changeset 10661:1c0cc3bbe07d jdk8u31-b09
8061210: Issues in TLS
Reviewed-by: jnimeh, mullan, wetmore, ahgross, asmotrak
--- a/src/share/classes/sun/security/ssl/Handshaker.java Fri May 23 19:43:14 2014 +0400 +++ b/src/share/classes/sun/security/ssl/Handshaker.java Fri Oct 24 11:49:24 2014 +0000 @@ -500,7 +500,9 @@ if (activeProtocols.collection().isEmpty() || activeProtocols.max.v == ProtocolVersion.NONE.v) { - throw new SSLHandshakeException("No appropriate protocol"); + throw new SSLHandshakeException( + "No appropriate protocol (protocol is disabled or " + + "cipher suites are inappropriate)"); } if (activeCipherSuites == null) { @@ -678,6 +680,16 @@ if (activeProtocols == null) { ArrayList<ProtocolVersion> protocols = new ArrayList<>(4); for (ProtocolVersion protocol : enabledProtocols.collection()) { + if (!algorithmConstraints.permits( + EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), + protocol.name, null)) { + if (debug != null && Debug.isOn("verbose")) { + System.out.println( + "Ignoring disabled protocol: " + protocol); + } + + continue; + } boolean found = false; for (CipherSuite suite : enabledCipherSuites.collection()) { if (suite.isAvailable() && suite.obsoleted > protocol.v &&
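Review bot: The new `algorithmConstraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), protocol.name, null)` call in the second hunk checks a protocol name, not a key-agreement algorithm, and nothing in the code says why that primitive is passed. A short comment above the `if` would help, for example `// Protocol names are matched against the disabled-algorithm list; KEY_AGREEMENT appears to be only a placeholder primitive for the permits() call.` The skipped protocol is reported only under the `verbose` debug option, so an application that enabled it explicitly learns of the drop only through the reworded "No appropriate protocol" exception in the first hunk. The enclosing loop and method start and end outside the hunk.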
--- a/src/share/classes/sun/security/ssl/ProtocolVersion.java Fri May 23 19:43:14 2014 +0400 +++ b/src/share/classes/sun/security/ssl/ProtocolVersion.java Fri Oct 24 11:49:24 2014 +0000 @@ -25,6 +25,9 @@ package sun.security.ssl; +import java.util.*; +import java.security.CryptoPrimitive; + /** * Type safe enum for an SSL/TLS protocol version. Instances are obtained * using the static factory methods or by referencing the static members @@ -86,6 +89,11 @@ // Default version for hello messages (SSLv2Hello) final static ProtocolVersion DEFAULT_HELLO = FIPS ? TLS10 : SSL30; + // Available protocols + // + // Including all supported protocols except the disabled ones. + final static Set<ProtocolVersion> availableProtocols; + // version in 16 bit MSB format as it appears in records and // messages, i.e. 0x0301 for TLS 1.0 public final int v; @@ -96,6 +104,24 @@ // name used in JSSE (e.g. TLSv1 for TLS 1.0) final String name; + // Initialize the available protocols. + static { + Set<ProtocolVersion> protocols = new HashSet<>(5); + + ProtocolVersion[] pvs = new ProtocolVersion[] { + SSL20Hello, SSL30, TLS10, TLS11, TLS12}; + for (ProtocolVersion p : pvs) { + if (SSLAlgorithmConstraints.DEFAULT_SSL_ONLY.permits( + EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), + p.name, null)) { + protocols.add(p); + } + } + + availableProtocols = + Collections.<ProtocolVersion>unmodifiableSet(protocols); + } + // private private ProtocolVersion(int v, String name) { this.v = v;
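Review bot: `availableProtocols` is computed once in the static initializer, so it reflects whatever `SSLAlgorithmConstraints.DEFAULT_SSL_ONLY` permits at the moment `ProtocolVersion` is first loaded; a later change to the disabled-algorithms setting would presumably not be seen by the default protocol lists built from this set. The field comment should say so, for example `// Computed once at class initialization from the default SSL/TLS constraints; later changes to the security property are not reflected.` The set also relies on `contains()` matching the instances listed in `pvs`, which holds as long as callers pass the static constants (equals/hashCode are not visible in this hunk). As a style point, `import java.util.*;` could name `Collections`, `EnumSet`, `HashSet` and `Set` explicitly.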
--- a/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java Fri May 23 19:43:14 2014 +0400 +++ b/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java Fri Oct 24 11:49:24 2014 +0000 @@ -55,6 +55,14 @@ private boolean enabledX509DisabledAlgConstraints = true; + // the default algorithm constraints + final static AlgorithmConstraints DEFAULT = + new SSLAlgorithmConstraints(null); + + // the default SSL only algorithm constraints + final static AlgorithmConstraints DEFAULT_SSL_ONLY = + new SSLAlgorithmConstraints((SSLSocket)null, false); + SSLAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) { userAlgConstraints = algorithmConstraints; }
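Review bot: The comment `// the default SSL only algorithm constraints` does not say what distinguishes `DEFAULT_SSL_ONLY` from `DEFAULT`, and the bare `false` in `new SSLAlgorithmConstraints((SSLSocket)null, false)` cannot be understood without opening the constructor, which is outside this hunk. Judging from the `enabledX509DisabledAlgConstraints` field in the context line, the flag presumably switches off the certification-path constraints; if so, say it: `// applies only the SSL/TLS disabled-algorithm list, without the X.509 certification path constraints`. Both constants are created during class initialization, so they should stay below any static state the constructors read, which cannot be confirmed from the visible lines.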
--- a/src/share/classes/sun/security/ssl/SSLContextImpl.java Fri May 23 19:43:14 2014 +0400 +++ b/src/share/classes/sun/security/ssl/SSLContextImpl.java Fri Oct 24 11:49:24 2014 +0000 @@ -52,10 +52,6 @@ private X509TrustManager trustManager; private SecureRandom secureRandom; - // The default algrithm constraints - private AlgorithmConstraints defaultAlgorithmConstraints = - new SSLAlgorithmConstraints(null); - // supported and default protocols private ProtocolList defaultServerProtocolList; private ProtocolList defaultClientProtocolList; @@ -350,7 +346,7 @@ if (suite.isAvailable() && suite.obsoleted > protocols.min.v && suite.supported <= protocols.max.v) { - if (defaultAlgorithmConstraints.permits( + if (SSLAlgorithmConstraints.DEFAULT.permits( EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) { suites.add(suite); @@ -431,11 +427,16 @@ */ private abstract static class AbstractSSLContext extends SSLContextImpl { // parameters - private final static SSLParameters defaultServerSSLParams; - private final static SSLParameters supportedSSLParams; + private static final SSLParameters defaultServerSSLParams; + private static final SSLParameters supportedSSLParams; static { + // supported SSL parameters supportedSSLParams = new SSLParameters(); + + // candidates for available protocols + ProtocolVersion[] candidates; + if (SunJSSE.isFIPS()) { supportedSSLParams.setProtocols(new String[] { ProtocolVersion.TLS10.name, @@ -443,7 +444,11 @@ ProtocolVersion.TLS12.name }); - defaultServerSSLParams = supportedSSLParams; + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; } else { supportedSSLParams.setProtocols(new String[] { ProtocolVersion.SSL20Hello.name, 
@@ -453,8 +458,18 @@ ProtocolVersion.TLS12.name }); - defaultServerSSLParams = supportedSSLParams; + candidates = new ProtocolVersion[] { + ProtocolVersion.SSL20Hello, + ProtocolVersion.SSL30, + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; } + + defaultServerSSLParams = new SSLParameters(); + defaultServerSSLParams.setProtocols( + getAvailableProtocols(candidates).toArray(new String[0])); } @Override @@ -466,6 +481,22 @@ SSLParameters getSupportedSSLParams() { return supportedSSLParams; } + + static List<String> getAvailableProtocols( + ProtocolVersion[] protocolCandidates) { + + List<String> availableProtocols = Collections.<String>emptyList(); + if (protocolCandidates != null && protocolCandidates.length != 0) { + availableProtocols = new ArrayList<>(protocolCandidates.length); + for (ProtocolVersion p : protocolCandidates) { + if (ProtocolVersion.availableProtocols.contains(p)) { + availableProtocols.add(p.name); + } + } + } + + return availableProtocols; + } } /* @@ -474,21 +505,25 @@ * @see SSLContext */ public static final class TLS10Context extends AbstractSSLContext { - private final static SSLParameters defaultClientSSLParams; + private static final SSLParameters defaultClientSSLParams; static { - defaultClientSSLParams = new SSLParameters(); + // candidates for available protocols + ProtocolVersion[] candidates; if (SunJSSE.isFIPS()) { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.TLS10.name - }); + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS10 + }; + } else { + candidates = new ProtocolVersion[] { + ProtocolVersion.SSL30, + ProtocolVersion.TLS10 + }; + } - } else { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.SSL30.name, - ProtocolVersion.TLS10.name - }); - } + defaultClientSSLParams = new SSLParameters(); + defaultClientSSLParams.setProtocols( + getAvailableProtocols(candidates).toArray(new String[0])); } @Override 
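Review bot: `getAvailableProtocols` has no comment, and its local `availableProtocols` has the same name as the `ProtocolVersion.availableProtocols` set it filters against, which makes the loop harder to read than it needs to be. Renaming the local (for example `List<String> names`) and adding a short Javadoc would cover it; the Javadoc should state that the method returns the names of the candidates that are not disabled by default, in candidate order, and an empty list for a null or empty array. The null/empty path returns the immutable `Collections.emptyList()` while the other path returns a mutable `ArrayList`; the callers in this commit only call `toArray`, so this is harmless today but worth a word in the Javadoc.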
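Review bot: The tail of the `TLS10Context` static block, `defaultClientSSLParams = new SSLParameters();` followed by `setProtocols(getAvailableProtocols(candidates).toArray(new String[0]))`, is repeated in the `AbstractSSLContext`, `TLS11Context`, `TLS12Context` and `CustomizedSSLContext` initializers of this commit. A small helper in `AbstractSSLContext` that takes the candidates and returns the filled `SSLParameters` would let each block end in one line, such as `defaultClientSSLParams = newDefaultParams(candidates);` (helper name is only an example). That keeps the disabled-protocol filtering in one place, so a later change to it cannot miss one of the five copies.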
@@ -503,23 +538,27 @@ * @see SSLContext */ public static final class TLS11Context extends AbstractSSLContext { - private final static SSLParameters defaultClientSSLParams; + private static final SSLParameters defaultClientSSLParams; static { - defaultClientSSLParams = new SSLParameters(); + // candidates for available protocols + ProtocolVersion[] candidates; if (SunJSSE.isFIPS()) { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name - }); + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS10, + ProtocolVersion.TLS11 + }; + } else { + candidates = new ProtocolVersion[] { + ProtocolVersion.SSL30, + ProtocolVersion.TLS10, + ProtocolVersion.TLS11 + }; + } - } else { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.SSL30.name, - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name - }); - } + defaultClientSSLParams = new SSLParameters(); + defaultClientSSLParams.setProtocols( + getAvailableProtocols(candidates).toArray(new String[0])); } @Override 
@@ -534,25 +573,29 @@ * @see SSLContext */ public static final class TLS12Context extends AbstractSSLContext { - private final static SSLParameters defaultClientSSLParams; + private static final SSLParameters defaultClientSSLParams; static { - defaultClientSSLParams = new SSLParameters(); + // candidates for available protocols + ProtocolVersion[] candidates; if (SunJSSE.isFIPS()) { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name, - ProtocolVersion.TLS12.name - }); + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; + } else { + candidates = new ProtocolVersion[] { + ProtocolVersion.SSL30, + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; + } - } else { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.SSL30.name, - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name, - ProtocolVersion.TLS12.name - }); - } + defaultClientSSLParams = new SSLParameters(); + defaultClientSSLParams.setProtocols( + getAvailableProtocols(candidates).toArray(new String[0])); } @Override @@ -567,8 +610,8 @@ * @see SSLContext */ private static class CustomizedSSLContext extends AbstractSSLContext { - private final static String PROPERTY_NAME = "jdk.tls.client.protocols"; - private final static SSLParameters defaultClientSSLParams; + private static final String PROPERTY_NAME = "jdk.tls.client.protocols"; + private static final SSLParameters defaultClientSSLParams; private static IllegalArgumentException reservedException = null; // Don't want a java.lang.LinkageError for illegal system property. 
@@ -578,60 +621,74 @@ // the provider service. Instead, let's handle the initialization // exception in constructor. static { + // candidates for available protocols + ProtocolVersion[] candidates; + String property = AccessController.doPrivileged( new GetPropertyAction(PROPERTY_NAME)); - defaultClientSSLParams = new SSLParameters(); if (property == null || property.length() == 0) { // the default enabled client TLS protocols if (SunJSSE.isFIPS()) { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name, - ProtocolVersion.TLS12.name - }); - + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; } else { - defaultClientSSLParams.setProtocols(new String[] { - ProtocolVersion.SSL30.name, - ProtocolVersion.TLS10.name, - ProtocolVersion.TLS11.name, - ProtocolVersion.TLS12.name - }); + candidates = new ProtocolVersion[] { + ProtocolVersion.SSL30, + ProtocolVersion.TLS10, + ProtocolVersion.TLS11, + ProtocolVersion.TLS12 + }; } } else { // remove double quote marks from beginning/end of the property - if (property.charAt(0) == '"' && + if (property.length() > 1 && property.charAt(0) == '"' && property.charAt(property.length() - 1) == '"') { property = property.substring(1, property.length() - 1); } - String[] protocols = property.split(","); + String[] protocols = null; + if (property != null && property.length() != 0) { + protocols = property.split(","); + } else { + reservedException = new IllegalArgumentException( + "No protocol specified in " + + PROPERTY_NAME + " system property"); + protocols = new String[0]; + } + + candidates = new ProtocolVersion[protocols.length]; for (int i = 0; i < protocols.length; i++) { protocols[i] = protocols[i].trim(); // Is it a supported protocol name? 
try { - ProtocolVersion.valueOf(protocols[i]); + candidates[i] = ProtocolVersion.valueOf(protocols[i]); } catch (IllegalArgumentException iae) { reservedException = new IllegalArgumentException( - PROPERTY_NAME + ": " + protocols[i] + - " is not a standard SSL protocol name", iae); + PROPERTY_NAME + ": " + protocols[i] + + " is not a standard SSL/TLS protocol name", iae); + break; } } if ((reservedException == null) && SunJSSE.isFIPS()) { - for (String protocol : protocols) { - if (ProtocolVersion.SSL20Hello.name.equals(protocol) || - ProtocolVersion.SSL30.name.equals(protocol)) { + for (ProtocolVersion protocolVersion : candidates) { + if (ProtocolVersion.SSL20Hello.v == protocolVersion.v || + ProtocolVersion.SSL30.v == protocolVersion.v) { reservedException = new IllegalArgumentException( - PROPERTY_NAME + ": " + protocol + + PROPERTY_NAME + ": " + protocolVersion + " is not FIPS compliant"); } } } + } - if (reservedException == null) { - defaultClientSSLParams.setProtocols(protocols); - } + defaultClientSSLParams = new SSLParameters(); + if (reservedException == null) { + defaultClientSSLParams.setProtocols( + getAvailableProtocols(candidates).toArray(new String[0])); } }
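Review bot: When `jdk.tls.client.protocols` names only protocols that the disabled-algorithm list removes, `reservedException` stays null and `defaultClientSSLParams` ends up with an empty protocol array, so the misconfiguration is reported nowhere at initialization. It would presumably surface only later as the generic "No appropriate protocol" handshake failure. Consider at least a debug trace when `getAvailableProtocols(candidates)` returns an empty list for a non-empty `candidates`, in the style of the `Debug.isOn("verbose")` message added to Handshaker. Separately, the FIPS loop still has no `break` after setting `reservedException`, unlike the `valueOf` loop above it, so the last offending protocol is the one named in the message. The constructor that rethrows `reservedException` is outside the hunk.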
--- a/src/share/lib/security/java.security-aix Fri May 23 19:43:14 2014 +0400
+++ b/src/share/lib/security/java.security-aix Fri Oct 24 11:49:24 2014 +0000
@@ -479,8 +479,12 @@
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS. This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -495,4 +499,5 @@
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
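Review bot: The active line `jdk.tls.disabledAlgorithms=SSLv3` in the second hunk sits directly under the `# Example:` comment, so it reads as part of the example rather than as the shipped default. A blank line and a short comment before it would make the status clear, e.g. `# Default: SSLv3 is disabled for SSL/TLS connections.` The section text also never says that protocol version names are accepted values; the first hunk mentions protocol version negotiation but not the name format. Since the default appears to live only in this file, an installation that keeps an older java.security presumably does not get SSLv3 disabled, which is worth stating in the release notes. The same applies to the linux, macosx, solaris and windows variants below.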
--- a/src/share/lib/security/java.security-linux Fri May 23 19:43:14 2014 +0400
+++ b/src/share/lib/security/java.security-linux Fri Oct 24 11:49:24 2014 +0000
@@ -479,8 +479,12 @@
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS. This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -495,4 +499,5 @@
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
--- a/src/share/lib/security/java.security-macosx Fri May 23 19:43:14 2014 +0400
+++ b/src/share/lib/security/java.security-macosx Fri Oct 24 11:49:24 2014 +0000
@@ -482,8 +482,12 @@
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS. This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -498,4 +502,5 @@
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
--- a/src/share/lib/security/java.security-solaris Fri May 23 19:43:14 2014 +0400
+++ b/src/share/lib/security/java.security-solaris Fri Oct 24 11:49:24 2014 +0000
@@ -481,8 +481,12 @@
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS. This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -497,4 +501,5 @@
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
--- a/src/share/lib/security/java.security-windows Fri May 23 19:43:14 2014 +0400
+++ b/src/share/lib/security/java.security-windows Fri Oct 24 11:49:24 2014 +0000
@@ -482,8 +482,12 @@
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS. This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -498,4 +502,5 @@
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
--- a/test/sun/security/ec/TestEC.java Fri May 23 19:43:14 2014 +0400 +++ b/test/sun/security/ec/TestEC.java Fri Oct 24 11:49:24 2014 +0000 @@ -68,6 +68,10 @@ } public static void main0(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + Provider p = Security.getProvider("SunEC"); if (p == null) {
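Review bot: Every test touched by this commit clears `jdk.tls.disabledAlgorithms`, which turns the new filtering off; none of the visible changes asserts that a disabled protocol such as SSLv3 is absent from the default protocol lists or refused at handshake. A test that leaves the property at its shipped value and checks that would cover the behaviour this commit introduces. The `Security.setProperty` call also has to run before any JSSE class is initialized, because the available-protocol set is built in a static initializer, and it changes JVM-wide state, so these tests need `othervm` mode; that tag is visible only for testEnabledProtocols and sanity/interop/ClientJSSEServerJSSE. This file, pkcs11/sslecc/ClientJSSEServerJSSE, DelegatedTaskWrongException and testEnabledProtocols gain no `java.security.Security` import in their hunks, so it is assumed to be imported already outside the view.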
--- a/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java Fri May 23 19:43:14 2014 +0400 +++ b/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java Fri Oct 24 11:49:24 2014 +0000 @@ -43,6 +43,10 @@ private static String[] cmdArgs; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + cmdArgs = args; main(new ClientJSSEServerJSSE()); }
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java Fri May 23 19:43:14 2014 +0400 +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java Fri Oct 24 11:49:24 2014 +0000 @@ -32,6 +32,7 @@ import java.io.*; import java.net.*; import javax.net.ssl.*; +import java.security.Security; public class HttpsProtocols implements HostnameVerifier { @@ -177,6 +178,10 @@ volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + keyStoreFile;
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java Fri May 23 19:43:14 2014 +0400 +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java Fri Oct 24 11:49:24 2014 +0000 @@ -35,6 +35,7 @@ import javax.net.*; import javax.net.ssl.*; import java.util.Arrays; +import java.security.Security; public class CustomizedDefaultProtocols { static enum ContextVersion { @@ -93,6 +94,10 @@ } public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + boolean failed = false; for (ContextVersion cv : ContextVersion.values()) { System.out.println("Checking SSLContext of " + cv.contextVersion);
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java Fri May 23 19:43:14 2014 +0400 +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java Fri Oct 24 11:49:24 2014 +0000 @@ -34,6 +34,7 @@ import javax.net.*; import javax.net.ssl.*; import java.util.Arrays; +import java.security.Security; public class DefaultEnabledProtocols { static enum ContextVersion { @@ -92,6 +93,10 @@ } public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + boolean failed = false; for (ContextVersion cv : ContextVersion.values()) { System.out.println("Checking SSLContext of " + cv.contextVersion);
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java Fri May 23 19:43:14 2014 +0400 +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java Fri Oct 24 11:49:24 2014 +0000 @@ -35,6 +35,7 @@ import javax.net.*; import javax.net.ssl.*; import java.util.Arrays; +import java.security.Security; public class NoOldVersionContext { static enum ContextVersion { @@ -93,6 +94,10 @@ } public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + boolean failed = false; for (ContextVersion cv : ContextVersion.values()) { System.out.println("Checking SSLContext of " + cv.contextVersion);
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java Fri May 23 19:43:14 2014 +0400 +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java Fri Oct 24 11:49:24 2014 +0000 @@ -115,6 +115,9 @@ } public static void main(String args[]) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); DelegatedTaskWrongException test;
--- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java Fri May 23 19:43:14 2014 +0400 +++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java Fri Oct 24 11:49:24 2014 +0000 @@ -21,6 +21,11 @@ * questions. */ +// +// SunJSSE does not support dynamic system properties, no way to re-use +// system properties in samevm/agentvm mode. +// + /* * @test * @bug 4416068 4478803 4479736 @@ -31,9 +36,6 @@ * 4701722 protocol mismatch exceptions should be consistent between * SSLv3 and TLSv1 * @run main/othervm testEnabledProtocols - * - * SunJSSE does not support dynamic system properties, no way to re-use - * system properties in samevm/agentvm mode. * @author Ram Marti */ @@ -120,6 +122,10 @@ volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + keyStoreFile;
--- a/test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java Fri May 23 19:43:14 2014 +0400 +++ b/test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java Fri Oct 24 11:49:24 2014 +0000 @@ -44,6 +44,7 @@ import java.net.*; import java.util.*; import java.nio.channels.*; +import java.security.Security; public class SSLEngineExplorer extends SSLEngineService { @@ -231,6 +232,10 @@ volatile int serverPort = 0; public static void main(String args[]) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + if (debug) System.setProperty("javax.net.debug", "all");
--- a/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java Fri May 23 19:43:14 2014 +0400 +++ b/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java Fri Oct 24 11:49:24 2014 +0000 @@ -45,6 +45,7 @@ import java.util.*; import java.net.*; import javax.net.ssl.*; +import java.security.Security; public class SSLSocketExplorer { @@ -224,6 +225,10 @@ volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + "/" + keyStoreFile;
--- a/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java Fri May 23 19:43:14 2014 +0400 +++ b/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java Fri Oct 24 11:49:24 2014 +0000 @@ -29,9 +29,15 @@ * @run main/othervm/timeout=300 ClientJSSEServerJSSE */ +import java.security.Security; + public class ClientJSSEServerJSSE { public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.tls.disabledAlgorithms", ""); + CipherTest.main(new JSSEFactory(), args); }