSL30;
// Available protocols
//
// Including all supported protocols except the disabled ones.
final static Set<ProtocolVersion> availableProtocols;
// version in 16 bit MSB format as it appears in records and // version in 16 bit MSB format as it appears in records and
// messages, i.e. 0x0301 for TLS 1.0 // messages, i.e. 0x0301 for TLS 1.0
public final int v; public final int v;
...@@ -96,6 +104,24 @@ public final class ProtocolVersion implements Comparable<ProtocolVersion> { ...@@ -96,6 +104,24 @@ public final class ProtocolVersion implements Comparable<ProtocolVersion> {
// name used in JSSE (e.g. TLSv1 for TLS 1.0) // name used in JSSE (e.g. TLSv1 for TLS 1.0)
final String name; final String name;
// Initialize the available protocols.
static {
Set<ProtocolVersion> protocols = new HashSet<>(5);
ProtocolVersion[] pvs = new ProtocolVersion[] {
SSL20Hello, SSL30, TLS10, TLS11, TLS12};
for (ProtocolVersion p : pvs) {
if (SSLAlgorithmConstraints.DEFAULT_SSL_ONLY.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
p.name, null)) {
protocols.add(p);
}
}
availableProtocols =
Collections.<ProtocolVersion>unmodifiableSet(protocols);
}
// private // private
private ProtocolVersion(int v, String name) { private ProtocolVersion(int v, String name) {
this.v = v; this.v = v;
......
...@@ -55,6 +55,14 @@ final class SSLAlgorithmConstraints implements AlgorithmConstraints { ...@@ -55,6 +55,14 @@ final class SSLAlgorithmConstraints implements AlgorithmConstraints {
private boolean enabledX509DisabledAlgConstraints = true; private boolean enabledX509DisabledAlgConstraints = true;
// the default algorithm constraints
final static AlgorithmConstraints DEFAULT =
new SSLAlgorithmConstraints(null);
// the default SSL only algorithm constraints
final static AlgorithmConstraints DEFAULT_SSL_ONLY =
new SSLAlgorithmConstraints((SSLSocket)null, false);
SSLAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) { SSLAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) {
userAlgConstraints = algorithmConstraints; userAlgConstraints = algorithmConstraints;
} }
......
...@@ -52,10 +52,6 @@ public abstract class SSLContextImpl extends SSLContextSpi { ...@@ -52,10 +52,6 @@ public abstract class SSLContextImpl extends SSLContextSpi {
private X509TrustManager trustManager; private X509TrustManager trustManager;
private SecureRandom secureRandom; private SecureRandom secureRandom;
// The default algrithm constraints
private AlgorithmConstraints defaultAlgorithmConstraints =
new SSLAlgorithmConstraints(null);
// supported and default protocols // supported and default protocols
private ProtocolList defaultServerProtocolList; private ProtocolList defaultServerProtocolList;
private ProtocolList defaultClientProtocolList; private ProtocolList defaultClientProtocolList;
...@@ -350,7 +346,7 @@ public abstract class SSLContextImpl extends SSLContextSpi { ...@@ -350,7 +346,7 @@ public abstract class SSLContextImpl extends SSLContextSpi {
if (suite.isAvailable() && if (suite.isAvailable() &&
suite.obsoleted > protocols.min.v && suite.obsoleted > protocols.min.v &&
suite.supported <= protocols.max.v) { suite.supported <= protocols.max.v) {
if (defaultAlgorithmConstraints.permits( if (SSLAlgorithmConstraints.DEFAULT.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
suite.name, null)) { suite.name, null)) {
suites.add(suite); suites.add(suite);
...@@ -431,11 +427,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { ...@@ -431,11 +427,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
*/ */
private abstract static class AbstractSSLContext extends SSLContextImpl { private abstract static class AbstractSSLContext extends SSLContextImpl {
// parameters // parameters
private final static SSLParameters defaultServerSSLParams; private static final SSLParameters defaultServerSSLParams;
private final static SSLParameters supportedSSLParams; private static final SSLParameters supportedSSLParams;
static { static {
// supported SSL parameters
supportedSSLParams = new SSLParameters(); supportedSSLParams = new SSLParameters();
// candidates for available protocols
ProtocolVersion[] candidates;
if (SunJSSE.isFIPS()) { if (SunJSSE.isFIPS()) {
supportedSSLParams.setProtocols(new String[] { supportedSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name, ProtocolVersion.TLS10.name,
...@@ -443,7 +444,11 @@ public abstract class SSLContextImpl extends SSLContextSpi { ...@@ -443,7 +444,11 @@ public abstract class SSLContextImpl extends SSLContextSpi {
ProtocolVersion.TLS12.name ProtocolVersion.TLS12.name
}); });
defaultServerSSLParams = supportedSSLParams; candidates = new ProtocolVersion[] {
ProtocolVersion.TLS10,
ProtocolVersion.TLS11,
ProtocolVersion.TLS12
};
} else { } else {
supportedSSLParams.setProtocols(new String[] { supportedSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL20Hello.name, ProtocolVersion.SSL20Hello.name,
...@@ -453,8 +458,18 @@ public abstract class SSLContextImpl extends SSLContextSpi { ...@@ -453,8 +458,18 @@ public abstract class SSLContextImpl extends SSLContextSpi {
ProtocolVersion.TLS12.name ProtocolVersion.TLS12.name
}); });
defaultServerSSLParams = supportedSSLParams; candidates = new ProtocolVersion[] {
ProtocolVersion.SSL20Hello,
ProtocolVersion.SSL30,
ProtocolVersion.TLS10,
ProtocolVersion.TLS11,
ProtocolVersion.TLS12
};
} }
defaultServerSSLParams = new SSLParameters();
defaultServerSSLParams.setProtocols(
getAvailableProtocols(candidates).toArray(new String[0]));
} }
@Override @Override
...@@ -466,6 +481,22 @@ public abstract class SSLContextImpl extends SSLContextSpi { ...@@ -466,6 +481,22 @@ public abstract class SSLContextImpl extends SSLContextSpi {
SSLParameters getSupportedSSLParams() { SSLParameters getSupportedSSLParams() {
return supportedSSLParams; return supportedSSLParams;
} }
static List<String> getAvailableProtocols(
ProtocolVersion[] protocolCandidates) {
List<String> availableProtocols = Collections.<String>emptyList();
if (protocolCandidates != null && protocolCandidates.length != 0) {
availableProtocols = new ArrayList<>(protocolCandidates.length);
for (ProtocolVersion p : protocolCandidates) {
if (ProtocolVersion.availableProtocols.contains(p)) {
availableProtocols.add(p.name);
}
}
}
return availableProtocols;
}
} }
/* /*
...@@ -474,21 +505,25 @@ public abstract class SSLContextImpl extends SSLContextSpi { ...@@ -474,21 +505,25 @@ public abstract class SSLContextImpl extends SSLContextSpi {
* @see SSLContext * @see SSLContext
*/ */
public static final class TLS10Context extends AbstractSSLContext { public static final class TLS10Context extends AbstractSSLContext {
private final static SSLParameters defaultClientSSLParams; private static final SSLParameters defaultClientSSLParams;
static { static {
defaultClientSSLParams = new SSLParameters(); // candidates for available protocols
ProtocolVersion[] candidates;
if (SunJSSE.isFIPS()) { if (SunJSSE.isFIPS()) {
defaultClientSSLParams.setProtocols(new String[] { candidates = new ProtocolVersion[] {
ProtocolVersion.TLS10.name ProtocolVersion.TLS10
}); };
} else { } else {
defaultClientSSLParams.setProtocols(new String[] { candidates = new ProtocolVersion[] {
ProtocolVersion.SSL30.name, ProtocolVersion.SSL30,
ProtocolVersion.TLS10.name ProtocolVersion.TLS10
}); };
} }
defaultClientSSLParams = new SSLParameters();
defaultClientSSLParams.setProtocols(
getAvailableProtocols(candidates).toArray(new String[0]));
} }
@Override @Override
...@@ -503,23 +538,27 @@ public abstract class SSLContextImpl extends SSLContextSpi { ...@@ -503,23 +538,27 @@ public abstract class SSLContextImpl extends SSLContextSpi {
* @see SSLContext * @see SSLContext
*/ */
public static final class TLS11Context extends AbstractSSLContext { public static final class TLS11Context extends AbstractSSLContext {
private final static SSLParameters defaultClientSSLParams; private static final SSLParameters defaultClientSSLParams;
static { static {
defaultClientSSLParams = new SSLParameters(); // candidates for available protocols
ProtocolVersion[] candidates;
if (SunJSSE.isFIPS()) { if (SunJSSE.isFIPS()) {
defaultClientSSLParams.setProtocols(new String[] { candidates = new ProtocolVersion[] {
ProtocolVersion.TLS10.name, ProtocolVersion.TLS10,
ProtocolVersion.TLS11.name ProtocolVersion.TLS11
}); };
} else { } else {
defaultClientSSLParams.setProtocols(new String[] { candidates = new ProtocolVersion[] {
ProtocolVersion.SSL30.name, ProtocolVersion.SSL30,
ProtocolVersion.TLS10.name, ProtocolVersion.TLS10,
ProtocolVersion.TLS11.name ProtocolVersion.TLS11
}); };
} }
defaultClientSSLParams = new SSLParameters();
defaultClientSSLParams.setProtocols(
getAvailableProtocols(candidates).toArray(new String[0]));
} }
@Override @Override
...@@ -534,25 +573,29 @@ public abstract class SSLContextImpl extends SSLContextSpi { ...@@ -534,25 +573,29 @@ public abstract class SSLContextImpl extends SSLContextSpi {
* @see SSLContext * @see SSLContext
*/ */
public static final class TLS12Context extends AbstractSSLContext { public static final class TLS12Context extends AbstractSSLContext {
private final static SSLParameters defaultClientSSLParams; private static final SSLParameters defaultClientSSLParams;
static { static {
defaultClientSSLParams = new SSLParameters(); // candidates for available protocols
ProtocolVersion[] candidates;
if (SunJSSE.isFIPS()) { if (SunJSSE.isFIPS()) {
defaultClientSSLParams.setProtocols(new String[] { candidates = new ProtocolVersion[] {
ProtocolVersion.TLS10.name, ProtocolVersion.TLS10,
ProtocolVersion.TLS11.name, ProtocolVersion.TLS11,
ProtocolVersion.TLS12.name ProtocolVersion.TLS12
}); };
} else { } else {
defaultClientSSLParams.setProtocols(new String[] { candidates = new ProtocolVersion[] {
ProtocolVersion.SSL30.name, ProtocolVersion.SSL30,
ProtocolVersion.TLS10.name, ProtocolVersion.TLS10,
ProtocolVersion.TLS11.name, ProtocolVersion.TLS11,
ProtocolVersion.TLS12.name ProtocolVersion.TLS12
}); };
} }
defaultClientSSLParams = new SSLParameters();
defaultClientSSLParams.setProtocols(
getAvailableProtocols(candidates).toArray(new String[0]));
} }
@Override @Override
...@@ -567,8 +610,8 @@ public abstract class SSLContextImpl extends SSLContextSpi { ...@@ -567,8 +610,8 @@ public abstract class SSLContextImpl extends SSLContextSpi {
* @see SSLContext * @see SSLContext
*/ */
private static class CustomizedSSLContext extends AbstractSSLContext { private static class CustomizedSSLContext extends AbstractSSLContext {
private final static String PROPERTY_NAME = "jdk.tls.client.protocols"; private static final String PROPERTY_NAME = "jdk.tls.client.protocols";
private final static SSLParameters defaultClientSSLParams; private static final SSLParameters defaultClientSSLParams;
private static IllegalArgumentException reservedException = null; private static IllegalArgumentException reservedException = null;
// Don't want a java.lang.LinkageError for illegal system property. // Don't want a java.lang.LinkageError for illegal system property.
...@@ -578,60 +621,74 @@ public abstract class SSLContextImpl extends SSLContextSpi { ...@@ -578,60 +621,74 @@ public abstract class SSLContextImpl extends SSLContextSpi {
// the provider service. Instead, let's handle the initialization // the provider service. Instead, let's handle the initialization
// exception in constructor. // exception in constructor.
static { static {
// candidates for available protocols
ProtocolVersion[] candidates;
String property = AccessController.doPrivileged( String property = AccessController.doPrivileged(
new GetPropertyAction(PROPERTY_NAME)); new GetPropertyAction(PROPERTY_NAME));
defaultClientSSLParams = new SSLParameters();
if (property == null || property.length() == 0) { if (property == null || property.length() == 0) {
// the default enabled client TLS protocols // the default enabled client TLS protocols
if (SunJSSE.isFIPS()) { if (SunJSSE.isFIPS()) {
defaultClientSSLParams.setProtocols(new String[] { candidates = new ProtocolVersion[] {
ProtocolVersion.TLS10.name, ProtocolVersion.TLS10,
ProtocolVersion.TLS11.name, ProtocolVersion.TLS11,
ProtocolVersion.TLS12.name ProtocolVersion.TLS12
}); };
} else { } else {
defaultClientSSLParams.setProtocols(new String[] { candidates = new ProtocolVersion[] {
ProtocolVersion.SSL30.name, ProtocolVersion.SSL30,
ProtocolVersion.TLS10.name, ProtocolVersion.TLS10,
ProtocolVersion.TLS11.name, ProtocolVersion.TLS11,
ProtocolVersion.TLS12.name ProtocolVersion.TLS12
}); };
} }
} else { } else {
// remove double quote marks from beginning/end of the property // remove double quote marks from beginning/end of the property
if (property.charAt(0) == '"' && if (property.length() > 1 && property.charAt(0) == '"' &&
property.charAt(property.length() - 1) == '"') { property.charAt(property.length() - 1) == '"') {
property = property.substring(1, property.length() - 1); property = property.substring(1, property.length() - 1);
} }
String[] protocols = property.split(","); String[] protocols = null;
if (property != null && property.length() != 0) {
protocols = property.split(",");
} else {
reservedException = new IllegalArgumentException(
"No protocol specified in " +
PROPERTY_NAME + " system property");
protocols = new String[0];
}
candidates = new ProtocolVersion[protocols.length];
for (int i = 0; i < protocols.length; i++) { for (int i = 0; i < protocols.length; i++) {
protocols[i] = protocols[i].trim(); protocols[i] = protocols[i].trim();
// Is it a supported protocol name? // Is it a supported protocol name?
try { try {
ProtocolVersion.valueOf(protocols[i]); candidates[i] = ProtocolVersion.valueOf(protocols[i]);
} catch (IllegalArgumentException iae) { } catch (IllegalArgumentException iae) {
reservedException = new IllegalArgumentException( reservedException = new IllegalArgumentException(
PROPERTY_NAME + ": " + protocols[i] + PROPERTY_NAME + ": " + protocols[i] +
" is not a standard SSL protocol name", iae); " is not a standard SSL/TLS protocol name", iae);
break;
} }
} }
if ((reservedException == null) && SunJSSE.isFIPS()) { if ((reservedException == null) && SunJSSE.isFIPS()) {
for (String protocol : protocols) { for (ProtocolVersion protocolVersion : candidates) {
if (ProtocolVersion.SSL20Hello.name.equals(protocol) || if (ProtocolVersion.SSL20Hello.v == protocolVersion.v ||
ProtocolVersion.SSL30.name.equals(protocol)) { ProtocolVersion.SSL30.v == protocolVersion.v) {
reservedException = new IllegalArgumentException( reservedException = new IllegalArgumentException(
PROPERTY_NAME + ": " + protocol + PROPERTY_NAME + ": " + protocolVersion +
" is not FIPS compliant"); " is not FIPS compliant");
} }
} }
} }
}
if (reservedException == null) { defaultClientSSLParams = new SSLParameters();
defaultClientSSLParams.setProtocols(protocols); if (reservedException == null) {
} defaultClientSSLParams.setProtocols(
getAvailableProtocols(candidates).toArray(new String[0]));
} }
} }
......
...@@ -479,8 +479,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 ...@@ -479,8 +479,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# #
# In some environments, certain algorithms or key lengths may be undesirable # In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling # when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher # algorithms during SSL/TLS security parameters negotiation, including
# suites selection, peer authentication and key exchange mechanisms. # protocol version negotiation, cipher suites selection, peer authentication
# and key exchange mechanisms.
#
# Disabled algorithms will not be negotiated for SSL/TLS connections, even
# if they are enabled explicitly in an application.
# #
# For PKI-based peer authentication and key exchange mechanisms, this list # For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path # of disabled algorithms will also be checked during certification path
...@@ -495,4 +499,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 ...@@ -495,4 +499,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# It is not guaranteed to be examined and used by other implementations. # It is not guaranteed to be examined and used by other implementations.
# #
# Example: # Example:
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3
...@@ -479,8 +479,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 ...@@ -479,8 +479,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# #
# In some environments, certain algorithms or key lengths may be undesirable # In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling # when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher # algorithms during SSL/TLS security parameters negotiation, including
# suites selection, peer authentication and key exchange mechanisms. # protocol version negotiation, cipher suites selection, peer authentication
# and key exchange mechanisms.
#
# Disabled algorithms will not be negotiated for SSL/TLS connections, even
# if they are enabled explicitly in an application.
# #
# For PKI-based peer authentication and key exchange mechanisms, this list # For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path # of disabled algorithms will also be checked during certification path
...@@ -495,4 +499,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 ...@@ -495,4 +499,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# It is not guaranteed to be examined and used by other implementations. # It is not guaranteed to be examined and used by other implementations.
# #
# Example: # Example:
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3
...@@ -482,8 +482,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 ...@@ -482,8 +482,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# #
# In some environments, certain algorithms or key lengths may be undesirable # In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling # when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher # algorithms during SSL/TLS security parameters negotiation, including
# suites selection, peer authentication and key exchange mechanisms. # protocol version negotiation, cipher suites selection, peer authentication
# and key exchange mechanisms.
#
# Disabled algorithms will not be negotiated for SSL/TLS connections, even
# if they are enabled explicitly in an application.
# #
# For PKI-based peer authentication and key exchange mechanisms, this list # For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path # of disabled algorithms will also be checked during certification path
...@@ -498,4 +502,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 ...@@ -498,4 +502,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# It is not guaranteed to be examined and used by other implementations. # It is not guaranteed to be examined and used by other implementations.
# #
# Example: # Example:
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3
...@@ -481,8 +481,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 ...@@ -481,8 +481,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# #
# In some environments, certain algorithms or key lengths may be undesirable # In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling # when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher # algorithms during SSL/TLS security parameters negotiation, including
# suites selection, peer authentication and key exchange mechanisms. # protocol version negotiation, cipher suites selection, peer authentication
# and key exchange mechanisms.
#
# Disabled algorithms will not be negotiated for SSL/TLS connections, even
# if they are enabled explicitly in an application.
# #
# For PKI-based peer authentication and key exchange mechanisms, this list # For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path # of disabled algorithms will also be checked during certification path
...@@ -497,4 +501,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 ...@@ -497,4 +501,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# It is not guaranteed to be examined and used by other implementations. # It is not guaranteed to be examined and used by other implementations.
# #
# Example: # Example:
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3
...@@ -482,8 +482,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 ...@@ -482,8 +482,12 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# #
# In some environments, certain algorithms or key lengths may be undesirable # In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling # when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher # algorithms during SSL/TLS security parameters negotiation, including
# suites selection, peer authentication and key exchange mechanisms. # protocol version negotiation, cipher suites selection, peer authentication
# and key exchange mechanisms.
#
# Disabled algorithms will not be negotiated for SSL/TLS connections, even
# if they are enabled explicitly in an application.
# #
# For PKI-based peer authentication and key exchange mechanisms, this list # For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path # of disabled algorithms will also be checked during certification path
...@@ -498,4 +502,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 ...@@ -498,4 +502,5 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# It is not guaranteed to be examined and used by other implementations. # It is not guaranteed to be examined and used by other implementations.
# #
# Example: # Example:
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3
...@@ -68,6 +68,10 @@ public class TestEC { ...@@ -68,6 +68,10 @@ public class TestEC {
} }
public static void main0(String[] args) throws Exception { public static void main0(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
Provider p = Security.getProvider("SunEC"); Provider p = Security.getProvider("SunEC");
if (p == null) { if (p == null) {
......
...@@ -43,6 +43,10 @@ public class ClientJSSEServerJSSE extends PKCS11Test { ...@@ -43,6 +43,10 @@ public class ClientJSSEServerJSSE extends PKCS11Test {
private static String[] cmdArgs; private static String[] cmdArgs;
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
cmdArgs = args; cmdArgs = args;
main(new ClientJSSEServerJSSE()); main(new ClientJSSEServerJSSE());
} }
......
...@@ -32,6 +32,7 @@ ...@@ -32,6 +32,7 @@
import java.io.*; import java.io.*;
import java.net.*; import java.net.*;
import javax.net.ssl.*; import javax.net.ssl.*;
import java.security.Security;
public class HttpsProtocols implements HostnameVerifier { public class HttpsProtocols implements HostnameVerifier {
...@@ -177,6 +178,10 @@ public class HttpsProtocols implements HostnameVerifier { ...@@ -177,6 +178,10 @@ public class HttpsProtocols implements HostnameVerifier {
volatile Exception clientException = null; volatile Exception clientException = null;
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
String keyFilename = String keyFilename =
System.getProperty("test.src", "./") + "/" + pathToStores + System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + keyStoreFile; "/" + keyStoreFile;
......
...@@ -35,6 +35,7 @@ ...@@ -35,6 +35,7 @@
import javax.net.*; import javax.net.*;
import javax.net.ssl.*; import javax.net.ssl.*;
import java.util.Arrays; import java.util.Arrays;
import java.security.Security;
public class CustomizedDefaultProtocols { public class CustomizedDefaultProtocols {
static enum ContextVersion { static enum ContextVersion {
...@@ -93,6 +94,10 @@ public class CustomizedDefaultProtocols { ...@@ -93,6 +94,10 @@ public class CustomizedDefaultProtocols {
} }
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
boolean failed = false; boolean failed = false;
for (ContextVersion cv : ContextVersion.values()) { for (ContextVersion cv : ContextVersion.values()) {
System.out.println("Checking SSLContext of " + cv.contextVersion); System.out.println("Checking SSLContext of " + cv.contextVersion);
......
...@@ -34,6 +34,7 @@ ...@@ -34,6 +34,7 @@
import javax.net.*; import javax.net.*;
import javax.net.ssl.*; import javax.net.ssl.*;
import java.util.Arrays; import java.util.Arrays;
import java.security.Security;
public class DefaultEnabledProtocols { public class DefaultEnabledProtocols {
static enum ContextVersion { static enum ContextVersion {
...@@ -92,6 +93,10 @@ public class DefaultEnabledProtocols { ...@@ -92,6 +93,10 @@ public class DefaultEnabledProtocols {
} }
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
boolean failed = false; boolean failed = false;
for (ContextVersion cv : ContextVersion.values()) { for (ContextVersion cv : ContextVersion.values()) {
System.out.println("Checking SSLContext of " + cv.contextVersion); System.out.println("Checking SSLContext of " + cv.contextVersion);
......
...@@ -35,6 +35,7 @@ ...@@ -35,6 +35,7 @@
import javax.net.*; import javax.net.*;
import javax.net.ssl.*; import javax.net.ssl.*;
import java.util.Arrays; import java.util.Arrays;
import java.security.Security;
public class NoOldVersionContext { public class NoOldVersionContext {
static enum ContextVersion { static enum ContextVersion {
...@@ -93,6 +94,10 @@ public class NoOldVersionContext { ...@@ -93,6 +94,10 @@ public class NoOldVersionContext {
} }
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
boolean failed = false; boolean failed = false;
for (ContextVersion cv : ContextVersion.values()) { for (ContextVersion cv : ContextVersion.values()) {
System.out.println("Checking SSLContext of " + cv.contextVersion); System.out.println("Checking SSLContext of " + cv.contextVersion);
......
...@@ -115,6 +115,9 @@ public class DelegatedTaskWrongException { ...@@ -115,6 +115,9 @@ public class DelegatedTaskWrongException {
} }
public static void main(String args[]) throws Exception { public static void main(String args[]) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
DelegatedTaskWrongException test; DelegatedTaskWrongException test;
......
...@@ -21,6 +21,11 @@ ...@@ -21,6 +21,11 @@
* questions. * questions.
*/ */
//
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.
//
/* /*
* @test * @test
* @bug 4416068 4478803 4479736 * @bug 4416068 4478803 4479736
...@@ -31,9 +36,6 @@ ...@@ -31,9 +36,6 @@
* 4701722 protocol mismatch exceptions should be consistent between * 4701722 protocol mismatch exceptions should be consistent between
* SSLv3 and TLSv1 * SSLv3 and TLSv1
* @run main/othervm testEnabledProtocols * @run main/othervm testEnabledProtocols
*
* SunJSSE does not support dynamic system properties, no way to re-use
* system properties in samevm/agentvm mode.
* @author Ram Marti * @author Ram Marti
*/ */
...@@ -120,6 +122,10 @@ public class testEnabledProtocols { ...@@ -120,6 +122,10 @@ public class testEnabledProtocols {
volatile Exception clientException = null; volatile Exception clientException = null;
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
String keyFilename = String keyFilename =
System.getProperty("test.src", "./") + "/" + pathToStores + System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + keyStoreFile; "/" + keyStoreFile;
......
...@@ -44,6 +44,7 @@ import java.nio.*; ...@@ -44,6 +44,7 @@ import java.nio.*;
import java.net.*; import java.net.*;
import java.util.*; import java.util.*;
import java.nio.channels.*; import java.nio.channels.*;
import java.security.Security;
public class SSLEngineExplorer extends SSLEngineService { public class SSLEngineExplorer extends SSLEngineService {
...@@ -231,6 +232,10 @@ public class SSLEngineExplorer extends SSLEngineService { ...@@ -231,6 +232,10 @@ public class SSLEngineExplorer extends SSLEngineService {
volatile int serverPort = 0; volatile int serverPort = 0;
public static void main(String args[]) throws Exception { public static void main(String args[]) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
if (debug) if (debug)
System.setProperty("javax.net.debug", "all"); System.setProperty("javax.net.debug", "all");
......
...@@ -45,6 +45,7 @@ import java.nio.channels.*; ...@@ -45,6 +45,7 @@ import java.nio.channels.*;
import java.util.*; import java.util.*;
import java.net.*; import java.net.*;
import javax.net.ssl.*; import javax.net.ssl.*;
import java.security.Security;
public class SSLSocketExplorer { public class SSLSocketExplorer {
...@@ -224,6 +225,10 @@ public class SSLSocketExplorer { ...@@ -224,6 +225,10 @@ public class SSLSocketExplorer {
volatile Exception clientException = null; volatile Exception clientException = null;
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
String keyFilename = String keyFilename =
System.getProperty("test.src", ".") + "/" + pathToStores + System.getProperty("test.src", ".") + "/" + pathToStores +
"/" + keyStoreFile; "/" + keyStoreFile;
......
...@@ -29,9 +29,15 @@ ...@@ -29,9 +29,15 @@
* @run main/othervm/timeout=300 ClientJSSEServerJSSE * @run main/othervm/timeout=300 ClientJSSEServerJSSE
*/ */
import java.security.Security;
public class ClientJSSEServerJSSE { public class ClientJSSEServerJSSE {
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
CipherTest.main(new JSSEFactory(), args); CipherTest.main(new JSSEFactory(), args);
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册