8144773: Further reduce use of MD5
authorxuelei
Tue, 15 Dec 2015 12:59:00 +0000
changeset 35298 9f93cbce8c44
parent 35297 e0ab9045a0dc
child 35299 d5737dedc6df
8144773: Further reduce use of MD5 Reviewed-by: mullan, wetmore, jnimeh, ahgross
jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java
jdk/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java
jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java
jdk/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java
jdk/src/java.base/share/classes/sun/security/ssl/SignatureAndHashAlgorithm.java
jdk/src/java.base/share/conf/security/java.security
jdk/test/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java
jdk/test/javax/net/ssl/ServerName/SSLSocketSNISensitive.java
jdk/test/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java
jdk/test/javax/net/ssl/TLSv12/ShortRSAKey512.java
jdk/test/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java
jdk/test/sun/net/www/protocol/https/HttpsURLConnection/DNSIdentities.java
jdk/test/sun/net/www/protocol/https/HttpsURLConnection/IPAddressIPIdentities.java
jdk/test/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java
jdk/test/sun/net/www/protocol/https/HttpsURLConnection/Identities.java
jdk/test/sun/security/ssl/SSLContextImpl/MD2InTrustAnchor.java
jdk/test/sun/security/ssl/SSLContextImpl/TrustTrustedCert.java
jdk/test/sun/security/ssl/X509KeyManager/PreferredKey.java
jdk/test/sun/security/ssl/X509TrustManagerImpl/BasicConstraints.java
jdk/test/sun/security/ssl/X509TrustManagerImpl/PKIXExtendedTM.java
jdk/test/sun/security/ssl/X509TrustManagerImpl/SelfIssuedCert.java
jdk/test/sun/security/ssl/X509TrustManagerImpl/SunX509ExtendedTM.java
--- a/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java	Tue Dec 15 12:59:00 2015 +0000
@@ -333,7 +333,7 @@
                             input, serverKey,
                             clnt_random.random_bytes, svr_random.random_bytes,
                             messageLen,
-                            localSupportedSignAlgs, protocolVersion);
+                            getLocalSupportedSignAlgs(), protocolVersion);
                     handshakeState.update(dhSrvKeyExchange, resumingSession);
                     this.serverKeyExchange(dhSrvKeyExchange);
                 } catch (GeneralSecurityException e) {
@@ -348,7 +348,7 @@
                         new ECDH_ServerKeyExchange
                             (input, serverKey, clnt_random.random_bytes,
                             svr_random.random_bytes,
-                            localSupportedSignAlgs, protocolVersion);
+                            getLocalSupportedSignAlgs(), protocolVersion);
                     handshakeState.update(ecdhSrvKeyExchange, resumingSession);
                     this.serverKeyExchange(ecdhSrvKeyExchange);
                 } catch (GeneralSecurityException e) {
@@ -398,7 +398,7 @@
 
                 Collection<SignatureAndHashAlgorithm> supportedPeerSignAlgs =
                     SignatureAndHashAlgorithm.getSupportedAlgorithms(
-                                                            peerSignAlgs);
+                            algorithmConstraints, peerSignAlgs);
                 if (supportedPeerSignAlgs.isEmpty()) {
                     throw new SSLHandshakeException(
                         "No supported signature and hash algorithm in common");
@@ -1211,8 +1211,8 @@
                 if (protocolVersion.useTLS12PlusSpec()) {
                     preferableSignatureAlgorithm =
                         SignatureAndHashAlgorithm.getPreferableAlgorithm(
-                            peerSupportedSignAlgs, signingKey.getAlgorithm(),
-                            signingKey);
+                            getPeerSupportedSignAlgs(),
+                            signingKey.getAlgorithm(), signingKey);
 
                     if (preferableSignatureAlgorithm == null) {
                         throw new SSLHandshakeException(
--- a/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1943,7 +1943,7 @@
     // the signature bytes
     private byte[] signature;
 
-    // protocol version being established using this ServerKeyExchange message
+    // protocol version being established using this CertificateVerify message
     ProtocolVersion protocolVersion;
 
     // the preferable signature algorithm used by this CertificateVerify message
@@ -1996,7 +1996,7 @@
                     preferableSignatureAlgorithm)) {
                 throw new SSLHandshakeException(
                         "Unsupported SignatureAndHashAlgorithm in " +
-                        "ServerKeyExchange message");
+                        "CertificateVerify message");
             }
         }
 
--- a/jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java	Tue Dec 15 12:59:00 2015 +0000
@@ -90,7 +90,7 @@
     AlgorithmConstraints        algorithmConstraints = null;
 
     // Local supported signature and algorithms
-    Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs;
+    private Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs;
 
     // Peer supported signature and algorithms
     Collection<SignatureAndHashAlgorithm> peerSupportedSignAlgs;
--- a/jdk/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java	Tue Dec 15 12:59:00 2015 +0000
@@ -320,7 +320,7 @@
             case HandshakeMessage.ht_certificate_verify:
                 CertificateVerify cvm =
                         new CertificateVerify(input,
-                            localSupportedSignAlgs, protocolVersion);
+                            getLocalSupportedSignAlgs(), protocolVersion);
                 handshakeState.update(cvm, resumingSession);
                 this.clientCertificateVerify(cvm);
 
@@ -772,11 +772,10 @@
                     Collection<SignatureAndHashAlgorithm>
                         supportedPeerSignAlgs =
                             SignatureAndHashAlgorithm.getSupportedAlgorithms(
-                                                            peerSignAlgs);
+                                algorithmConstraints, peerSignAlgs);
                     if (supportedPeerSignAlgs.isEmpty()) {
                         throw new SSLHandshakeException(
-                            "No supported signature and hash algorithm " +
-                            "in common");
+                            "No signature and hash algorithm in common");
                     }
 
                     setPeerSupportedSignAlgs(supportedPeerSignAlgs);
@@ -1351,6 +1350,13 @@
                     supportedSignAlgs =
                         new ArrayList<SignatureAndHashAlgorithm>(1);
                     supportedSignAlgs.add(algorithm);
+
+                    supportedSignAlgs =
+                            SignatureAndHashAlgorithm.getSupportedAlgorithms(
+                                algorithmConstraints, supportedSignAlgs);
+
+                    // May be no default activated signature algorithm, but
+                    // let the following process make the final decision.
                 }
 
                 // Sets the peer supported signature algorithm to use in KM
@@ -1395,6 +1401,11 @@
                     SignatureAndHashAlgorithm.getPreferableAlgorithm(
                                         supportedSignAlgs, "RSA", privateKey);
                 if (preferableSignatureAlgorithm == null) {
+                    if ((debug != null) && Debug.isOn("handshake")) {
+                        System.out.println(
+                                "No signature and hash algorithm for cipher " +
+                                suite);
+                    }
                     return false;
                 }
             }
@@ -1413,6 +1424,11 @@
                     SignatureAndHashAlgorithm.getPreferableAlgorithm(
                                         supportedSignAlgs, "RSA", privateKey);
                 if (preferableSignatureAlgorithm == null) {
+                    if ((debug != null) && Debug.isOn("handshake")) {
+                        System.out.println(
+                                "No signature and hash algorithm for cipher " +
+                                suite);
+                    }
                     return false;
                 }
             }
@@ -1428,6 +1444,11 @@
                     SignatureAndHashAlgorithm.getPreferableAlgorithm(
                                                 supportedSignAlgs, "DSA");
                 if (preferableSignatureAlgorithm == null) {
+                    if ((debug != null) && Debug.isOn("handshake")) {
+                        System.out.println(
+                                "No signature and hash algorithm for cipher " +
+                                suite);
+                    }
                     return false;
                 }
             }
@@ -1446,6 +1467,11 @@
                     SignatureAndHashAlgorithm.getPreferableAlgorithm(
                                             supportedSignAlgs, "ECDSA");
                 if (preferableSignatureAlgorithm == null) {
+                    if ((debug != null) && Debug.isOn("handshake")) {
+                        System.out.println(
+                                "No signature and hash algorithm for cipher " +
+                                suite);
+                    }
                     return false;
                 }
             }
@@ -1487,7 +1513,8 @@
                     ClientKeyExchangeService.find(keyExchange.name);
             if (p == null) {
                 // internal error, unknown key exchange
-                throw new RuntimeException("Unrecognized cipherSuite: " + suite);
+                throw new RuntimeException(
+                        "Unrecognized cipherSuite: " + suite);
             }
             // need service creds
             if (serviceCreds == null) {
--- a/jdk/src/java.base/share/classes/sun/security/ssl/SignatureAndHashAlgorithm.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/SignatureAndHashAlgorithm.java	Tue Dec 15 12:59:00 2015 +0000
@@ -166,10 +166,13 @@
 
     // Get supported algorithm collection from an untrusted collection
     static Collection<SignatureAndHashAlgorithm> getSupportedAlgorithms(
+            AlgorithmConstraints constraints,
             Collection<SignatureAndHashAlgorithm> algorithms ) {
         Collection<SignatureAndHashAlgorithm> supported = new ArrayList<>();
         for (SignatureAndHashAlgorithm sigAlg : algorithms) {
-            if (sigAlg.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM) {
+            if (sigAlg.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM &&
+                    constraints.permits(SIGNATURE_PRIMITIVE_SET,
+                                sigAlg.algorithm, null)) {
                 supported.add(sigAlg);
             }
         }
@@ -233,30 +236,42 @@
     }
 
     static SignatureAndHashAlgorithm getPreferableAlgorithm(
-        Collection<SignatureAndHashAlgorithm> algorithms,
-        String expected, PrivateKey signingKey) {
+            Collection<SignatureAndHashAlgorithm> algorithms,
+            String expected, PrivateKey signingKey) {
 
-        if (expected == null && !algorithms.isEmpty()) {
-            for (SignatureAndHashAlgorithm sigAlg : algorithms) {
-                if (sigAlg.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM) {
-                    return sigAlg;
+        int maxDigestLength = getMaxDigestLength(signingKey);
+        for (SignatureAndHashAlgorithm algorithm : algorithms) {
+            int signValue = algorithm.id & 0xFF;
+            if ((expected == null) ||
+                    (expected.equalsIgnoreCase("rsa") &&
+                            signValue == SignatureAlgorithm.RSA.value) ||
+                    (expected.equalsIgnoreCase("dsa") &&
+                            signValue == SignatureAlgorithm.DSA.value) ||
+                    (expected.equalsIgnoreCase("ecdsa") &&
+                            signValue == SignatureAlgorithm.ECDSA.value) ||
+                    (expected.equalsIgnoreCase("ec") &&
+                            signValue == SignatureAlgorithm.ECDSA.value)) {
+
+                if (algorithm.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM &&
+                        algorithm.hash.length <= maxDigestLength) {
+
+                    return algorithm;
                 }
             }
-
-            return null;  // no supported algorithm
-        }
-
-        if (expected == null ) {
-            return null;  // no expected algorithm, no supported algorithm
         }
 
-        /*
-         * Need to check RSA key length to match the length of hash value
-         */
+        return null;
+    }
+
+    /*
+     * Need to check key length to match the length of hash value
+     */
+    private static int getMaxDigestLength(PrivateKey signingKey) {
         int maxDigestLength = Integer.MAX_VALUE;
+
+        // only need to check RSA algorithm at present.
         if (signingKey != null &&
-                "rsa".equalsIgnoreCase(signingKey.getAlgorithm()) &&
-                expected.equalsIgnoreCase("rsa")) {
+                "rsa".equalsIgnoreCase(signingKey.getAlgorithm())) {
             /*
              * RSA keys of 512 bits have been shown to be practically
              * breakable, it does not make much sense to use the strong
@@ -284,25 +299,7 @@
                 // preferable hash algorithm.
         }
 
-        for (SignatureAndHashAlgorithm algorithm : algorithms) {
-            int signValue = algorithm.id & 0xFF;
-            if (expected.equalsIgnoreCase("rsa") &&
-                    signValue == SignatureAlgorithm.RSA.value) {
-                if (algorithm.hash.length <= maxDigestLength) {
-                    return algorithm;
-                }
-            } else if (
-                    (expected.equalsIgnoreCase("dsa") &&
-                        signValue == SignatureAlgorithm.DSA.value) ||
-                    (expected.equalsIgnoreCase("ecdsa") &&
-                        signValue == SignatureAlgorithm.ECDSA.value) ||
-                    (expected.equalsIgnoreCase("ec") &&
-                        signValue == SignatureAlgorithm.ECDSA.value)) {
-                return algorithm;
-            }
-        }
-
-        return null;
+        return maxDigestLength;
     }
 
     static enum HashAlgorithm {
--- a/jdk/src/java.base/share/conf/security/java.security	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/src/java.base/share/conf/security/java.security	Tue Dec 15 12:59:00 2015 +0000
@@ -576,7 +576,7 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
--- a/jdk/test/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/test/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -159,8 +159,10 @@
 
     public static void main(String[] args) throws Exception {
         // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");
 
         String keyFilename =
             System.getProperty("test.src", "./") + "/" + pathToStores +
--- a/jdk/test/javax/net/ssl/ServerName/SSLSocketSNISensitive.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/test/javax/net/ssl/ServerName/SSLSocketSNISensitive.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -433,8 +433,10 @@
 
     public static void main(String[] args) throws Exception {
         // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");
 
         if (debug)
             System.setProperty("javax.net.debug", "all");
--- a/jdk/test/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/test/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -230,8 +230,10 @@
 
     public static void main(String[] args) throws Exception {
         // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");
 
         String keyFilename =
             System.getProperty("test.src", ".") + "/" + pathToStores +
--- a/jdk/test/javax/net/ssl/TLSv12/ShortRSAKey512.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/test/javax/net/ssl/TLSv12/ShortRSAKey512.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -282,6 +282,8 @@
         // reset the security property to make sure that the algorithms
         // and keys used in this test are not disabled.
         Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");
 
         if (debug)
             System.setProperty("javax.net.debug", "all");
--- a/jdk/test/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/test/javax/net/ssl/TLSv12/ShortRSAKeyGCM.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -303,6 +303,8 @@
         // reset the security property to make sure that the algorithms
         // and keys used in this test are not disabled.
         Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");
 
         if (debug) {
             System.setProperty("javax.net.debug", "all");
--- a/jdk/test/sun/net/www/protocol/https/HttpsURLConnection/DNSIdentities.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/test/sun/net/www/protocol/https/HttpsURLConnection/DNSIdentities.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -745,8 +745,10 @@
 
     public static void main(String args[]) throws Exception {
         // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");
 
         if (debug)
             System.setProperty("javax.net.debug", "all");
--- a/jdk/test/sun/net/www/protocol/https/HttpsURLConnection/IPAddressIPIdentities.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/test/sun/net/www/protocol/https/HttpsURLConnection/IPAddressIPIdentities.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -746,8 +746,10 @@
 
     public static void main(String args[]) throws Exception {
         // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");
 
         if (debug)
             System.setProperty("javax.net.debug", "all");
--- a/jdk/test/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/test/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -745,8 +745,10 @@
 
     public static void main(String args[]) throws Exception {
         // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");
 
         if (debug)
             System.setProperty("javax.net.debug", "all");
--- a/jdk/test/sun/net/www/protocol/https/HttpsURLConnection/Identities.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/test/sun/net/www/protocol/https/HttpsURLConnection/Identities.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -745,8 +745,10 @@
 
     public static void main(String args[]) throws Exception {
         // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");
 
         if (debug)
             System.setProperty("javax.net.debug", "all");
--- a/jdk/test/sun/security/ssl/SSLContextImpl/MD2InTrustAnchor.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/test/sun/security/ssl/SSLContextImpl/MD2InTrustAnchor.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -287,8 +287,10 @@
 
     public static void main(String[] args) throws Exception {
         // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");
 
         if (debug)
             System.setProperty("javax.net.debug", "all");
--- a/jdk/test/sun/security/ssl/SSLContextImpl/TrustTrustedCert.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/test/sun/security/ssl/SSLContextImpl/TrustTrustedCert.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -339,8 +339,10 @@
 
     public static void main(String[] args) throws Exception {
         // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");
 
         if (debug)
             System.setProperty("javax.net.debug", "all");
--- a/jdk/test/sun/security/ssl/X509KeyManager/PreferredKey.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/test/sun/security/ssl/X509KeyManager/PreferredKey.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -57,8 +57,10 @@
 
     public static void main(String[] args) throws Exception {
         // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");
 
         KeyStore ks;
         KeyManagerFactory kmf;
--- a/jdk/test/sun/security/ssl/X509TrustManagerImpl/BasicConstraints.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/test/sun/security/ssl/X509TrustManagerImpl/BasicConstraints.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -458,8 +458,10 @@
 
     public static void main(String args[]) throws Exception {
         // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");
 
         if (debug)
             System.setProperty("javax.net.debug", "all");
--- a/jdk/test/sun/security/ssl/X509TrustManagerImpl/PKIXExtendedTM.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/test/sun/security/ssl/X509TrustManagerImpl/PKIXExtendedTM.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -794,8 +794,10 @@
 
     public static void main(String args[]) throws Exception {
         // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");
 
         if (debug)
             System.setProperty("javax.net.debug", "all");
--- a/jdk/test/sun/security/ssl/X509TrustManagerImpl/SelfIssuedCert.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/test/sun/security/ssl/X509TrustManagerImpl/SelfIssuedCert.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -306,8 +306,10 @@
 
     public static void main(String args[]) throws Exception {
         // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");
 
         if (debug)
             System.setProperty("javax.net.debug", "all");
--- a/jdk/test/sun/security/ssl/X509TrustManagerImpl/SunX509ExtendedTM.java	Thu Dec 10 12:13:12 2015 +0300
+++ b/jdk/test/sun/security/ssl/X509TrustManagerImpl/SunX509ExtendedTM.java	Tue Dec 15 12:59:00 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -796,8 +796,10 @@
 
     public static void main(String args[]) throws Exception {
         // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty(
-                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "MD2, RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "SSLv3, RC4, DH keySize < 768");
 
         if (debug)
             System.setProperty("javax.net.debug", "all");