Skip to content

Commit

Permalink
Backport 00d22f605d2b54f2774aeaa1edfbb146a5635f21
Browse files Browse the repository at this point in the history
  • Loading branch information
@zzambers
zzambers committed Jun 11, 2024
1 parent 61dde50 commit fd21258
Show file tree
Hide file tree
Showing 7 changed files with 47 additions and 96 deletions.
2 changes: 1 addition & 1 deletion jdk/src/share/lib/security/java.security-aix
View file
Original file line number Diff line number Diff line change
Expand Up @@ -703,7 +703,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, ECDH, \
include jdk.disabled.namedCurves

# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
Expand Down
2 changes: 1 addition & 1 deletion jdk/src/share/lib/security/java.security-linux
View file
Original file line number Diff line number Diff line change
Expand Up @@ -703,7 +703,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, ECDH, \
include jdk.disabled.namedCurves

# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
Expand Down
2 changes: 1 addition & 1 deletion jdk/src/share/lib/security/java.security-macosx
View file
Original file line number Diff line number Diff line change
Expand Up @@ -706,7 +706,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, ECDH, \
include jdk.disabled.namedCurves

# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
Expand Down
2 changes: 1 addition & 1 deletion jdk/src/share/lib/security/java.security-solaris
View file
Original file line number Diff line number Diff line change
Expand Up @@ -704,7 +704,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, ECDH, \
include jdk.disabled.namedCurves

# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
Expand Down
2 changes: 1 addition & 1 deletion jdk/src/share/lib/security/java.security-windows
View file
Original file line number Diff line number Diff line change
Expand Up @@ -706,7 +706,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, ECDH, \
include jdk.disabled.namedCurves

# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
Expand Down
37 changes: 24 additions & 13 deletions jdk/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@

/*
* @test
* @bug 8076221 8211883
* @bug 8076221 8211883 8279164
* @summary Check if weak cipher suites are disabled
* @run main/othervm DisabledAlgorithms default
* @run main/othervm DisabledAlgorithms empty
Expand Down Expand Up @@ -59,9 +59,9 @@ public class DisabledAlgorithms {
System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + trustStoreFile;

// supported RC4, NULL, and anon cipher suites
// it does not contain KRB5 cipher suites because they need a KDC
private static final String[] rc4_null_anon_ciphersuites = new String[] {
// disabled RC4, NULL, anon, and ECDH cipher suites
private static final String[] disabled_ciphersuites
= new String[] {
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"SSL_RSA_WITH_RC4_128_SHA",
Expand Down Expand Up @@ -93,7 +93,19 @@ public class DisabledAlgorithms {
"TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
"TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
"TLS_ECDH_anon_WITH_NULL_SHA",
"TLS_ECDH_anon_WITH_RC4_128_SHA"
"TLS_ECDH_anon_WITH_RC4_128_SHA",
"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"
};

public static void main(String[] args) throws Exception {
Expand All @@ -112,19 +124,18 @@ public static void main(String[] args) throws Exception {
System.out.println("jdk.tls.disabledAlgorithms = "
+ Security.getProperty("jdk.tls.disabledAlgorithms"));

// check if RC4, NULL, and anon cipher suites
// can't be used by default
checkFailure(rc4_null_anon_ciphersuites);
// check that disabled cipher suites can't be used by default
checkFailure(disabled_ciphersuites);
break;
case "empty":
// reset jdk.tls.disabledAlgorithms
Security.setProperty("jdk.tls.disabledAlgorithms", "");
System.out.println("jdk.tls.disabledAlgorithms = "
+ Security.getProperty("jdk.tls.disabledAlgorithms"));

// check if RC4, NULL, and anon cipher suites can be used
// if jdk.tls.disabledAlgorithms is empty
checkSuccess(rc4_null_anon_ciphersuites);
// check that disabled cipher suites can be used if
// jdk.tls.disabledAlgorithms is empty
checkSuccess(disabled_ciphersuites);
break;
default:
throw new RuntimeException("Wrong parameter: " + args[0]);
Expand All @@ -150,11 +161,12 @@ private static void checkFailure(String[] ciphersuites) throws Exception {
throw new RuntimeException("Expected SSLHandshakeException "
+ "not thrown");
} catch (SSLHandshakeException e) {
System.out.println("Expected exception on client side: "
System.out.println("Got expected exception on client side: "
+ e);
}
}

server.stop();
while (server.isRunning()) {
sleep();
}
Expand Down Expand Up @@ -250,7 +262,6 @@ public void run() {
} catch (SSLHandshakeException e) {
System.out.println("Server: run: " + e);
sslError = true;
stopped = true;
} catch (IOException e) {
if (!stopped) {
System.out.println("Server: run: unexpected exception: "
Expand Down
96 changes: 18 additions & 78 deletions jdk/test/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand All @@ -23,7 +23,7 @@

/*
* @test
* @bug 4750141 4895631 8217579 8163326
* @bug 4750141 4895631 8217579 8163326 8279164
* @summary Check enabled and supported ciphersuites are correct
* @run main/othervm CheckCipherSuites default
* @run main/othervm CheckCipherSuites limited
Expand All @@ -46,52 +46,36 @@ public class CheckCipherSuites {
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",

// AES_256(GCM) - ECDHE - forward screcy
// AES_256(GCM) - ECDHE - forward secrecy
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",

// AES_128(GCM) - ECDHE - forward screcy
// AES_128(GCM) - ECDHE - forward secrecy
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

// AES_256(GCM) - DHE - forward screcy
// AES_256(GCM) - DHE - forward secrecy
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",

// AES_128(GCM) - DHE - forward screcy
// AES_128(GCM) - DHE - forward secrecy
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",

// AES_256(CBC) - ECDHE - forward screcy
// AES_256(CBC) - ECDHE - forward secrecy
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",

// AES_256(CBC) - ECDHE - forward screcy
// AES_256(CBC) - ECDHE - forward secrecy
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",

// AES_256(CBC) - DHE - forward screcy
// AES_256(CBC) - DHE - forward secrecy
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",

// AES_128(CBC) - DHE - forward screcy
// AES_128(CBC) - DHE - forward secrecy
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",

// AES_256(GCM) - not forward screcy
"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",

// AES_128(GCM) - not forward screcy
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",

// AES_256(CBC) - not forward screcy
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",

// AES_128(CBC) - not forward screcy
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",

// AES_256(CBC) - ECDHE - using SHA
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
Expand All @@ -108,14 +92,6 @@ public class CheckCipherSuites {
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",

// AES_256(CBC) - using SHA, not forward screcy
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",

// AES_128(CBC) - using SHA, not forward screcy
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",

// deprecated
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
Expand All @@ -138,16 +114,10 @@ public class CheckCipherSuites {
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA",
Expand All @@ -165,52 +135,36 @@ public class CheckCipherSuites {
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",

// AES_256(GCM) - ECDHE - forward screcy
// AES_256(GCM) - ECDHE - forward secrecy
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",

// AES_128(GCM) - ECDHE - forward screcy
// AES_128(GCM) - ECDHE - forward secrecy
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

// AES_256(GCM) - DHE - forward screcy
// AES_256(GCM) - DHE - forward secrecy
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",

// AES_128(GCM) - DHE - forward screcy
// AES_128(GCM) - DHE - forward secrecy
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",

// AES_256(CBC) - ECDHE - forward screcy
// AES_256(CBC) - ECDHE - forward secrecy
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",

// AES_256(CBC) - ECDHE - forward screcy
// AES_256(CBC) - ECDHE - forward secrecy
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",

// AES_256(CBC) - DHE - forward screcy
// AES_256(CBC) - DHE - forward secrecy
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",

// AES_128(CBC) - DHE - forward screcy
// AES_128(CBC) - DHE - forward secrecy
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",

// AES_256(GCM) - not forward screcy
"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",

// AES_128(GCM) - not forward screcy
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",

// AES_256(CBC) - not forward screcy
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",

// AES_128(CBC) - not forward screcy
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",

// AES_256(CBC) - ECDHE - using SHA
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
Expand All @@ -227,14 +181,6 @@ public class CheckCipherSuites {
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",

// AES_256(CBC) - using SHA, not forward screcy
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",

// AES_128(CBC) - using SHA, not forward screcy
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",

// deprecated
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
Expand All @@ -257,16 +203,10 @@ public class CheckCipherSuites {
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA",
Expand Down

0 comments on commit fd21258

Please sign in to comment.