--- a/src/java.base/share/conf/security/java.security Thu Oct 25 10:57:42 2018 -0700
+++ b/src/java.base/share/conf/security/java.security Thu Oct 25 10:58:59 2018 -0700
@@ -676,7 +676,7 @@
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
- EC keySize < 224, 3DES_EDE_CBC
+ EC keySize < 224, 3DES_EDE_CBC, anon, NULL
#
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
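Review bot: The two new entries on the `jdk.tls.disabledAlgorithms` line are added without a comment saying what they match or why they are off by default. `anon` covers suites with no peer authentication and `NULL` covers suites with no encryption, so an operator who edits this list should see that removing either one weakens every TLS connection in the JVM. Something like `# anon = unauthenticated key exchange, NULL = no encryption; both are disabled by default` above the property would do. The property's comment block starts outside this hunk, so this may already be covered there.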
--- a/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java Thu Oct 25 10:57:42 2018 -0700
+++ b/test/jdk/javax/net/ssl/SSLSession/JSSERenegotiate.java Thu Oct 25 10:58:59 2018 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -37,6 +37,7 @@
import java.io.*;
import java.net.*;
+import java.security.Security;
import javax.net.ssl.*;
public class JSSERenegotiate {
@@ -190,6 +191,10 @@
volatile Exception clientException = null;
public static void main(String[] args) throws Exception {
+ // reset the security property to make sure that the cipher suites
+ // used in this test are not disabled
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
String keyFilename =
System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + keyStoreFile;
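Review bot: Setting `jdk.tls.disabledAlgorithms` to the empty string at the top of `main` lifts every restriction in the default list (SSLv3, RC4, DES, 3DES and the DH/EC key-size limits), not only the `anon` and `NULL` entries this commit adds. `Security.setProperty` is JVM-wide, so the test has to run in its own VM; the `@run` line is not visible in this hunk and should be checked for `othervm`. The comment could also name the suites the test actually depends on, e.g. `// the suites negotiated below are presumably anon/NULL; the property is JVM-wide, so run in othervm`. The same reset is added to `main` in CustomizedCipherSuites.java. `main`'s body continues outside the hunk.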
--- a/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java Thu Oct 25 10:57:42 2018 -0700
+++ b/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java Thu Oct 25 10:58:59 2018 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
/*
* @test
- * @bug 8076221
+ * @bug 8076221 8211883
* @summary Check if weak cipher suites are disabled
* @modules jdk.crypto.ec
* @run main/othervm DisabledAlgorithms default
@@ -60,9 +60,9 @@
System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + trustStoreFile;
- // supported RC4 cipher suites
+ // supported RC4, NULL, and anon cipher suites
// it does not contain KRB5 cipher suites because they need a KDC
- private static final String[] rc4_ciphersuites = new String[] {
+ private static final String[] rc4_null_anon_ciphersuites = new String[] {
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"SSL_RSA_WITH_RC4_128_SHA",
@@ -70,7 +70,31 @@
"TLS_ECDH_RSA_WITH_RC4_128_SHA",
"SSL_RSA_WITH_RC4_128_MD5",
"TLS_ECDH_anon_WITH_RC4_128_SHA",
- "SSL_DH_anon_WITH_RC4_128_MD5"
+ "SSL_DH_anon_WITH_RC4_128_MD5",
+ "SSL_RSA_WITH_NULL_MD5",
+ "SSL_RSA_WITH_NULL_SHA",
+ "TLS_RSA_WITH_NULL_SHA256",
+ "TLS_ECDH_ECDSA_WITH_NULL_SHA",
+ "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+ "TLS_ECDH_RSA_WITH_NULL_SHA",
+ "TLS_ECDHE_RSA_WITH_NULL_SHA",
+ "TLS_ECDH_anon_WITH_NULL_SHA",
+ "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
+ "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
+ "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
+ "SSL_DH_anon_WITH_DES_CBC_SHA",
+ "SSL_DH_anon_WITH_RC4_128_MD5",
+ "TLS_DH_anon_WITH_AES_128_CBC_SHA",
+ "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
+ "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
+ "TLS_DH_anon_WITH_AES_256_CBC_SHA",
+ "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
+ "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+ "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
+ "TLS_ECDH_anon_WITH_NULL_SHA",
+ "TLS_ECDH_anon_WITH_RC4_128_SHA"
};
public static void main(String[] args) throws Exception {
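Review bot: Three names in `rc4_null_anon_ciphersuites` are now listed twice: `SSL_DH_anon_WITH_RC4_128_MD5`, `TLS_ECDH_anon_WITH_NULL_SHA` and `TLS_ECDH_anon_WITH_RC4_128_SHA` each appear in the RC4/NULL part and again in the anon part. Presumably `checkFailure` and `checkSuccess` exercise every entry, so the repeats only redo the same check; drop the second occurrences. Splitting the list into separate RC4, NULL and anon arrays would also let a failure show which category regressed. The array declaration starts in the previous hunk.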
@@ -89,8 +113,9 @@
System.out.println("jdk.tls.disabledAlgorithms = "
+ Security.getProperty("jdk.tls.disabledAlgorithms"));
- // check if RC4 cipher suites can't be used by default
- checkFailure(rc4_ciphersuites);
+ // check if RC4, NULL, and anon cipher suites
+ // can't be used by default
+ checkFailure(rc4_null_anon_ciphersuites);
break;
case "empty":
// reset jdk.tls.disabledAlgorithms
@@ -98,9 +123,9 @@
System.out.println("jdk.tls.disabledAlgorithms = "
+ Security.getProperty("jdk.tls.disabledAlgorithms"));
- // check if RC4 cipher suites can be used
+ // check if RC4, NULL, and anon cipher suites can be used
// if jdk.tls.disabledAlgorithms is empty
- checkSuccess(rc4_ciphersuites);
+ checkSuccess(rc4_null_anon_ciphersuites);
break;
default:
throw new RuntimeException("Wrong parameter: " + args[0]);
--- a/test/jdk/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java Thu Oct 25 10:57:42 2018 -0700
+++ b/test/jdk/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java Thu Oct 25 10:58:59 2018 -0700
@@ -74,6 +74,7 @@
* TLS_ECDH_anon_WITH_AES_128_CBC_SHA
*/
+import java.security.Security;
import javax.net.ssl.*;
/**
@@ -90,14 +91,18 @@
private static boolean isClientMode;
private static String enabledCipherSuite;
- private static String disabledCipherSuite;
+ private static String notEnabledCipherSuite;
public static void main(String[] args) throws Exception {
+ // reset the security property to make sure the cipher suites
+ // used in this test are not disabled
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
contextProtocol = trimQuotes(args[0]);
isClientMode = Boolean.parseBoolean(args[1]);
enabledCipherSuite = trimQuotes(args[2]);
- disabledCipherSuite = trimQuotes(args[3]);
+ notEnabledCipherSuite = trimQuotes(args[3]);
//
// Create instance of SSLContext with the specified protocol.
@@ -206,8 +211,8 @@
isMatch = true;
}
- if (!disabledCipherSuite.isEmpty() &&
- cipher.equals(disabledCipherSuite)) {
+ if (!notEnabledCipherSuite.isEmpty() &&
+ cipher.equals(notEnabledCipherSuite)) {
isBroken = true;
}
}
@@ -219,7 +224,7 @@
if (isBroken) {
throw new Exception(
- "Cipher suite " + disabledCipherSuite + " should be disabled");
+ "Cipher suite " + notEnabledCipherSuite + " should not be enabled");
}
}
@@ -231,7 +236,7 @@
}
boolean hasEnabledCipherSuite = enabledCipherSuite.isEmpty();
- boolean hasDisabledCipherSuite = disabledCipherSuite.isEmpty();
+ boolean hasNotEnabledCipherSuite = notEnabledCipherSuite.isEmpty();
for (String cipher : ciphers) {
System.out.println("\tsupported cipher suite " + cipher);
if (!enabledCipherSuite.isEmpty() &&
@@ -239,9 +244,9 @@
hasEnabledCipherSuite = true;
}
- if (!disabledCipherSuite.isEmpty() &&
- cipher.equals(disabledCipherSuite)) {
- hasDisabledCipherSuite = true;
+ if (!notEnabledCipherSuite.isEmpty() &&
+ cipher.equals(notEnabledCipherSuite)) {
+ hasNotEnabledCipherSuite = true;
}
}
@@ -250,9 +255,9 @@
"Cipher suite " + enabledCipherSuite + " should be supported");
}
- if (!hasDisabledCipherSuite) {
+ if (!hasNotEnabledCipherSuite) {
throw new Exception(
- "Cipher suite " + disabledCipherSuite + " should be supported");
+ "Cipher suite " + notEnabledCipherSuite + " should not be enabled");
}
}
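Review bot: The message on the final `throw` now says "should not be enabled", but that branch runs when `hasNotEnabledCipherSuite` is false, i.e. when the suite was not found in the list the loop prints as "supported cipher suite". The old wording matched that condition and the sibling check for `enabledCipherSuite`, so only the variable rename should apply here: `"Cipher suite " + notEnabledCipherSuite + " should be supported");`. As written, a suite missing from the supported list would be reported as wrongly enabled, which points the reader at the wrong failure. The enclosing method starts outside this hunk.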