提交 2e1a0035 编写于 作者: X xuelei

8076221: Disable RC4 cipher suites

Reviewed-by: xuelei, wetmore
上级 c0abf2b0
...@@ -500,4 +500,4 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 ...@@ -500,4 +500,4 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# #
# Example: # Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3 jdk.tls.disabledAlgorithms=SSLv3, RC4
...@@ -500,4 +500,4 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 ...@@ -500,4 +500,4 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# #
# Example: # Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3 jdk.tls.disabledAlgorithms=SSLv3, RC4
...@@ -503,4 +503,4 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 ...@@ -503,4 +503,4 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# #
# Example: # Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3 jdk.tls.disabledAlgorithms=SSLv3, RC4
...@@ -502,4 +502,4 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 ...@@ -502,4 +502,4 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# #
# Example: # Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3 jdk.tls.disabledAlgorithms=SSLv3, RC4
...@@ -503,4 +503,4 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 ...@@ -503,4 +503,4 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# #
# Example: # Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3 jdk.tls.disabledAlgorithms=SSLv3, RC4
/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
/**
* @test
* @bug 8076221
* @summary Check if weak cipher suites are disabled
* @run main/othervm DisabledAlgorithms default
* @run main/othervm DisabledAlgorithms empty
*/
public class DisabledAlgorithms {
private static final String pathToStores =
"../../../../sun/security/ssl/etc";
private static final String keyStoreFile = "keystore";
private static final String trustStoreFile = "truststore";
private static final String passwd = "passphrase";
private static final String keyFilename =
System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + keyStoreFile;
private static final String trustFilename =
System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + trustStoreFile;
// supported RC4 cipher suites
// it does not contain KRB5 cipher suites because they need a KDC
private static final String[] rc4_ciphersuites = new String[] {
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"SSL_RSA_WITH_RC4_128_SHA",
"TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDH_RSA_WITH_RC4_128_SHA",
"SSL_RSA_WITH_RC4_128_MD5",
"TLS_ECDH_anon_WITH_RC4_128_SHA",
"SSL_DH_anon_WITH_RC4_128_MD5"
};
public static void main(String[] args) throws Exception {
if (args.length < 1) {
throw new RuntimeException("No parameters specified");
}
System.setProperty("javax.net.ssl.keyStore", keyFilename);
System.setProperty("javax.net.ssl.keyStorePassword", passwd);
System.setProperty("javax.net.ssl.trustStore", trustFilename);
System.setProperty("javax.net.ssl.trustStorePassword", passwd);
switch (args[0]) {
case "default":
// use default jdk.tls.disabledAlgorithms
System.out.println("jdk.tls.disabledAlgorithms = "
+ Security.getProperty("jdk.tls.disabledAlgorithms"));
// check if RC4 cipher suites can't be used by default
checkFailure(rc4_ciphersuites);
break;
case "empty":
// reset jdk.tls.disabledAlgorithms
Security.setProperty("jdk.tls.disabledAlgorithms", "");
System.out.println("jdk.tls.disabledAlgorithms = "
+ Security.getProperty("jdk.tls.disabledAlgorithms"));
// check if RC4 cipher suites can be used
// if jdk.tls.disabledAlgorithms is empty
checkSuccess(rc4_ciphersuites);
break;
default:
throw new RuntimeException("Wrong parameter: " + args[0]);
}
}
/*
* Checks if that specified cipher suites cannot be used.
*/
private static void checkFailure(String[] ciphersuites) throws Exception {
try (SSLServer server = SSLServer.init(ciphersuites)) {
startNewThread(server);
while (!server.isRunning()) {
sleep();
}
int port = server.getPort();
for (String ciphersuite : ciphersuites) {
try (SSLClient client = SSLClient.init(port, ciphersuite)) {
client.connect();
throw new RuntimeException("Expected SSLHandshakeException "
+ "not thrown");
} catch (SSLHandshakeException e) {
System.out.println("Expected exception on client side: "
+ e);
}
}
server.stop();
while (server.isRunning()) {
sleep();
}
if (!server.sslError()) {
throw new RuntimeException("Expected SSL exception "
+ "not thrown on server side");
}
}
}
/*
* Checks if specified cipher suites can be used.
*/
private static void checkSuccess(String[] ciphersuites) throws Exception {
try (SSLServer server = SSLServer.init(ciphersuites)) {
startNewThread(server);
while (!server.isRunning()) {
sleep();
}
int port = server.getPort();
for (String ciphersuite : ciphersuites) {
try (SSLClient client = SSLClient.init(port, ciphersuite)) {
client.connect();
String negotiated = client.getNegotiatedCipherSuite();
System.out.println("Negotiated cipher suite: "
+ negotiated);
if (!negotiated.equals(ciphersuite)) {
throw new RuntimeException("Unexpected cipher suite: "
+ negotiated);
}
}
}
server.stop();
while (server.isRunning()) {
sleep();
}
if (server.error()) {
throw new RuntimeException("Unexpected error on server side");
}
}
}
private static Thread startNewThread(SSLServer server) {
Thread serverThread = new Thread(server, "SSL server thread");
serverThread.setDaemon(true);
serverThread.start();
return serverThread;
}
private static void sleep() {
try {
TimeUnit.MILLISECONDS.sleep(50);
} catch (InterruptedException e) {
// do nothing
}
}
static class SSLServer implements Runnable, AutoCloseable {
private final SSLServerSocket ssocket;
private volatile boolean stopped = false;
private volatile boolean running = false;
private volatile boolean sslError = false;
private volatile boolean otherError = false;
private SSLServer(SSLServerSocket ssocket) {
this.ssocket = ssocket;
}
@Override
public void run() {
System.out.println("Server: started");
running = true;
while (!stopped) {
try (SSLSocket socket = (SSLSocket) ssocket.accept()) {
System.out.println("Server: accepted client connection");
InputStream in = socket.getInputStream();
OutputStream out = socket.getOutputStream();
int b = in.read();
if (b < 0) {
throw new IOException("Unexpected EOF");
}
System.out.println("Server: send data: " + b);
out.write(b);
out.flush();
socket.getSession().invalidate();
} catch (SSLHandshakeException e) {
System.out.println("Server: run: " + e);
sslError = true;
} catch (IOException e) {
if (!stopped) {
System.out.println("Server: run: " + e);
e.printStackTrace();
otherError = true;
}
}
}
System.out.println("Server: finished");
running = false;
}
int getPort() {
return ssocket.getLocalPort();
}
String[] getEnabledCiperSuites() {
return ssocket.getEnabledCipherSuites();
}
boolean isRunning() {
return running;
}
boolean sslError() {
return sslError;
}
boolean error() {
return sslError || otherError;
}
void stop() {
stopped = true;
if (!ssocket.isClosed()) {
try {
ssocket.close();
} catch (IOException e) {
System.out.println("Server: close: " + e);
}
}
}
@Override
public void close() {
stop();
}
static SSLServer init(String[] ciphersuites)
throws IOException {
SSLServerSocketFactory ssf = (SSLServerSocketFactory)
SSLServerSocketFactory.getDefault();
SSLServerSocket ssocket = (SSLServerSocket)
ssf.createServerSocket(0);
if (ciphersuites != null) {
System.out.println("Server: enable cipher suites: "
+ java.util.Arrays.toString(ciphersuites));
ssocket.setEnabledCipherSuites(ciphersuites);
}
return new SSLServer(ssocket);
}
}
static class SSLClient implements AutoCloseable {
private final SSLSocket socket;
private SSLClient(SSLSocket socket) {
this.socket = socket;
}
void connect() throws IOException {
System.out.println("Client: connect to server");
try (
BufferedInputStream bis = new BufferedInputStream(
socket.getInputStream());
BufferedOutputStream bos = new BufferedOutputStream(
socket.getOutputStream())) {
bos.write('x');
bos.flush();
int read = bis.read();
if (read < 0) {
throw new IOException("Client: couldn't read a response");
}
socket.getSession().invalidate();
}
}
String[] getEnabledCiperSuites() {
return socket.getEnabledCipherSuites();
}
String getNegotiatedCipherSuite() {
return socket.getSession().getCipherSuite();
}
@Override
public void close() throws Exception {
if (!socket.isClosed()) {
try {
socket.close();
} catch (IOException e) {
System.out.println("Client: close: " + e);
}
}
}
static SSLClient init(int port)
throws NoSuchAlgorithmException, IOException {
return init(port, null);
}
static SSLClient init(int port, String ciphersuite)
throws NoSuchAlgorithmException, IOException {
SSLContext context = SSLContext.getDefault();
SSLSocketFactory ssf = (SSLSocketFactory)
context.getSocketFactory();
SSLSocket socket = (SSLSocket) ssf.createSocket("localhost", port);
if (ciphersuite != null) {
System.out.println("Client: enable cipher suite: "
+ ciphersuite);
socket.setEnabledCipherSuites(new String[] { ciphersuite });
}
return new SSLClient(socket);
}
}
}
/* /*
* Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -39,11 +39,10 @@ ...@@ -39,11 +39,10 @@
* @run main/othervm SSL TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 * @run main/othervm SSL TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
*/ */
import java.io.*; import java.io.*;
import java.net.InetAddress;
import java.security.AccessControlException;
import java.security.Permission; import java.security.Permission;
import javax.net.ssl.*; import javax.net.ssl.*;
import java.security.Principal; import java.security.Principal;
import java.security.Security;
import java.util.Date; import java.util.Date;
import java.util.List; import java.util.List;
import java.util.ArrayList; import java.util.ArrayList;
...@@ -82,6 +81,9 @@ public class SSL extends SecurityManager { ...@@ -82,6 +81,9 @@ public class SSL extends SecurityManager {
} }
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
krb5Cipher = args[0]; krb5Cipher = args[0];
......
/* /*
* Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -34,7 +34,7 @@ ...@@ -34,7 +34,7 @@
*/ */
import java.io.*; import java.io.*;
import java.net.*; import java.security.Security;
import javax.net.ssl.*; import javax.net.ssl.*;
public class CipherSuiteOrder { public class CipherSuiteOrder {
...@@ -196,6 +196,10 @@ public class CipherSuiteOrder { ...@@ -196,6 +196,10 @@ public class CipherSuiteOrder {
volatile Exception clientException = null; volatile Exception clientException = null;
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
String keyFilename = String keyFilename =
System.getProperty("test.src", "./") + "/" + pathToStores + System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + keyStoreFile; "/" + keyStoreFile;
......
/* /*
* Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -102,10 +102,10 @@ import java.io.*; ...@@ -102,10 +102,10 @@ import java.io.*;
import java.nio.*; import java.nio.*;
import java.security.KeyStore; import java.security.KeyStore;
import java.security.KeyFactory; import java.security.KeyFactory;
import java.security.Security;
import java.security.cert.Certificate; import java.security.cert.Certificate;
import java.security.cert.CertificateFactory; import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.*;
import java.security.interfaces.*; import java.security.interfaces.*;
import java.util.Base64; import java.util.Base64;
...@@ -377,6 +377,10 @@ public class DHEKeySizing { ...@@ -377,6 +377,10 @@ public class DHEKeySizing {
} }
public static void main(String args[]) throws Exception { public static void main(String args[]) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
if (args.length != 4) { if (args.length != 4) {
System.out.println( System.out.println(
"Usage: java DHEKeySizing cipher-suite " + "Usage: java DHEKeySizing cipher-suite " +
......
/* /*
* Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -622,6 +622,9 @@ public class CheckStatus { ...@@ -622,6 +622,9 @@ public class CheckStatus {
} }
public static void main(String args[]) throws Exception { public static void main(String args[]) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
CheckStatus cs; CheckStatus cs;
......
/* /*
* Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -33,6 +33,8 @@ ...@@ -33,6 +33,8 @@
* The code could certainly be tightened up a lot. * The code could certainly be tightened up a lot.
* *
* @author Brad Wetmore * @author Brad Wetmore
*
* @run main/othervm ConnectionTest
*/ */
import javax.net.ssl.*; import javax.net.ssl.*;
...@@ -669,6 +671,10 @@ public class ConnectionTest { ...@@ -669,6 +671,10 @@ public class ConnectionTest {
} }
public static void main(String args[]) throws Exception { public static void main(String args[]) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
ConnectionTest ct = new ConnectionTest(); ConnectionTest ct = new ConnectionTest();
ct.test(); ct.test();
} }
......
/* /*
* Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -179,6 +179,9 @@ public class LargeBufs { ...@@ -179,6 +179,9 @@ public class LargeBufs {
} }
public static void main(String args[]) throws Exception { public static void main(String args[]) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
LargeBufs test; LargeBufs test;
......
/* /*
* Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -35,7 +35,7 @@ ...@@ -35,7 +35,7 @@
*/ */
import java.io.*; import java.io.*;
import java.net.*; import java.security.Security;
import javax.net.ssl.*; import javax.net.ssl.*;
import java.util.Arrays; import java.util.Arrays;
...@@ -195,6 +195,10 @@ public class UseCipherSuitesOrder { ...@@ -195,6 +195,10 @@ public class UseCipherSuitesOrder {
volatile Exception clientException = null; volatile Exception clientException = null;
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
// parse the arguments // parse the arguments
parseArguments(args); parseArguments(args);
......
/* /*
* Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -36,7 +36,7 @@ ...@@ -36,7 +36,7 @@
*/ */
import java.io.*; import java.io.*;
import java.net.*; import java.security.Security;
import javax.net.ssl.*; import javax.net.ssl.*;
public class GenericStreamCipher { public class GenericStreamCipher {
...@@ -160,6 +160,10 @@ public class GenericStreamCipher { ...@@ -160,6 +160,10 @@ public class GenericStreamCipher {
volatile Exception clientException = null; volatile Exception clientException = null;
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.tls.disabledAlgorithms", "");
String keyFilename = String keyFilename =
System.getProperty("test.src", ".") + "/" + pathToStores + System.getProperty("test.src", ".") + "/" + pathToStores +
"/" + keyStoreFile; "/" + keyStoreFile;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册