# HG changeset patch
# User xuelei
# Date 1453868482 0
# Wed Jan 27 04:21:22 2016 +0000
# Node ID 8d589911411743fa38badf69c10aa067eaa996b7
# Parent ceb95f0d38d7ab09762dd7ff33bb855f3088a6b5
8076221, PR2809: Disable RC4 cipher suites
Reviewed-by: wetmore
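diff --git openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux
--- openjdk.orig/jdk/src/share/lib/security/java.security-linux
+++ openjdk/jdk/src/share/lib/security/java.security-linux
@@ -556,8 +556,8 @@
 #
 # Example:
 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, DES, MD5withRSA, DH keySize < 1024, \
- EC keySize < 224, RC4_40, 3DES_EDE_CBC, anon, NULL
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
+ EC keySize < 224, 3DES_EDE_CBC, anon, NULL
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.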
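Review bot: The new `RC4` token in `jdk.tls.disabledAlgorithms` disables every RC4 cipher suite and so subsumes the `RC4_40` entry it replaces, but the `jdk.tls.legacyAlgorithms` list in the section that begins at the hunk's last context lines may still carry `RC4_128` and `RC4_40` entries; that is harmless because a disabled entry wins over a legacy one, yet a one-line comment above the property such as `# RC4 is disabled outright (8076221); the legacy list below no longer governs it` would save the next reader the lookup. The same edit is repeated verbatim in the macosx, solaris and windows copies of java.security in this commit, so any wording added here should be applied to all four.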
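diff --git openjdk.orig/jdk/src/share/lib/security/java.security-macosx openjdk/jdk/src/share/lib/security/java.security-macosx
--- openjdk.orig/jdk/src/share/lib/security/java.security-macosx
+++ openjdk/jdk/src/share/lib/security/java.security-macosx
@@ -561,8 +561,8 @@
 #
 # Example:
 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, DES, MD5withRSA, DH keySize < 1024, \
- EC keySize < 224, RC4_40, 3DES_EDE_CBC, anon, NULL
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
+ EC keySize < 224, 3DES_EDE_CBC, anon, NULL
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.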
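diff --git openjdk.orig/jdk/src/share/lib/security/java.security-solaris openjdk/jdk/src/share/lib/security/java.security-solaris
--- openjdk.orig/jdk/src/share/lib/security/java.security-solaris
+++ openjdk/jdk/src/share/lib/security/java.security-solaris
@@ -560,8 +560,8 @@
 #
 # Example:
 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, DES, MD5withRSA, DH keySize < 1024, \
- EC keySize < 224, RC4_40, 3DES_EDE_CBC, anon, NULL
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
+ EC keySize < 224, 3DES_EDE_CBC, anon, NULL
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.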
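diff --git openjdk.orig/jdk/src/share/lib/security/java.security-windows openjdk/jdk/src/share/lib/security/java.security-windows
--- openjdk.orig/jdk/src/share/lib/security/java.security-windows
+++ openjdk/jdk/src/share/lib/security/java.security-windows
@@ -561,8 +561,8 @@
 #
 # Example:
 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, DES, MD5withRSA, DH keySize < 1024, \
- EC keySize < 224, RC4_40, 3DES_EDE_CBC, anon, NULL
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
+ EC keySize < 224, 3DES_EDE_CBC, anon, NULL
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.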
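diff --git openjdk.orig/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
new file mode 100644
--- /dev/null
+++ openjdk/jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
@@ -0,0 +1,362 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.NoSuchAlgorithmException;
+import java.security.Security;
+import java.util.concurrent.TimeUnit;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
+/**
+ * @test
+ * @bug 8076221
+ * @summary Check if weak cipher suites are disabled
+ * @run main/othervm DisabledAlgorithms default
+ * @run main/othervm DisabledAlgorithms empty
+ */
+public class DisabledAlgorithms {
+
+ private static final String pathToStores =
+ "../../../../sun/security/ssl/etc";
+ private static final String keyStoreFile = "keystore";
+ private static final String trustStoreFile = "truststore";
+ private static final String passwd = "passphrase";
+
+ private static final String keyFilename =
+ System.getProperty("test.src", "./") + "/" + pathToStores +
+ "/" + keyStoreFile;
+
+ private static final String trustFilename =
+ System.getProperty("test.src", "./") + "/" + pathToStores +
+ "/" + trustStoreFile;
+
+ // supported RC4 cipher suites
+ // it does not contain KRB5 cipher suites because they need a KDC
+ private static final String[] rc4_ciphersuites = new String[] {
+ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+ "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+ "SSL_RSA_WITH_RC4_128_SHA",
+ "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+ "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+ "SSL_RSA_WITH_RC4_128_MD5",
+ "TLS_ECDH_anon_WITH_RC4_128_SHA",
+ "SSL_DH_anon_WITH_RC4_128_MD5"
+ };
+
+ public static void main(String[] args) throws Exception {
+ if (args.length < 1) {
+ throw new RuntimeException("No parameters specified");
+ }
+
+ System.setProperty("javax.net.ssl.keyStore", keyFilename);
+ System.setProperty("javax.net.ssl.keyStorePassword", passwd);
+ System.setProperty("javax.net.ssl.trustStore", trustFilename);
+ System.setProperty("javax.net.ssl.trustStorePassword", passwd);
+
+ switch (args[0]) {
+ case "default":
+ // use default jdk.tls.disabledAlgorithms
+ System.out.println("jdk.tls.disabledAlgorithms = "
+ + Security.getProperty("jdk.tls.disabledAlgorithms"));
+
+ // check if RC4 cipher suites can't be used by default
+ checkFailure(rc4_ciphersuites);
+ break;
+ case "empty":
+ // reset jdk.tls.disabledAlgorithms
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+ System.out.println("jdk.tls.disabledAlgorithms = "
+ + Security.getProperty("jdk.tls.disabledAlgorithms"));
+
+ // check if RC4 cipher suites can be used
+ // if jdk.tls.disabledAlgorithms is empty
+ checkSuccess(rc4_ciphersuites);
+ break;
+ default:
+ throw new RuntimeException("Wrong parameter: " + args[0]);
+ }
+ }
+
+ /*
+ * Checks if that specified cipher suites cannot be used.
+ */
+ private static void checkFailure(String[] ciphersuites) throws Exception {
+ try (SSLServer server = SSLServer.init(ciphersuites)) {
+ startNewThread(server);
+ while (!server.isRunning()) {
+ sleep();
+ }
+
+ int port = server.getPort();
+ for (String ciphersuite : ciphersuites) {
+ try (SSLClient client = SSLClient.init(port, ciphersuite)) {
+ client.connect();
+ throw new RuntimeException("Expected SSLHandshakeException "
+ + "not thrown");
+ } catch (SSLHandshakeException e) {
+ System.out.println("Expected exception on client side: "
+ + e);
+ }
+ }
+
+ server.stop();
+ while (server.isRunning()) {
+ sleep();
+ }
+
+ if (!server.sslError()) {
+ throw new RuntimeException("Expected SSL exception "
+ + "not thrown on server side");
+ }
+ }
+
+ }
+
+ /*
+ * Checks if specified cipher suites can be used.
+ */
+ private static void checkSuccess(String[] ciphersuites) throws Exception {
+ try (SSLServer server = SSLServer.init(ciphersuites)) {
+ startNewThread(server);
+ while (!server.isRunning()) {
+ sleep();
+ }
+
+ int port = server.getPort();
+ for (String ciphersuite : ciphersuites) {
+ try (SSLClient client = SSLClient.init(port, ciphersuite)) {
+ client.connect();
+ String negotiated = client.getNegotiatedCipherSuite();
+ System.out.println("Negotiated cipher suite: "
+ + negotiated);
+ if (!negotiated.equals(ciphersuite)) {
+ throw new RuntimeException("Unexpected cipher suite: "
+ + negotiated);
+ }
+ }
+ }
+
+ server.stop();
+ while (server.isRunning()) {
+ sleep();
+ }
+
+ if (server.error()) {
+ throw new RuntimeException("Unexpected error on server side");
+ }
+ }
+
+ }
+
+ private static Thread startNewThread(SSLServer server) {
+ Thread serverThread = new Thread(server, "SSL server thread");
+ serverThread.setDaemon(true);
+ serverThread.start();
+ return serverThread;
+ }
+
+ private static void sleep() {
+ try {
+ TimeUnit.MILLISECONDS.sleep(50);
+ } catch (InterruptedException e) {
+ // do nothing
+ }
+ }
+
+ static class SSLServer implements Runnable, AutoCloseable {
+
+ private final SSLServerSocket ssocket;
+ private volatile boolean stopped = false;
+ private volatile boolean running = false;
+ private volatile boolean sslError = false;
+ private volatile boolean otherError = false;
+
+ private SSLServer(SSLServerSocket ssocket) {
+ this.ssocket = ssocket;
+ }
+
+ @Override
+ public void run() {
+ System.out.println("Server: started");
+ running = true;
+ while (!stopped) {
+ try (SSLSocket socket = (SSLSocket) ssocket.accept()) {
+ System.out.println("Server: accepted client connection");
+ InputStream in = socket.getInputStream();
+ OutputStream out = socket.getOutputStream();
+ int b = in.read();
+ if (b < 0) {
+ throw new IOException("Unexpected EOF");
+ }
+ System.out.println("Server: send data: " + b);
+ out.write(b);
+ out.flush();
+ socket.getSession().invalidate();
+ } catch (SSLHandshakeException e) {
+ System.out.println("Server: run: " + e);
+ sslError = true;
+ } catch (IOException e) {
+ if (!stopped) {
+ System.out.println("Server: run: " + e);
+ e.printStackTrace();
+ otherError = true;
+ }
+ }
+ }
+
+ System.out.println("Server: finished");
+ running = false;
+ }
+
+ int getPort() {
+ return ssocket.getLocalPort();
+ }
+
+ String[] getEnabledCiperSuites() {
+ return ssocket.getEnabledCipherSuites();
+ }
+
+ boolean isRunning() {
+ return running;
+ }
+
+ boolean sslError() {
+ return sslError;
+ }
+
+ boolean error() {
+ return sslError || otherError;
+ }
+
+ void stop() {
+ stopped = true;
+ if (!ssocket.isClosed()) {
+ try {
+ ssocket.close();
+ } catch (IOException e) {
+ System.out.println("Server: close: " + e);
+ }
+ }
+ }
+
+ @Override
+ public void close() {
+ stop();
+ }
+
+ static SSLServer init(String[] ciphersuites)
+ throws IOException {
+ SSLServerSocketFactory ssf = (SSLServerSocketFactory)
+ SSLServerSocketFactory.getDefault();
+ SSLServerSocket ssocket = (SSLServerSocket)
+ ssf.createServerSocket(0);
+
+ if (ciphersuites != null) {
+ System.out.println("Server: enable cipher suites: "
+ + java.util.Arrays.toString(ciphersuites));
+ ssocket.setEnabledCipherSuites(ciphersuites);
+ }
+
+ return new SSLServer(ssocket);
+ }
+ }
+
+ static class SSLClient implements AutoCloseable {
+
+ private final SSLSocket socket;
+
+ private SSLClient(SSLSocket socket) {
+ this.socket = socket;
+ }
+
+ void connect() throws IOException {
+ System.out.println("Client: connect to server");
+ try (
+ BufferedInputStream bis = new BufferedInputStream(
+ socket.getInputStream());
+ BufferedOutputStream bos = new BufferedOutputStream(
+ socket.getOutputStream())) {
+ bos.write('x');
+ bos.flush();
+
+ int read = bis.read();
+ if (read < 0) {
+ throw new IOException("Client: couldn't read a response");
+ }
+ socket.getSession().invalidate();
+ }
+ }
+
+ String[] getEnabledCiperSuites() {
+ return socket.getEnabledCipherSuites();
+ }
+
+ String getNegotiatedCipherSuite() {
+ return socket.getSession().getCipherSuite();
+ }
+
+ @Override
+ public void close() throws Exception {
+ if (!socket.isClosed()) {
+ try {
+ socket.close();
+ } catch (IOException e) {
+ System.out.println("Client: close: " + e);
+ }
+ }
+ }
+
+ static SSLClient init(int port)
+ throws NoSuchAlgorithmException, IOException {
+ return init(port, null);
+ }
+
+ static SSLClient init(int port, String ciphersuite)
+ throws NoSuchAlgorithmException, IOException {
+ SSLContext context = SSLContext.getDefault();
+ SSLSocketFactory ssf = (SSLSocketFactory)
+ context.getSocketFactory();
+ SSLSocket socket = (SSLSocket) ssf.createSocket("localhost", port);
+
+ if (ciphersuite != null) {
+ System.out.println("Client: enable cipher suite: "
+ + ciphersuite);
+ socket.setEnabledCipherSuites(new String[] { ciphersuite });
+ }
+
+ return new SSLClient(socket);
+ }
+
+ }
+
+
+}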
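Review bot: The `sleep()` helper swallows `InterruptedException` with a bare `// do nothing`, so an interrupt delivered while `checkFailure` or `checkSuccess` is polling `server.isRunning()` is lost and the loop keeps spinning; the conventional fix is `Thread.currentThread().interrupt();` in the catch, with the two polling loops also bailing out (for example by throwing) once `Thread.currentThread().isInterrupted()` is set, otherwise re-interrupting alone would make every subsequent sleep return immediately. Separately, `getEnabledCiperSuites()` is misspelled and never called in either `SSLServer` or `SSLClient`, as is `SSLClient.init(int)`; either delete them or rename to `getEnabledCipherSuites()` so the test does not ship dead code. `java.util.Arrays.toString` in `SSLServer.init` is the file's only fully-qualified reference; an `import java.util.Arrays;` beside the other imports would match the file's style. The server-side assertion in `checkFailure` only proves that at least one handshake was rejected, since `sslError` is a sticky boolean; counting rejections and comparing against `ciphersuites.length` would make the check as strict as the client-side loop.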
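diff --git openjdk.orig/jdk/test/sun/security/krb5/auto/SSL.java openjdk/jdk/test/sun/security/krb5/auto/SSL.java
--- openjdk.orig/jdk/test/sun/security/krb5/auto/SSL.java
+++ openjdk/jdk/test/sun/security/krb5/auto/SSL.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -40,6 +40,7 @@
 import java.net.InetAddress;
 import javax.net.ssl.*;
 import java.security.Principal;
+import java.security.Security;
 import java.util.Date;
 import sun.security.jgss.GSSUtil;
 import sun.security.krb5.PrincipalName;
@@ -54,6 +55,9 @@
 private static volatile int port;
 
 public static void main(String[] args) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
 
 krb5Cipher = args[0];
 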
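Review bot: `Security.setProperty("jdk.tls.disabledAlgorithms", "")` at the top of `main` clears the whole list, so this test JVM re-enables SSLv3, MD5withRSA, short DH/EC keys, anon and NULL suites as well as the suites the test actually exercises; narrowing the value to the default list with only the needed tokens removed would keep the rest of the hardening in force, and the comment should name which entries are being re-enabled and why. Security properties are process-wide, so every test that resets them must run in its own VM; ConnectionTest gains a `@run main/othervm` tag in this commit, but this file, CipherSuiteOrder, CheckStatus, LargeBufs and GenericStreamCipher do not show their `@run` lines in the hunks, so confirm they already run with othervm. CheckStatus and LargeBufs add the call without adding an import, which presumably means `java.security.*` is already imported there; worth a glance. The same reset appears in all six files and this note covers them all. `main` continues outside the hunk.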
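diff --git openjdk.orig/jdk/test/sun/security/ssl/CipherSuite/NoDesRC4CiphSuite.java openjdk/jdk/test/sun/security/ssl/CipherSuite/NoDesRC4CiphSuite.java
--- openjdk.orig/jdk/test/sun/security/ssl/CipherSuite/NoDesRC4CiphSuite.java
+++ openjdk/jdk/test/sun/security/ssl/CipherSuite/NoDesRC4CiphSuite.java
@@ -95,12 +95,9 @@
 allGood &= testEngOnlyDisabled(DES_CS_LIST_NAMES);
 
 // Disabled RC4 tests
- /*
- RC4 is not yet disabled, as 8076221 has not been backported
 allGood &= testDefaultCase(RC4_CS_LIST);
 allGood &= testEngAddDisabled(RC4_CS_LIST_NAMES, RC4_CS_LIST);
 allGood &= testEngOnlyDisabled(RC4_CS_LIST_NAMES);
- */
 
 if (allGood) {
 System.err.println("All tests passed");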
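diff --git openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java
--- openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java
+++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/CipherSuiteOrder.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2002, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -36,7 +36,7 @@
 */
 
 import java.io.*;
-import java.net.*;
+import java.security.Security;
 import javax.net.ssl.*;
 
 public class CipherSuiteOrder {
@@ -198,6 +198,10 @@
 volatile Exception clientException = null;
 
 public static void main(String[] args) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
 String keyFilename =
 System.getProperty("test.src", "./") + "/" + pathToStores +
 "/" + keyStoreFile;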
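Review bot: Replacing `import java.net.*;` with `import java.security.Security;` in the second hunk removes every java.net type from scope, and the hunk shows none of the class body, so this compiles only if no `InetAddress`, `Socket` or similar name is used in CipherSuiteOrder; if the wildcard really was unused this is a welcome cleanup, otherwise keep `import java.net.*;` and add the Security import on its own line. GenericStreamCipher receives the identical import swap later in this commit and carries the same caveat.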
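diff --git openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java
--- openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java
+++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java
@@ -103,10 +103,10 @@
 import java.security.Security;
 import java.security.KeyStore;
 import java.security.KeyFactory;
+import java.security.Security;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.security.spec.PKCS8EncodedKeySpec;
-import java.security.spec.*;
 import java.security.interfaces.*;
 import sun.misc.BASE64Decoder;
 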
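Review bot: The added `import java.security.Security;` duplicates the one already present three lines above it as unchanged context, so the new line is redundant; javac accepts a repeated single-type import of the same type, but the line should be dropped rather than left as noise. Removing `import java.security.spec.*;` while keeping only `java.security.spec.PKCS8EncodedKeySpec` is safe only if no other `java.security.spec` type is referenced in the body, which the hunk does not show, so a compile of the test before pushing is worth it. The pre-existing Security import suggests this tree already diverged from upstream here, which would explain how the duplicate slipped through the backport.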
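diff --git openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java
--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java
+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/CheckStatus.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -622,6 +622,9 @@
 }
 
 public static void main(String args[]) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
 
 CheckStatus cs;
 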
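diff --git openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java
--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java
+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/ConnectionTest.java
@@ -33,6 +33,8 @@
 * The code could certainly be tightened up a lot.
 *
 * @author Brad Wetmore
+ *
+ * @run main/othervm ConnectionTest
 */
 
 import javax.net.ssl.*;
@@ -672,6 +674,10 @@
 }
 
 public static void main(String args[]) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
 ConnectionTest ct = new ConnectionTest();
 ct.test();
 }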
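diff --git openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java
--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java
+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/LargeBufs.java
@@ -180,6 +180,9 @@
 }
 
 public static void main(String args[]) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
 
 LargeBufs test;
 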
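diff --git openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java
--- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java
+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/GenericStreamCipher.java
@@ -37,7 +37,7 @@
 */
 
 import java.io.*;
-import java.net.*;
+import java.security.Security;
 import javax.net.ssl.*;
 
 public class GenericStreamCipher {
@@ -165,6 +165,10 @@
 volatile Exception clientException = null;
 
 public static void main(String[] args) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
 String keyFilename =
 System.getProperty("test.src", ".") + "/" + pathToStores +
 "/" + keyStoreFile;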