changeset 9714:4586938ba63d
8211883: Disable anon and NULL cipher suites
Reviewed-by: mullan, coffeys
author | pkoppula |
---|---|
date | Wed, 13 Feb 2019 07:49:48 +0000 |
parents | ba99d2bbbda5 |
children | d3294ba0c8a4 |
files | src/share/lib/security/java.security-linux src/share/lib/security/java.security-macosx src/share/lib/security/java.security-solaris src/share/lib/security/java.security-windows test/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java test/sun/security/ssl/javax/net/ssl/NewAPIs/JSSERenegotiate.java |
diffstat | 6 files changed, 26 insertions(+), 16 deletions(-) [+] |
--- a/src/share/lib/security/java.security-linux Mon Oct 01 23:44:46 2018 +0100
+++ b/src/share/lib/security/java.security-linux Wed Feb 13 07:49:48 2019 +0000
@@ -553,7 +553,7 @@
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, RC4_40, 3DES_EDE_CBC
+    EC keySize < 224, RC4_40, 3DES_EDE_CBC, anon, NULL
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
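Review bot: The new `anon, NULL` tokens only take effect if this release's JSSE decomposes cipher-suite names into components that match those two words; that matching code is not part of this changeset, so its presence in this forest should be confirmed rather than assumed from the upstream fix. The syntax comment for this property sits above the hunk and is not shown, so it is unclear whether it tells readers what the two tokens select; a line such as `#   anon and NULL match cipher suites using anonymous key exchange or NULL encryption` next to the existing example would make the hardening self-explanatory. The same value change appears in the macosx, solaris and windows copies of this file.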
--- a/src/share/lib/security/java.security-macosx Mon Oct 01 23:44:46 2018 +0100
+++ b/src/share/lib/security/java.security-macosx Wed Feb 13 07:49:48 2019 +0000
@@ -558,7 +558,7 @@
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, RC4_40, 3DES_EDE_CBC
+    EC keySize < 224, RC4_40, 3DES_EDE_CBC, anon, NULL
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
--- a/src/share/lib/security/java.security-solaris Mon Oct 01 23:44:46 2018 +0100
+++ b/src/share/lib/security/java.security-solaris Wed Feb 13 07:49:48 2019 +0000
@@ -557,7 +557,7 @@
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, RC4_40, 3DES_EDE_CBC
+    EC keySize < 224, RC4_40, 3DES_EDE_CBC, anon, NULL
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
--- a/src/share/lib/security/java.security-windows Mon Oct 01 23:44:46 2018 +0100
+++ b/src/share/lib/security/java.security-windows Wed Feb 13 07:49:48 2019 +0000
@@ -558,7 +558,7 @@
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, RC4_40, 3DES_EDE_CBC
+    EC keySize < 224, RC4_40, 3DES_EDE_CBC, anon, NULL
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
--- a/test/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java Mon Oct 01 23:44:46 2018 +0100
+++ b/test/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java Wed Feb 13 07:49:48 2019 +0000
@@ -74,6 +74,7 @@
  * TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  */
+import java.security.Security;
 import javax.net.ssl.*;
 /**
@@ -90,14 +91,18 @@
     private static boolean isClientMode;
     private static String enabledCipherSuite;
-    private static String disabledCipherSuite;
+    private static String notEnabledCipherSuite;
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure the cipher suites
+        // used in this test are not disabled
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         contextProtocol = trimQuotes(args[0]);
         isClientMode = Boolean.parseBoolean(args[1]);
         enabledCipherSuite = trimQuotes(args[2]);
-        disabledCipherSuite = trimQuotes(args[3]);
+        notEnabledCipherSuite = trimQuotes(args[3]);
         //
         // Create instance of SSLContext with the specified protocol.
@@ -206,8 +211,8 @@
                 isMatch = true;
             }
-            if (!disabledCipherSuite.isEmpty() &&
-                    cipher.equals(disabledCipherSuite)) {
+            if (!notEnabledCipherSuite.isEmpty() &&
+                    cipher.equals(notEnabledCipherSuite)) {
                 isBroken = true;
             }
         }
@@ -219,7 +224,7 @@
         if (isBroken) {
             throw new Exception(
-                "Cipher suite " + disabledCipherSuite + " should be disabled");
+                "Cipher suite " + notEnabledCipherSuite + " should not be enabled");
         }
     }
@@ -231,7 +236,7 @@
         }
         boolean hasEnabledCipherSuite = enabledCipherSuite.isEmpty();
-        boolean hasDisabledCipherSuite = disabledCipherSuite.isEmpty();
+        boolean hasNotEnabledCipherSuite = notEnabledCipherSuite.isEmpty();
         for (String cipher : ciphers) {
             System.out.println("\tsupported cipher suite " + cipher);
             if (!enabledCipherSuite.isEmpty() &&
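Review bot: `Security.setProperty("jdk.tls.disabledAlgorithms", "")` in the `@@ -90,14 +91,18 @@` hunk clears the whole property, so besides `anon` and `NULL` it also re-enables SSLv3, DES, MD5withRSA and the key-size limits for this JVM, which is broader than the comment above it says. That is harmless only if each run gets its own JVM: the property is process-global, and the jtreg `@run` lines are outside the hunk, so confirm they use `othervm` or the relaxed setting leaks into other tests sharing the VM. Make the comment say what is actually done, e.g. `// clear jdk.tls.disabledAlgorithms entirely (the default now lists anon and NULL) so the suites under test are not filtered out; requires othervm`. The same call and comment appear in the main hunk of JSSERenegotiate.java.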
@@ -239,9 +244,9 @@
                 hasEnabledCipherSuite = true;
             }
-            if (!disabledCipherSuite.isEmpty() &&
-                    cipher.equals(disabledCipherSuite)) {
-                hasDisabledCipherSuite = true;
+            if (!notEnabledCipherSuite.isEmpty() &&
+                    cipher.equals(notEnabledCipherSuite)) {
+                hasNotEnabledCipherSuite = true;
             }
         }
@@ -250,9 +255,9 @@
                 "Cipher suite " + enabledCipherSuite + " should be supported");
         }
-        if (!hasDisabledCipherSuite) {
+        if (!hasNotEnabledCipherSuite) {
             throw new Exception(
-                "Cipher suite " + disabledCipherSuite + " should be supported");
+                "Cipher suite " + notEnabledCipherSuite + " should not be enabled");
         }
     }
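Review bot: In the `@@ -250,9 +255,9 @@` hunk the new message `" should not be enabled"` no longer describes the failure: `hasNotEnabledCipherSuite` is set when the suite shows up in the supported-suite list, so `!hasNotEnabledCipherSuite` means the suite is missing from the supported suites, which the old wording "should be supported" stated correctly and which the context line for `enabledCipherSuite` just above still uses. Restore it: `"Cipher suite " + notEnabledCipherSuite + " should be supported");`. The matching rename in the `@@ -219,7 +224,7 @@` hunk of this file is fine, since that loop walks the enabled suites. The enclosing method begins before this hunk.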
--- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/JSSERenegotiate.java Mon Oct 01 23:44:46 2018 +0100
+++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/JSSERenegotiate.java Wed Feb 13 07:49:48 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -38,6 +38,7 @@
 import java.io.*;
 import java.net.*;
+import java.security.Security;
 import javax.net.ssl.*;
 public class JSSERenegotiate {
@@ -191,6 +192,10 @@
     volatile Exception clientException = null;
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the cipher suites
+        // used in this test are not disabled
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + keyStoreFile;