diff --git a/src/share/lib/security/java.security-aix b/src/share/lib/security/java.security-aix index ac6b586226c13bf431d6d367828203de9ff4d43b..13abdd6c491d14ab69a04fdec0cd1cf63c1d236c 100644 --- a/src/share/lib/security/java.security-aix +++ b/src/share/lib/security/java.security-aix @@ -620,7 +620,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024 # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ - EC keySize < 224, 3DES_EDE_CBC + EC keySize < 224, 3DES_EDE_CBC, anon, NULL # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) # processing in JSSE implementation. diff --git a/src/share/lib/security/java.security-linux b/src/share/lib/security/java.security-linux index 9b2691944a16c5db55857c622cc79d6b73ed5f95..c730d500cf09719215753501055678a00264c812 100644 --- a/src/share/lib/security/java.security-linux +++ b/src/share/lib/security/java.security-linux @@ -620,7 +620,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024 # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ - EC keySize < 224, 3DES_EDE_CBC + EC keySize < 224, 3DES_EDE_CBC, anon, NULL # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) # processing in JSSE implementation. diff --git a/src/share/lib/security/java.security-macosx b/src/share/lib/security/java.security-macosx index 205b13a5f09b02d2db509d5c5c6757614cf13cc2..2ac463791b41df09f2cb071ef27a31331b935afd 100644 --- a/src/share/lib/security/java.security-macosx +++ b/src/share/lib/security/java.security-macosx @@ -623,7 +623,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024 # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ - EC keySize < 224, 3DES_EDE_CBC + EC keySize < 224, 3DES_EDE_CBC, anon, NULL # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) # processing in JSSE implementation. diff --git a/src/share/lib/security/java.security-solaris b/src/share/lib/security/java.security-solaris index 1fb4c0e2bdbee2e9b039f63eba3f46325f60dc09..a5c4d86596618eaccf81424ef69f27acf23b66d4 100644 --- a/src/share/lib/security/java.security-solaris +++ b/src/share/lib/security/java.security-solaris @@ -622,7 +622,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024 # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ - EC keySize < 224, 3DES_EDE_CBC + EC keySize < 224, 3DES_EDE_CBC, anon, NULL # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) # processing in JSSE implementation. diff --git a/src/share/lib/security/java.security-windows b/src/share/lib/security/java.security-windows index 3d80302870f1465cabd22db88d404465dfaffe70..a0ce655dcc32e2eff38137a1123c7071099c4454 100644 --- a/src/share/lib/security/java.security-windows +++ b/src/share/lib/security/java.security-windows @@ -623,7 +623,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024 # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ - EC keySize < 224, 3DES_EDE_CBC + EC keySize < 224, 3DES_EDE_CBC, anon, NULL # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) # processing in JSSE implementation. diff --git a/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java b/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java index faada15a3073a6455f88c924115bb6c26bb7ec3a..b2c62681c694675df8009e58f5d802aaae54fbbf 100644 --- a/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java +++ b/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -38,7 +38,7 @@ import javax.net.ssl.SSLSocketFactory; /** * @test - * @bug 8076221 8157035 + * @bug 8076221 8157035 8211883 * @summary Check if weak cipher suites are disabled * @run main/othervm DisabledAlgorithms default * @run main/othervm DisabledAlgorithms empty @@ -59,9 +59,9 @@ public class DisabledAlgorithms { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; - // supported RC4 cipher suites + // supported RC4, NULL, and anon cipher suites // it does not contain KRB5 cipher suites because they need a KDC - private static final String[] rc4_ciphersuites = new String[] { + private static final String[] rc4_null_anon_ciphersuites = new String[] { "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_SHA", @@ -69,7 +69,31 @@ public class DisabledAlgorithms { "TLS_ECDH_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_MD5", "TLS_ECDH_anon_WITH_RC4_128_SHA", - "SSL_DH_anon_WITH_RC4_128_MD5" + "SSL_DH_anon_WITH_RC4_128_MD5", + "SSL_RSA_WITH_NULL_MD5", + "SSL_RSA_WITH_NULL_SHA", + "TLS_RSA_WITH_NULL_SHA256", + "TLS_ECDH_ECDSA_WITH_NULL_SHA", + "TLS_ECDHE_ECDSA_WITH_NULL_SHA", + "TLS_ECDH_RSA_WITH_NULL_SHA", + "TLS_ECDHE_RSA_WITH_NULL_SHA", + "TLS_ECDH_anon_WITH_NULL_SHA", + "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", + "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", + "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", + "SSL_DH_anon_WITH_DES_CBC_SHA", + "SSL_DH_anon_WITH_RC4_128_MD5", + "TLS_DH_anon_WITH_AES_128_CBC_SHA", + "TLS_DH_anon_WITH_AES_128_CBC_SHA256", + "TLS_DH_anon_WITH_AES_128_GCM_SHA256", + "TLS_DH_anon_WITH_AES_256_CBC_SHA", + "TLS_DH_anon_WITH_AES_256_CBC_SHA256", + "TLS_DH_anon_WITH_AES_256_GCM_SHA384", + "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", + "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", + "TLS_ECDH_anon_WITH_NULL_SHA", + "TLS_ECDH_anon_WITH_RC4_128_SHA" }; public static void main(String[] args) throws Exception { @@ -88,8 +112,9 @@ public class DisabledAlgorithms { System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms")); - // check if RC4 cipher suites can't be used by default - checkFailure(rc4_ciphersuites); + // check if RC4, NULL, and anon cipher suites + // can't be used by default + checkFailure(rc4_null_anon_ciphersuites); break; case "empty": // reset jdk.tls.disabledAlgorithms @@ -97,9 +122,9 @@ public class DisabledAlgorithms { System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms")); - // check if RC4 cipher suites can be used + // check if RC4, NULL, and anon cipher suites can be used // if jdk.tls.disabledAlgorithms is empty - checkSuccess(rc4_ciphersuites); + checkSuccess(rc4_null_anon_ciphersuites); break; default: throw new RuntimeException("Wrong parameter: " + args[0]); diff --git a/test/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java b/test/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java index 00860054877a2b306af787463a40b04fec387a9f..71785027b094214c8906bee34c898fadaa10ce45 100644 --- a/test/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java +++ b/test/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java @@ -74,6 +74,7 @@ * TLS_ECDH_anon_WITH_AES_128_CBC_SHA */ +import java.security.Security; import javax.net.ssl.*; /** @@ -90,14 +91,18 @@ public class CustomizedCipherSuites { private static boolean isClientMode; private static String enabledCipherSuite; - private static String disabledCipherSuite; + private static String notEnabledCipherSuite; public static void main(String[] args) throws Exception { + // reset the security property to make sure the cipher suites + // used in this test are not disabled + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + contextProtocol = trimQuotes(args[0]); isClientMode = Boolean.parseBoolean(args[1]); enabledCipherSuite = trimQuotes(args[2]); - disabledCipherSuite = trimQuotes(args[3]); + notEnabledCipherSuite = trimQuotes(args[3]); // // Create instance of SSLContext with the specified protocol. @@ -206,8 +211,8 @@ public class CustomizedCipherSuites { isMatch = true; } - if (!disabledCipherSuite.isEmpty() && - cipher.equals(disabledCipherSuite)) { + if (!notEnabledCipherSuite.isEmpty() && + cipher.equals(notEnabledCipherSuite)) { isBroken = true; } } @@ -219,7 +224,7 @@ public class CustomizedCipherSuites { if (isBroken) { throw new Exception( - "Cipher suite " + disabledCipherSuite + " should be disabled"); + "Cipher suite " + notEnabledCipherSuite + " should not be enabled"); } } @@ -231,7 +236,7 @@ public class CustomizedCipherSuites { } boolean hasEnabledCipherSuite = enabledCipherSuite.isEmpty(); - boolean hasDisabledCipherSuite = disabledCipherSuite.isEmpty(); + boolean hasNotEnabledCipherSuite = notEnabledCipherSuite.isEmpty(); for (String cipher : ciphers) { System.out.println("\tsupported cipher suite " + cipher); if (!enabledCipherSuite.isEmpty() && @@ -239,9 +244,9 @@ public class CustomizedCipherSuites { hasEnabledCipherSuite = true; } - if (!disabledCipherSuite.isEmpty() && - cipher.equals(disabledCipherSuite)) { - hasDisabledCipherSuite = true; + if (!notEnabledCipherSuite.isEmpty() && + cipher.equals(notEnabledCipherSuite)) { + hasNotEnabledCipherSuite = true; } } @@ -250,9 +255,9 @@ public class CustomizedCipherSuites { "Cipher suite " + enabledCipherSuite + " should be supported"); } - if (!hasDisabledCipherSuite) { + if (!hasNotEnabledCipherSuite) { throw new Exception( - "Cipher suite " + disabledCipherSuite + " should be supported"); + "Cipher suite " + notEnabledCipherSuite + " should not be enabled"); } } diff --git a/test/sun/security/ssl/javax/net/ssl/NewAPIs/JSSERenegotiate.java b/test/sun/security/ssl/javax/net/ssl/NewAPIs/JSSERenegotiate.java index 748b5fed6d4157e750cdb7593c880203a4e02e5d..2d8ca9a1281109fa1aec7e15ff0d22edb9177aa9 100644 --- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/JSSERenegotiate.java +++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/JSSERenegotiate.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -37,6 +37,7 @@ import java.io.*; import java.net.*; +import java.security.Security; import javax.net.ssl.*; public class JSSERenegotiate { @@ -190,6 +191,10 @@ public class JSSERenegotiate { volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the cipher suites + // used in this test are not disabled + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + keyStoreFile;