8144773: Further reduce use of MD5

Reviewed-by: mullan, wetmore, jnimeh, ahgross

8144773: Further reduce use of MD5
Reviewed-by: mullan, wetmore, jnimeh, ahgross
9b8565c8 · igerasim · 6f6cea9d · 9b8565c8 · 9b8565c8 · 9b8565c8
26 changed file
--- a/src/share/classes/sun/security/ssl/ClientHandshaker.java
+++ b/src/share/classes/sun/security/ssl/ClientHandshaker.java
@@ -269,7 +269,7 @@ final class ClientHandshaker extends Handshaker {
                        input, serverKey,
                        clnt_random.random_bytes, svr_random.random_bytes,
                        messageLen,
-                        localSupportedSignAlgs, protocolVersion));
+                        getLocalSupportedSignAlgs(), protocolVersion));
                } catch (GeneralSecurityException e) {
                    throwSSLException("Server key", e);
                }
@@ -281,7 +281,7 @@ final class ClientHandshaker extends Handshaker {
                    this.serverKeyExchange(new ECDH_ServerKeyExchange
                        (input, serverKey, clnt_random.random_bytes,
                        svr_random.random_bytes,
-                        localSupportedSignAlgs, protocolVersion));
+                        getLocalSupportedSignAlgs(), protocolVersion));
                } catch (GeneralSecurityException e) {
                    throwSSLException("Server key", e);
                }
@@ -331,7 +331,7 @@ final class ClientHandshaker extends Handshaker {

                Collection<SignatureAndHashAlgorithm> supportedPeerSignAlgs =
                    SignatureAndHashAlgorithm.getSupportedAlgorithms(
-                                                            peerSignAlgs);
+                            algorithmConstraints, peerSignAlgs);
                if (supportedPeerSignAlgs.isEmpty()) {
                    throw new SSLHandshakeException(
                        "No supported signature and hash algorithm in common");
@@ -1094,8 +1094,8 @@ final class ClientHandshaker extends Handshaker {
                if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
                    preferableSignatureAlgorithm =
                        SignatureAndHashAlgorithm.getPreferableAlgorithm(
-                            peerSupportedSignAlgs, signingKey.getAlgorithm(),
-                            signingKey);
+                            getPeerSupportedSignAlgs(),
+                            signingKey.getAlgorithm(), signingKey);

                    if (preferableSignatureAlgorithm == null) {
                        throw new SSLHandshakeException(

--- a/src/share/classes/sun/security/ssl/HandshakeMessage.java
+++ b/src/share/classes/sun/security/ssl/HandshakeMessage.java
@@ -1557,7 +1557,7 @@ static final class CertificateVerify extends HandshakeMessage {
    // the signature bytes
    private byte[] signature;

-    // protocol version being established using this ServerKeyExchange message
+    // protocol version being established using this CertificateVerify message
    ProtocolVersion protocolVersion;

    // the preferable signature algorithm used by this CertificateVerify message
@@ -1610,7 +1610,7 @@ static final class CertificateVerify extends HandshakeMessage {
                    preferableSignatureAlgorithm)) {
                throw new SSLHandshakeException(
                        "Unsupported SignatureAndHashAlgorithm in " +
-                        "ServerKeyExchange message");
+                        "CertificateVerify message");
            }
        }


--- a/src/share/classes/sun/security/ssl/Handshaker.java
+++ b/src/share/classes/sun/security/ssl/Handshaker.java
@@ -89,7 +89,7 @@ abstract class Handshaker {
    AlgorithmConstraints algorithmConstraints = null;

    // Local supported signature and algorithms
-    Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs;
+    private Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs;

    // Peer supported signature and algorithms
    Collection<SignatureAndHashAlgorithm> peerSupportedSignAlgs;

--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java
+++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java
@@ -291,7 +291,7 @@ final class ServerHandshaker extends Handshaker {

            case HandshakeMessage.ht_certificate_verify:
                this.clientCertificateVerify(new CertificateVerify(input,
-                            localSupportedSignAlgs, protocolVersion));
+                            getLocalSupportedSignAlgs(), protocolVersion));
                break;

            case HandshakeMessage.ht_finished:
@@ -700,11 +700,10 @@ final class ServerHandshaker extends Handshaker {
                    Collection<SignatureAndHashAlgorithm>
                        supportedPeerSignAlgs =
                            SignatureAndHashAlgorithm.getSupportedAlgorithms(
-                                                            peerSignAlgs);
+                                algorithmConstraints, peerSignAlgs);
                    if (supportedPeerSignAlgs.isEmpty()) {
                        throw new SSLHandshakeException(
-                            "No supported signature and hash algorithm " +
-                            "in common");
+                            "No signature and hash algorithm in common");
                    }

                    setPeerSupportedSignAlgs(supportedPeerSignAlgs);
@@ -1134,6 +1133,13 @@ final class ServerHandshaker extends Handshaker {
                    supportedSignAlgs =
                        new ArrayList<SignatureAndHashAlgorithm>(1);
                    supportedSignAlgs.add(algorithm);
+
+                    supportedSignAlgs =
+                            SignatureAndHashAlgorithm.getSupportedAlgorithms(
+                                algorithmConstraints, supportedSignAlgs);
+
+                    // May be no default activated signature algorithm, but
+                    // let the following process make the final decision.
                }

                // Sets the peer supported signature algorithm to use in KM
@@ -1178,6 +1184,11 @@ final class ServerHandshaker extends Handshaker {
                    SignatureAndHashAlgorithm.getPreferableAlgorithm(
                                        supportedSignAlgs, "RSA", privateKey);
                if (preferableSignatureAlgorithm == null) {
+                    if ((debug != null) && Debug.isOn("handshake")) {
+                        System.out.println(
+                                "No signature and hash algorithm for cipher " +
+                                suite);
+                    }
                    return false;
                }
            }
@@ -1196,6 +1207,11 @@ final class ServerHandshaker extends Handshaker {
                    SignatureAndHashAlgorithm.getPreferableAlgorithm(
                                        supportedSignAlgs, "RSA", privateKey);
                if (preferableSignatureAlgorithm == null) {
+                    if ((debug != null) && Debug.isOn("handshake")) {
+                        System.out.println(
+                                "No signature and hash algorithm for cipher " +
+                                suite);
+                    }
                    return false;
                }
            }
@@ -1211,6 +1227,11 @@ final class ServerHandshaker extends Handshaker {
                    SignatureAndHashAlgorithm.getPreferableAlgorithm(
                                                supportedSignAlgs, "DSA");
                if (preferableSignatureAlgorithm == null) {
+                    if ((debug != null) && Debug.isOn("handshake")) {
+                        System.out.println(
+                                "No signature and hash algorithm for cipher " +
+                                suite);
+                    }
                    return false;
                }
            }
@@ -1229,6 +1250,11 @@ final class ServerHandshaker extends Handshaker {
                    SignatureAndHashAlgorithm.getPreferableAlgorithm(
                                            supportedSignAlgs, "ECDSA");
                if (preferableSignatureAlgorithm == null) {
+                    if ((debug != null) && Debug.isOn("handshake")) {
+                        System.out.println(
+                                "No signature and hash algorithm for cipher " +
+                                suite);
+                    }
                    return false;
                }
            }
@@ -1274,7 +1300,8 @@ final class ServerHandshaker extends Handshaker {
            break;
        default:
            // internal error, unknown key exchange
-            throw new RuntimeException("Unrecognized cipherSuite: " + suite);
+            throw new RuntimeException(
+                    "Unrecognized cipherSuite: " + suite);
        }
        setCipherSuite(suite);


--- a/src/share/classes/sun/security/ssl/SignatureAndHashAlgorithm.java
+++ b/src/share/classes/sun/security/ssl/SignatureAndHashAlgorithm.java
 /*
- * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -167,10 +167,13 @@ final class SignatureAndHashAlgorithm {

    // Get supported algorithm collection from an untrusted collection
    static Collection<SignatureAndHashAlgorithm> getSupportedAlgorithms(
+            AlgorithmConstraints constraints,
            Collection<SignatureAndHashAlgorithm> algorithms ) {
        Collection<SignatureAndHashAlgorithm> supported = new ArrayList<>();
        for (SignatureAndHashAlgorithm sigAlg : algorithms) {
-            if (sigAlg.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM) {
+            if (sigAlg.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM &&
+                    constraints.permits(SIGNATURE_PRIMITIVE_SET,
+                                sigAlg.algorithm, null)) {
                supported.add(sigAlg);
            }
        }
@@ -237,27 +240,39 @@ final class SignatureAndHashAlgorithm {
            Collection<SignatureAndHashAlgorithm> algorithms,
            String expected, PrivateKey signingKey) {

-        if (expected == null && !algorithms.isEmpty()) {
-            for (SignatureAndHashAlgorithm sigAlg : algorithms) {
-                if (sigAlg.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM) {
-                    return sigAlg;
+        int maxDigestLength = getMaxDigestLength(signingKey);
+        for (SignatureAndHashAlgorithm algorithm : algorithms) {
+            int signValue = algorithm.id & 0xFF;
+            if ((expected == null) ||
+                    (expected.equalsIgnoreCase("rsa") &&
+                            signValue == SignatureAlgorithm.RSA.value) ||
+                    (expected.equalsIgnoreCase("dsa") &&
+                            signValue == SignatureAlgorithm.DSA.value) ||
+                    (expected.equalsIgnoreCase("ecdsa") &&
+                            signValue == SignatureAlgorithm.ECDSA.value) ||
+                    (expected.equalsIgnoreCase("ec") &&
+                            signValue == SignatureAlgorithm.ECDSA.value)) {
+
+                if (algorithm.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM &&
+                        algorithm.hash.length <= maxDigestLength) {
+
+                    return algorithm;
                }
            }
-
-            return null;  // no supported algorithm
        }

-        if (expected == null ) {
-            return null;  // no expected algorithm, no supported algorithm
+        return null;
    }

    /*
-         * Need to check RSA key length to match the length of hash value
+     * Need to check key length to match the length of hash value
     */
+    private static int getMaxDigestLength(PrivateKey signingKey) {
        int maxDigestLength = Integer.MAX_VALUE;
+
+        // only need to check RSA algorithm at present.
        if (signingKey != null &&
-                "rsa".equalsIgnoreCase(signingKey.getAlgorithm()) &&
-                expected.equalsIgnoreCase("rsa")) {
+                "rsa".equalsIgnoreCase(signingKey.getAlgorithm())) {
            /*
             * RSA keys of 512 bits have been shown to be practically
             * breakable, it does not make much sense to use the strong
@@ -285,25 +300,7 @@ final class SignatureAndHashAlgorithm {
                // preferable hash algorithm.
        }

-        for (SignatureAndHashAlgorithm algorithm : algorithms) {
-            int signValue = algorithm.id & 0xFF;
-            if (expected.equalsIgnoreCase("rsa") &&
-                    signValue == SignatureAlgorithm.RSA.value) {
-                if (algorithm.hash.length <= maxDigestLength) {
-                    return algorithm;
-                }
-            } else if (
-                    (expected.equalsIgnoreCase("dsa") &&
-                        signValue == SignatureAlgorithm.DSA.value) ||
-                    (expected.equalsIgnoreCase("ecdsa") &&
-                        signValue == SignatureAlgorithm.ECDSA.value) ||
-                    (expected.equalsIgnoreCase("ec") &&
-                        signValue == SignatureAlgorithm.ECDSA.value)) {
-                return algorithm;
-            }
-        }
-
-        return null;
+        return maxDigestLength;
    }

    static enum HashAlgorithm {

--- a/src/share/lib/security/java.security-aix
+++ b/src/share/lib/security/java.security-aix
@@ -509,7 +509,7 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

--- a/src/share/lib/security/java.security-linux
+++ b/src/share/lib/security/java.security-linux
@@ -509,7 +509,7 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

--- a/src/share/lib/security/java.security-macosx
+++ b/src/share/lib/security/java.security-macosx
@@ -512,7 +512,7 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

--- a/src/share/lib/security/java.security-solaris
+++ b/src/share/lib/security/java.security-solaris
@@ -511,7 +511,7 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

--- a/src/share/lib/security/java.security-windows
+++ b/src/share/lib/security/java.security-windows
@@ -512,7 +512,7 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/MD2InTrustAnchor.java
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/MD2InTrustAnchor.java
 /*
- * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -287,8 +287,10 @@ public class MD2InTrustAnchor {

    public static void main(String[] args) throws Exception {
        // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");

        if (debug)
            System.setProperty("javax.net.debug", "all");

--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/TrustTrustedCert.java
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/TrustTrustedCert.java
 /*
- * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -339,8 +339,10 @@ public class TrustTrustedCert {

    public static void main(String[] args) throws Exception {
        // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");

        if (debug)
            System.setProperty("javax.net.debug", "all");

--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509KeyManager/PreferredKey.java
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509KeyManager/PreferredKey.java
 /*
- * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -57,8 +57,10 @@ public class PreferredKey {

    public static void main(String[] args) throws Exception {
        // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");

        KeyStore ks;
        KeyManagerFactory kmf;

--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/BasicConstraints.java
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/BasicConstraints.java
 /*
- * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -458,8 +458,10 @@ public class BasicConstraints {

    public static void main(String args[]) throws Exception {
        // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");

        if (debug)
            System.setProperty("javax.net.debug", "all");

--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/PKIXExtendedTM.java
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/PKIXExtendedTM.java
 /*
- * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -794,8 +794,10 @@ public class PKIXExtendedTM {

    public static void main(String args[]) throws Exception {
        // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");

        if (debug)
            System.setProperty("javax.net.debug", "all");

--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/SelfIssuedCert.java
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/SelfIssuedCert.java
 /*
- * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -306,8 +306,10 @@ public class SelfIssuedCert {

    public static void main(String args[]) throws Exception {
        // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");

        if (debug)
            System.setProperty("javax.net.debug", "all");

--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/SunX509ExtendedTM.java
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/SunX509ExtendedTM.java
 /*
- * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -796,8 +796,10 @@ public class SunX509ExtendedTM {

    public static void main(String args[]) throws Exception {
        // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");

        if (debug)
            System.setProperty("javax.net.debug", "all");

--- a/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java
 /*
- * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -159,8 +159,10 @@ public class CriticalSubjectAltName implements HostnameVerifier {

    public static void main(String[] args) throws Exception {
        // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");

        String keyFilename =
            System.getProperty("test.src", "./") + "/" + pathToStores +

--- a/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketSNISensitive.java
+++ b/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketSNISensitive.java
 /*
- * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -433,8 +433,10 @@ public class SSLSocketSNISensitive {

    public static void main(String[] args) throws Exception {
        // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");

        if (debug)
            System.setProperty("javax.net.debug", "all");

--- a/test/sun/security/ssl/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java
+++ b/test/sun/security/ssl/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java
 /*
- * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -230,8 +230,10 @@ public class EmptyCertificateAuthorities {

    public static void main(String[] args) throws Exception {
        // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");

        String keyFilename =
            System.getProperty("test.src", ".") + "/" + pathToStores +

--- a/test/sun/security/ssl/javax/net/ssl/TLSv12/ShortRSAKey512.java
+++ b/test/sun/security/ssl/javax/net/ssl/TLSv12/ShortRSAKey512.java
 /*
- * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -282,6 +282,8 @@ public class ShortRSAKey512 {
        // reset the security property to make sure that the algorithms
        // and keys used in this test are not disabled.
        Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");

        if (debug)
            System.setProperty("javax.net.debug", "all");

--- a/test/sun/security/ssl/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java
+++ b/test/sun/security/ssl/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java
 /*
- * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -304,6 +304,8 @@ public class ShortRSAKeyGCM {
        // reset the security property to make sure that the algorithms
        // and keys used in this test are not disabled.
        Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");

        if (debug) {
            System.setProperty("javax.net.debug", "all");

--- a/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/DNSIdentities.java
+++ b/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/DNSIdentities.java
 /*
- * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -747,8 +747,10 @@ public class DNSIdentities {

    public static void main(String args[]) throws Exception {
        // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");

        if (debug)
            System.setProperty("javax.net.debug", "all");

--- a/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPAddressIPIdentities.java
+++ b/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPAddressIPIdentities.java
 /*
- * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -748,8 +748,10 @@ public class IPAddressIPIdentities {

    public static void main(String args[]) throws Exception {
        // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");

        if (debug)
            System.setProperty("javax.net.debug", "all");

--- a/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java
+++ b/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java
 /*
- * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -747,8 +747,10 @@ public class IPIdentities {

    public static void main(String args[]) throws Exception {
        // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");

        if (debug)
            System.setProperty("javax.net.debug", "all");

--- a/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/Identities.java
+++ b/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/Identities.java
 /*
- * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -747,8 +747,10 @@ public class Identities {

    public static void main(String args[]) throws Exception {
        // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");

        if (debug)
            System.setProperty("javax.net.debug", "all");