Blob Blame History Raw
# HG changeset patch
# User Andrew John Hughes <gnu.andrew@redhat.com>
# Date 1453759602 0
#      Mon Jan 25 22:06:42 2016 +0000
# Node ID 412e3ce4141e2ddb01c8fb099fc0823d783e7b3d
# Parent  33e9441c53fc29f1aa1f496eedda845b6e405473
S8076221, PR2808: Disable RC4 cipher suites

2016-01-25  Andrew John Hughes  <gnu.andrew@redhat.com>

	* Makefile.am:
	(ICEDTEA_PATCHES): Add new patches.
	* NEWS: Updated.
	* patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch:
	Backport of 8076221 to OpenJDK 6 b38.
	* patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch:
	Improve reliability of DisabledAlgorithms test.
	* patches/pr2808-fix_disabled_algorithms_test.patch:
	Remove Java 7 features from new DisabledAlgorithms test.

diff -r 33e9441c53fc -r 412e3ce4141e patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/openjdk/8076221-pr2808-disable_rc4_cipher_suites.patch	Mon Jan 25 22:06:42 2016 +0000
@@ -0,0 +1,553 @@
+# HG changeset patch
+# User xuelei
+# Date 1429096621 0
+#      Wed Apr 15 11:17:01 2015 +0000
+# Node ID 6a24fc5e32a359335538bfa453040fc2d9ba13e9
+# Parent  fe93a8cd20a56dc59e5f2464d7e6bd0d52b807b3
+8076221: Disable RC4 cipher suites
+Reviewed-by: xuelei, wetmore
+
+diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux
+--- openjdk.orig/jdk/src/share/lib/security/java.security-linux	2016-01-20 01:47:58.000000000 +0000
++++ openjdk/jdk/src/share/lib/security/java.security-linux	2016-01-25 20:25:35.722972332 +0000
+@@ -451,7 +451,7 @@
+ #
+ # Example:
+ #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+-jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
++jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+ 
+ # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+ # processing in JSSE implementation.
+diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-solaris openjdk/jdk/src/share/lib/security/java.security-solaris
+--- openjdk.orig/jdk/src/share/lib/security/java.security-solaris	2016-01-20 01:47:58.000000000 +0000
++++ openjdk/jdk/src/share/lib/security/java.security-solaris	2016-01-25 20:24:27.088115212 +0000
+@@ -411,7 +411,7 @@
+ #
+ # Example:
+ #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+-jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
++jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+ 
+ # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+ # processing in JSSE implementation.
+diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-windows openjdk/jdk/src/share/lib/security/java.security-windows
+--- openjdk.orig/jdk/src/share/lib/security/java.security-windows	2016-01-20 01:47:58.000000000 +0000
++++ openjdk/jdk/src/share/lib/security/java.security-windows	2016-01-25 20:23:50.300727758 +0000
+@@ -428,7 +428,7 @@
+ #
+ # Example:
+ #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+-jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
++jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+ 
+ # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+ # processing in JSSE implementation.
+diff -Nru openjdk.orig/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
+--- openjdk.orig/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java	1970-01-01 01:00:00.000000000 +0100
++++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java	2016-01-25 20:17:49.902742622 +0000
+@@ -0,0 +1,362 @@
++/*
++ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.io.BufferedInputStream;
++import java.io.BufferedOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.security.NoSuchAlgorithmException;
++import java.security.Security;
++import java.util.concurrent.TimeUnit;
++import javax.net.ssl.SSLContext;
++import javax.net.ssl.SSLHandshakeException;
++import javax.net.ssl.SSLServerSocket;
++import javax.net.ssl.SSLServerSocketFactory;
++import javax.net.ssl.SSLSocket;
++import javax.net.ssl.SSLSocketFactory;
++
++/**
++ * @test
++ * @bug 8076221
++ * @summary Check if weak cipher suites are disabled
++ * @run main/othervm DisabledAlgorithms default
++ * @run main/othervm DisabledAlgorithms empty
++ */
++public class DisabledAlgorithms {
++
++    private static final String pathToStores =
++            "../../../../sun/security/ssl/etc";
++    private static final String keyStoreFile = "keystore";
++    private static final String trustStoreFile = "truststore";
++    private static final String passwd = "passphrase";
++
++    private static final String keyFilename =
++            System.getProperty("test.src", "./") + "/" + pathToStores +
++                "/" + keyStoreFile;
++
++    private static final String trustFilename =
++            System.getProperty("test.src", "./") + "/" + pathToStores +
++                "/" + trustStoreFile;
++
++    // supported RC4 cipher suites
++    // it does not contain KRB5 cipher suites because they need a KDC
++    private static final String[] rc4_ciphersuites = new String[] {
++        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
++        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
++        "SSL_RSA_WITH_RC4_128_SHA",
++        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
++        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
++        "SSL_RSA_WITH_RC4_128_MD5",
++        "TLS_ECDH_anon_WITH_RC4_128_SHA",
++        "SSL_DH_anon_WITH_RC4_128_MD5"
++    };
++
++    public static void main(String[] args) throws Exception {
++        if (args.length < 1) {
++            throw new RuntimeException("No parameters specified");
++        }
++
++        System.setProperty("javax.net.ssl.keyStore", keyFilename);
++        System.setProperty("javax.net.ssl.keyStorePassword", passwd);
++        System.setProperty("javax.net.ssl.trustStore", trustFilename);
++        System.setProperty("javax.net.ssl.trustStorePassword", passwd);
++
++        switch (args[0]) {
++            case "default":
++                // use default jdk.tls.disabledAlgorithms
++                System.out.println("jdk.tls.disabledAlgorithms = "
++                        + Security.getProperty("jdk.tls.disabledAlgorithms"));
++
++                // check if RC4 cipher suites can't be used by default
++                checkFailure(rc4_ciphersuites);
++                break;
++            case "empty":
++                // reset jdk.tls.disabledAlgorithms
++                Security.setProperty("jdk.tls.disabledAlgorithms", "");
++                System.out.println("jdk.tls.disabledAlgorithms = "
++                        + Security.getProperty("jdk.tls.disabledAlgorithms"));
++
++                // check if RC4 cipher suites can be used
++                // if jdk.tls.disabledAlgorithms is empty
++                checkSuccess(rc4_ciphersuites);
++                break;
++            default:
++                throw new RuntimeException("Wrong parameter: " + args[0]);
++        }
++    }
++
++    /*
++     * Checks if that specified cipher suites cannot be used.
++     */
++    private static void checkFailure(String[] ciphersuites) throws Exception {
++        try (SSLServer server = SSLServer.init(ciphersuites)) {
++            startNewThread(server);
++            while (!server.isRunning()) {
++                sleep();
++            }
++
++            int port = server.getPort();
++            for (String ciphersuite : ciphersuites) {
++                try (SSLClient client = SSLClient.init(port, ciphersuite)) {
++                    client.connect();
++                    throw new RuntimeException("Expected SSLHandshakeException "
++                            + "not thrown");
++                } catch (SSLHandshakeException e) {
++                    System.out.println("Expected exception on client side: "
++                            + e);
++                }
++            }
++
++            server.stop();
++            while (server.isRunning()) {
++                sleep();
++            }
++
++            if (!server.sslError()) {
++                throw new RuntimeException("Expected SSL exception "
++                        + "not thrown on server side");
++            }
++        }
++
++    }
++
++    /*
++     * Checks if specified cipher suites can be used.
++     */
++    private static void checkSuccess(String[] ciphersuites) throws Exception {
++        try (SSLServer server = SSLServer.init(ciphersuites)) {
++            startNewThread(server);
++            while (!server.isRunning()) {
++                sleep();
++            }
++
++            int port = server.getPort();
++            for (String ciphersuite : ciphersuites) {
++                try (SSLClient client = SSLClient.init(port, ciphersuite)) {
++                    client.connect();
++                    String negotiated = client.getNegotiatedCipherSuite();
++                    System.out.println("Negotiated cipher suite: "
++                            + negotiated);
++                    if (!negotiated.equals(ciphersuite)) {
++                        throw new RuntimeException("Unexpected cipher suite: "
++                                + negotiated);
++                    }
++                }
++            }
++
++            server.stop();
++            while (server.isRunning()) {
++                sleep();
++            }
++
++            if (server.error()) {
++                throw new RuntimeException("Unexpected error on server side");
++            }
++        }
++
++    }
++
++    private static Thread startNewThread(SSLServer server) {
++        Thread serverThread = new Thread(server, "SSL server thread");
++        serverThread.setDaemon(true);
++        serverThread.start();
++        return serverThread;
++    }
++
++    private static void sleep() {
++        try {
++            TimeUnit.MILLISECONDS.sleep(50);
++        } catch (InterruptedException e) {
++            // do nothing
++        }
++    }
++
++    static class SSLServer implements Runnable, AutoCloseable {
++
++        private final SSLServerSocket ssocket;
++        private volatile boolean stopped = false;
++        private volatile boolean running = false;
++        private volatile boolean sslError = false;
++        private volatile boolean otherError = false;
++
++        private SSLServer(SSLServerSocket ssocket) {
++            this.ssocket = ssocket;
++        }
++
++        @Override
++        public void run() {
++            System.out.println("Server: started");
++            running = true;
++            while (!stopped) {
++                try (SSLSocket socket = (SSLSocket) ssocket.accept()) {
++                    System.out.println("Server: accepted client connection");
++                    InputStream in = socket.getInputStream();
++                    OutputStream out = socket.getOutputStream();
++                    int b = in.read();
++                    if (b < 0) {
++                        throw new IOException("Unexpected EOF");
++                    }
++                    System.out.println("Server: send data: " + b);
++                    out.write(b);
++                    out.flush();
++                    socket.getSession().invalidate();
++                } catch (SSLHandshakeException e) {
++                    System.out.println("Server: run: " + e);
++                    sslError = true;
++                } catch (IOException e) {
++                    if (!stopped) {
++                        System.out.println("Server: run: " + e);
++                        e.printStackTrace();
++                        otherError = true;
++                    }
++                }
++            }
++
++            System.out.println("Server: finished");
++            running = false;
++        }
++
++        int getPort() {
++            return ssocket.getLocalPort();
++        }
++
++        String[] getEnabledCiperSuites() {
++            return ssocket.getEnabledCipherSuites();
++        }
++
++        boolean isRunning() {
++            return running;
++        }
++
++        boolean sslError() {
++            return sslError;
++        }
++
++        boolean error() {
++            return sslError || otherError;
++        }
++
++        void stop() {
++            stopped = true;
++            if (!ssocket.isClosed()) {
++                try {
++                    ssocket.close();
++                } catch (IOException e) {
++                    System.out.println("Server: close: " + e);
++                }
++            }
++        }
++
++        @Override
++        public void close() {
++            stop();
++        }
++
++        static SSLServer init(String[] ciphersuites)
++                throws IOException {
++            SSLServerSocketFactory ssf = (SSLServerSocketFactory)
++                    SSLServerSocketFactory.getDefault();
++            SSLServerSocket ssocket = (SSLServerSocket)
++                    ssf.createServerSocket(0);
++
++            if (ciphersuites != null) {
++                System.out.println("Server: enable cipher suites: "
++                        + java.util.Arrays.toString(ciphersuites));
++                ssocket.setEnabledCipherSuites(ciphersuites);
++            }
++
++            return new SSLServer(ssocket);
++        }
++    }
++
++    static class SSLClient implements AutoCloseable {
++
++        private final SSLSocket socket;
++
++        private SSLClient(SSLSocket socket) {
++            this.socket = socket;
++        }
++
++        void connect() throws IOException {
++            System.out.println("Client: connect to server");
++            try (
++                    BufferedInputStream bis = new BufferedInputStream(
++                            socket.getInputStream());
++                    BufferedOutputStream bos = new BufferedOutputStream(
++                            socket.getOutputStream())) {
++                bos.write('x');
++                bos.flush();
++
++                int read = bis.read();
++                if (read < 0) {
++                    throw new IOException("Client: couldn't read a response");
++                }
++                socket.getSession().invalidate();
++            }
++        }
++
++        String[] getEnabledCiperSuites() {
++            return socket.getEnabledCipherSuites();
++        }
++
++        String getNegotiatedCipherSuite() {
++            return socket.getSession().getCipherSuite();
++        }
++
++        @Override
++        public void close() throws Exception {
++            if (!socket.isClosed()) {
++                try {
++                    socket.close();
++                } catch (IOException e) {
++                    System.out.println("Client: close: " + e);
++                }
++            }
++        }
++
++        static SSLClient init(int port)
++                throws NoSuchAlgorithmException, IOException {
++            return init(port, null);
++        }
++
++        static SSLClient init(int port, String ciphersuite)
++                throws NoSuchAlgorithmException, IOException {
++            SSLContext context = SSLContext.getDefault();
++            SSLSocketFactory ssf = (SSLSocketFactory)
++                    context.getSocketFactory();
++            SSLSocket socket = (SSLSocket) ssf.createSocket("localhost", port);
++
++            if (ciphersuite != null) {
++                System.out.println("Client: enable cipher suite: "
++                        + ciphersuite);
++                socket.setEnabledCipherSuites(new String[] { ciphersuite });
++            }
++
++            return new SSLClient(socket);
++        }
++
++    }
++
++
++}
+diff -Nru openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java
+--- openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java	2016-01-20 01:42:21.000000000 +0000
++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java	2016-01-25 20:23:28.749086605 +0000
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2001, 2002, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -30,7 +30,7 @@
+  */
+ 
+ import java.io.*;
+-import java.net.*;
++import java.security.Security;
+ import javax.net.ssl.*;
+ 
+ public class CipherSuiteOrder {
+@@ -192,6 +192,10 @@
+     volatile Exception clientException = null;
+ 
+     public static void main(String[] args) throws Exception {
++        // reset the security property to make sure that the algorithms
++        // and keys used in this test are not disabled.
++        Security.setProperty("jdk.tls.disabledAlgorithms", "");
++
+         String keyFilename =
+             System.getProperty("test.src", "./") + "/" + pathToStores +
+                 "/" + keyStoreFile;
+diff -Nru openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java
+--- openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java	2016-01-25 20:15:46.384811880 +0000
++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java	2016-01-25 20:17:49.902742622 +0000
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -102,10 +102,10 @@
+ import java.nio.*;
+ import java.security.KeyStore;
+ import java.security.KeyFactory;
++import java.security.Security;
+ import java.security.cert.Certificate;
+ import java.security.cert.CertificateFactory;
+ import java.security.spec.PKCS8EncodedKeySpec;
+-import java.security.spec.*;
+ import java.security.interfaces.*;
+ import java.util.Base64;
+ 
+@@ -367,6 +367,10 @@
+     }
+ 
+     public static void main(String args[]) throws Exception {
++        // reset the security property to make sure that the algorithms
++        // and keys used in this test are not disabled.
++        Security.setProperty("jdk.tls.disabledAlgorithms", "");
++
+         if (args.length != 4) {
+             System.out.println(
+                 "Usage: java DHEKeySizing cipher-suite " +
+diff -Nru openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java
+--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java	2016-01-20 01:42:24.000000000 +0000
++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java	2016-01-25 20:17:49.902742622 +0000
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -622,6 +622,9 @@
+     }
+ 
+     public static void main(String args[]) throws Exception {
++        // reset the security property to make sure that the algorithms
++        // and keys used in this test are not disabled.
++        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ 
+         CheckStatus cs;
+ 
+diff -Nru openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java
+--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java	2016-01-20 01:42:24.000000000 +0000
++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java	2016-01-25 20:20:24.580152890 +0000
+@@ -33,6 +33,8 @@
+  * The code could certainly be tightened up a lot.
+  *
+  * @author Brad Wetmore
++ *
++ * @run main/othervm ConnectionTest
+  */
+ 
+ import javax.net.ssl.*;
+@@ -672,6 +674,10 @@
+     }
+ 
+     public static void main(String args[]) throws Exception {
++        // reset the security property to make sure that the algorithms
++        // and keys used in this test are not disabled.
++        Security.setProperty("jdk.tls.disabledAlgorithms", "");
++
+         ConnectionTest ct = new ConnectionTest();
+         ct.test();
+     }
+diff -Nru openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java
+--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java	2016-01-20 01:42:24.000000000 +0000
++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java	2016-01-25 20:19:17.305278447 +0000
+@@ -180,6 +180,9 @@
+     }
+ 
+     public static void main(String args[]) throws Exception {
++        // reset the security property to make sure that the algorithms
++        // and keys used in this test are not disabled.
++        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ 
+         LargeBufs test;
+ 
+diff -Nru openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java
+--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java	2016-01-20 01:42:25.000000000 +0000
++++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java	2016-01-25 20:18:53.009685445 +0000
+@@ -33,7 +33,7 @@
+  */
+ 
+ import java.io.*;
+-import java.net.*;
++import java.security.Security;
+ import javax.net.ssl.*;
+ 
+ public class GenericStreamCipher {
+@@ -161,6 +161,10 @@
+     volatile Exception clientException = null;
+ 
+     public static void main(String[] args) throws Exception {
++        // reset the security property to make sure that the algorithms
++        // and keys used in this test are not disabled.
++        Security.setProperty("jdk.tls.disabledAlgorithms", "");
++
+         String keyFilename =
+             System.getProperty("test.src", ".") + "/" + pathToStores +
+                 "/" + keyStoreFile;
diff -r 33e9441c53fc -r 412e3ce4141e patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/openjdk/8078823-disabledalgorithms_fails_intermittently.patch	Mon Jan 25 22:06:42 2016 +0000
@@ -0,0 +1,58 @@
+# HG changeset patch
+# User asmotrak
+# Date 1435145895 -10800
+#      Wed Jun 24 14:38:15 2015 +0300
+# Node ID 66bf77932d57ef00e0c68c19c5e45e0b1de80fad
+# Parent  fddcb008fd1d285ed7d84011a43cdf556ab16bcb
+8078823: javax/net/ssl/ciphersuites/DisabledAlgorithms.java fails intermittently
+Reviewed-by: xuelei
+
+diff -r fddcb008fd1d -r 66bf77932d57 test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
+--- openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java	Tue Jun 23 15:07:18 2015 +0100
++++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java	Wed Jun 24 14:38:15 2015 +0300
+@@ -104,6 +104,8 @@
+             default:
+                 throw new RuntimeException("Wrong parameter: " + args[0]);
+         }
++
++        System.out.println("Test passed");
+     }
+ 
+     /*
+@@ -128,7 +130,6 @@
+                 }
+             }
+ 
+-            server.stop();
+             while (server.isRunning()) {
+                 sleep();
+             }
+@@ -224,11 +225,19 @@
+                 } catch (SSLHandshakeException e) {
+                     System.out.println("Server: run: " + e);
+                     sslError = true;
++                    stopped = true;
+                 } catch (IOException e) {
+                     if (!stopped) {
+-                        System.out.println("Server: run: " + e);
++                        System.out.println("Server: run: unexpected exception: "
++                                + e);
+                         e.printStackTrace();
+                         otherError = true;
++                        stopped = true;
++                    } else {
++                        System.out.println("Server: run: " + e);
++                        System.out.println("The exception above occurred "
++                                    + "because socket was closed, "
++                                    + "please ignore it");
+                     }
+                 }
+             }
+@@ -261,6 +270,7 @@
+             stopped = true;
+             if (!ssocket.isClosed()) {
+                 try {
++                    System.out.println("Server: close socket");
+                     ssocket.close();
+                 } catch (IOException e) {
+                     System.out.println("Server: close: " + e);
diff -r 33e9441c53fc -r 412e3ce4141e patches/pr2808-fix_disabled_algorithms_test.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/pr2808-fix_disabled_algorithms_test.patch	Mon Jan 25 22:06:42 2016 +0000
@@ -0,0 +1,226 @@
+--- openjdk.orig/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java	2015-10-21 05:20:57.910156611 +0100
++++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java	2016-01-25 21:58:39.334103875 +0000
+@@ -82,16 +82,14 @@
+         System.setProperty("javax.net.ssl.trustStore", trustFilename);
+         System.setProperty("javax.net.ssl.trustStorePassword", passwd);
+ 
+-        switch (args[0]) {
+-            case "default":
++        if ("default".equals(args[0])) {
+                 // use default jdk.tls.disabledAlgorithms
+                 System.out.println("jdk.tls.disabledAlgorithms = "
+                         + Security.getProperty("jdk.tls.disabledAlgorithms"));
+ 
+                 // check if RC4 cipher suites can't be used by default
+                 checkFailure(rc4_ciphersuites);
+-                break;
+-            case "empty":
++        } else if ("empty".equals(args[0])) {
+                 // reset jdk.tls.disabledAlgorithms
+                 Security.setProperty("jdk.tls.disabledAlgorithms", "");
+                 System.out.println("jdk.tls.disabledAlgorithms = "
+@@ -100,19 +98,19 @@
+                 // check if RC4 cipher suites can be used
+                 // if jdk.tls.disabledAlgorithms is empty
+                 checkSuccess(rc4_ciphersuites);
+-                break;
+-            default:
++        } else {
+                 throw new RuntimeException("Wrong parameter: " + args[0]);
+         }
+-
+-        System.out.println("Test passed");
+     }
+ 
+     /*
+      * Checks if that specified cipher suites cannot be used.
+      */
+     private static void checkFailure(String[] ciphersuites) throws Exception {
+-        try (SSLServer server = SSLServer.init(ciphersuites)) {
++        SSLServer server = null;
++
++        try {
++            server = SSLServer.init(ciphersuites);
+             startNewThread(server);
+             while (!server.isRunning()) {
+                 sleep();
+@@ -120,16 +118,21 @@
+ 
+             int port = server.getPort();
+             for (String ciphersuite : ciphersuites) {
+-                try (SSLClient client = SSLClient.init(port, ciphersuite)) {
++                SSLClient client = null;
++                try {
++                    client = SSLClient.init(port, ciphersuite);
+                     client.connect();
+                     throw new RuntimeException("Expected SSLHandshakeException "
+                             + "not thrown");
+                 } catch (SSLHandshakeException e) {
+                     System.out.println("Expected exception on client side: "
+                             + e);
++                } finally {
++                    if (client != null) { client.close(); }
+                 }
+             }
+ 
++            server.stop();
+             while (server.isRunning()) {
+                 sleep();
+             }
+@@ -138,15 +141,18 @@
+                 throw new RuntimeException("Expected SSL exception "
+                         + "not thrown on server side");
+             }
++        } finally {
++            if (server != null ) { server.close(); }
+         }
+-
+     }
+ 
+     /*
+      * Checks if specified cipher suites can be used.
+      */
+     private static void checkSuccess(String[] ciphersuites) throws Exception {
+-        try (SSLServer server = SSLServer.init(ciphersuites)) {
++        SSLServer server = null;
++        try {
++            server = SSLServer.init(ciphersuites);
+             startNewThread(server);
+             while (!server.isRunning()) {
+                 sleep();
+@@ -154,7 +160,9 @@
+ 
+             int port = server.getPort();
+             for (String ciphersuite : ciphersuites) {
+-                try (SSLClient client = SSLClient.init(port, ciphersuite)) {
++                SSLClient client = null;
++                try {
++                    client = SSLClient.init(port, ciphersuite);
+                     client.connect();
+                     String negotiated = client.getNegotiatedCipherSuite();
+                     System.out.println("Negotiated cipher suite: "
+@@ -163,6 +171,8 @@
+                         throw new RuntimeException("Unexpected cipher suite: "
+                                 + negotiated);
+                     }
++                } finally {
++                    if (client != null) { client.close(); }
+                 }
+             }
+ 
+@@ -174,6 +184,8 @@
+             if (server.error()) {
+                 throw new RuntimeException("Unexpected error on server side");
+             }
++        } finally {
++            if (server != null) { server.close(); }
+         }
+ 
+     }
+@@ -193,7 +205,7 @@
+         }
+     }
+ 
+-    static class SSLServer implements Runnable, AutoCloseable {
++    static class SSLServer implements Runnable {
+ 
+         private final SSLServerSocket ssocket;
+         private volatile boolean stopped = false;
+@@ -210,7 +222,9 @@
+             System.out.println("Server: started");
+             running = true;
+             while (!stopped) {
+-                try (SSLSocket socket = (SSLSocket) ssocket.accept()) {
++                SSLSocket socket = null;
++                try {
++                    socket = (SSLSocket) ssocket.accept();
+                     System.out.println("Server: accepted client connection");
+                     InputStream in = socket.getInputStream();
+                     OutputStream out = socket.getOutputStream();
+@@ -225,19 +239,16 @@
+                 } catch (SSLHandshakeException e) {
+                     System.out.println("Server: run: " + e);
+                     sslError = true;
+-                    stopped = true;
+                 } catch (IOException e) {
+                     if (!stopped) {
+-                        System.out.println("Server: run: unexpected exception: "
+-                                + e);
++                        System.out.println("Server: run: " + e);
+                         e.printStackTrace();
+                         otherError = true;
+-                        stopped = true;
+-                    } else {
+-                        System.out.println("Server: run: " + e);
+-                        System.out.println("The exception above occurred "
+-                                    + "because socket was closed, "
+-                                    + "please ignore it");
++                    }
++                } finally {
++                    if (socket != null ) {
++                        try { socket.close(); }
++                        catch (IOException e) { }
+                     }
+                 }
+             }
+@@ -270,7 +281,6 @@
+             stopped = true;
+             if (!ssocket.isClosed()) {
+                 try {
+-                    System.out.println("Server: close socket");
+                     ssocket.close();
+                 } catch (IOException e) {
+                     System.out.println("Server: close: " + e);
+@@ -278,7 +288,6 @@
+             }
+         }
+ 
+-        @Override
+         public void close() {
+             stop();
+         }
+@@ -300,7 +309,7 @@
+         }
+     }
+ 
+-    static class SSLClient implements AutoCloseable {
++    static class SSLClient {
+ 
+         private final SSLSocket socket;
+ 
+@@ -310,11 +319,12 @@
+ 
+         void connect() throws IOException {
+             System.out.println("Client: connect to server");
+-            try (
+-                    BufferedInputStream bis = new BufferedInputStream(
+-                            socket.getInputStream());
+-                    BufferedOutputStream bos = new BufferedOutputStream(
+-                            socket.getOutputStream())) {
++            BufferedInputStream bis = null;
++            BufferedOutputStream bos = null;
++            try {
++                bis = new BufferedInputStream(socket.getInputStream());
++                bos = new BufferedOutputStream(socket.getOutputStream());
++
+                 bos.write('x');
+                 bos.flush();
+ 
+@@ -323,6 +333,9 @@
+                     throw new IOException("Client: couldn't read a response");
+                 }
+                 socket.getSession().invalidate();
++            } finally {
++                if (bis != null) { bis.close(); }
++                if (bos != null) { bos.close(); }
+             }
+         }
+ 
+@@ -334,7 +347,6 @@
+             return socket.getSession().getCipherSuite();
+         }
+ 
+-        @Override
+         public void close() throws Exception {
+             if (!socket.isClosed()) {
+                 try {