author | vinnie |
Wed, 02 Dec 2015 03:37:29 +0000 | |
changeset 34380 | 2b2609379881 |
parent 34379 | e9e364c8c44e |
child 34381 | be5600f6a4da |
--- a/jdk/src/java.base/share/classes/javax/net/ssl/SSLEngine.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/src/java.base/share/classes/javax/net/ssl/SSLEngine.java Wed Dec 02 03:37:29 2015 +0000 @@ -1253,4 +1253,55 @@ } } + /** + * Returns the most recent application protocol value negotiated for this + * connection. + * <p> + * If supported by the underlying SSL/TLS/DTLS implementation, + * application name negotiation mechanisms such as <a + * href="http://www.ietf.org/rfc/rfc7301.txt"> RFC 7301 </a>, the + * Application-Layer Protocol Negotiation (ALPN), can negotiate + * application-level values between peers. + * <p> + * @implSpec + * The implementation in this class throws + * {@code UnsupportedOperationException} and performs no other action. + * + * @return null if it has not yet been determined if application + * protocols might be used for this connection, an empty + * {@code String} if application protocols values will not + * be used, or a non-empty application protocol {@code String} + * if a value was successfully negotiated. + * @throws UnsupportedOperationException if the underlying provider + * does not implement the operation. + * @since 9 + */ + public String getApplicationProtocol() { + throw new UnsupportedOperationException(); + } + + /** + * Returns the application protocol value negotiated on a SSL/TLS + * handshake currently in progress. + * <p> + * Like {@link #getHandshakeSession()}, + * a connection may be in the middle of a handshake. The + * application protocol may or may not yet be available. + * <p> + * @implSpec + * The implementation in this class throws + * {@code UnsupportedOperationException} and performs no other action. + * + * @return null if it has not yet been determined if application + * protocols might be used for this handshake, an empty + * {@code String} if application protocols values will not + * be used, or a non-empty application protocol {@code String} + * if a value was successfully negotiated. + * @throws UnsupportedOperationException if the underlying provider + * does not implement the operation. + * @since 9 + */ + public String getHandshakeApplicationProtocol() { + throw new UnsupportedOperationException(); + } }
--- a/jdk/src/java.base/share/classes/javax/net/ssl/SSLParameters.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/src/java.base/share/classes/javax/net/ssl/SSLParameters.java Wed Dec 02 03:37:29 2015 +0000 @@ -56,6 +56,17 @@ * {@link SSLSocket#setSSLParameters SSLSocket.setSSLParameters()} and * {@link SSLServerSocket#setSSLParameters SSLServerSocket.setSSLParameters()} * and {@link SSLEngine#setSSLParameters SSLEngine.setSSLParameters()}. + * <p> + * For example: + * + * <blockquote><pre> + * SSLParameters p = sslSocket.getSSLParameters(); + * p.setProtocols(new String[] { "TLSv1.2" }); + * p.setCipherSuites( + * new String[] { "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", ... }); + * p.setApplicationProtocols(new String[] {"h2", "http/1.1"}); + * sslSocket.setSSLParameters(p); + * </pre></blockquote> * * @see SSLSocket * @see SSLEngine @@ -76,6 +87,7 @@ private boolean preferLocalCipherSuites; private boolean enableRetransmissions = true; private int maximumPacketSize = 0; + private String[] applicationProtocols = new String[0]; /** * Constructs SSLParameters. @@ -480,7 +492,7 @@ * * @see #getEnableRetransmissions() * - * @since 1.9 + * @since 9 */ public void setEnableRetransmissions(boolean enableRetransmissions) { this.enableRetransmissions = enableRetransmissions; @@ -495,7 +507,7 @@ * * @see #setEnableRetransmissions(boolean) * - * @since 1.9 + * @since 9 */ public boolean getEnableRetransmissions() { return enableRetransmissions; @@ -523,7 +535,7 @@ * * @see #getMaximumPacketSize() * - * @since 1.9 + * @since 9 */ public void setMaximumPacketSize(int maximumPacketSize) { if (maximumPacketSize < 0) { @@ -563,11 +575,80 @@ * * @see #setMaximumPacketSize(int) * - * @since 1.9 + * @since 9 */ public int getMaximumPacketSize() { return maximumPacketSize; } + /** + * Returns a prioritized array of application-layer protocol names that + * can be negotiated over the SSL/TLS/DTLS protocols. + * <p> + * The array could be empty (zero-length), in which case protocol + * indications will not be used. + * <p> + * This method will return a new array each time it is invoked. + * + * @return a non-null, possibly zero-length array of application protocol + * {@code String}s. The array is ordered based on protocol + * preference, with {@code protocols[0]} being the most preferred. + * @see #setApplicationProtocols + * @since 9 + */ + public String[] getApplicationProtocols() { + return applicationProtocols.clone(); + } + + /** + * Sets the prioritized array of application-layer protocol names that + * can be negotiated over the SSL/TLS/DTLS protocols. + * <p> + * If application-layer protocols are supported by the underlying + * SSL/TLS implementation, this method configures which values can + * be negotiated by protocols such as <a + * href="http://www.ietf.org/rfc/rfc7301.txt"> RFC 7301 </a>, the + * Application Layer Protocol Negotiation (ALPN). + * <p> + * If this end of the connection is expected to offer application protocol + * values, all protocols configured by this method will be sent to the + * peer. + * <p> + * If this end of the connection is expected to select the application + * protocol value, the {@code protocols} configured by this method are + * compared with those sent by the peer. The first matched value becomes + * the negotiated value. If none of the {@code protocols} were actually + * requested by the peer, the underlying protocol will determine what + * action to take. (For example, ALPN will send a + * {@code "no_application_protocol"} alert and terminate the connection.) + * <p> + * @implSpec + * This method will make a copy of the {@code protocols} array. + * + * @param protocols an ordered array of application protocols, + * with {@code protocols[0]} being the most preferred. + * If the array is empty (zero-length), protocol + * indications will not be used. + * @throws IllegalArgumentException if protocols is null, or if + * any element in a non-empty array is null or an + * empty (zero-length) string + * @see #getApplicationProtocols + * @since 9 + */ + public void setApplicationProtocols(String[] protocols) { + if (protocols == null) { + throw new IllegalArgumentException("protocols was null"); + } + + String[] tempProtocols = protocols.clone(); + + for (String p : tempProtocols) { + if (p == null || p.equals("")) { + throw new IllegalArgumentException( + "An element of protocols was null/empty"); + } + } + applicationProtocols = tempProtocols; + } }
--- a/jdk/src/java.base/share/classes/javax/net/ssl/SSLSocket.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/src/java.base/share/classes/javax/net/ssl/SSLSocket.java Wed Dec 02 03:37:29 2015 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -662,4 +662,55 @@ } } + /** + * Returns the most recent application protocol value negotiated for this + * connection. + * <p> + * If supported by the underlying SSL/TLS/DTLS implementation, + * application name negotiation mechanisms such as <a + * href="http://www.ietf.org/rfc/rfc7301.txt"> RFC 7301 </a>, the + * Application-Layer Protocol Negotiation (ALPN), can negotiate + * application-level values between peers. + * <p> + * @implSpec + * The implementation in this class throws + * {@code UnsupportedOperationException} and performs no other action. + * + * @return null if it has not yet been determined if application + * protocols might be used for this connection, an empty + * {@code String} if application protocols values will not + * be used, or a non-empty application protocol {@code String} + * if a value was successfully negotiated. + * @throws UnsupportedOperationException if the underlying provider + * does not implement the operation. + * @since 9 + */ + public String getApplicationProtocol() { + throw new UnsupportedOperationException(); + } + + /** + * Returns the application protocol value negotiated on a SSL/TLS + * handshake currently in progress. + * <p> + * Like {@link #getHandshakeSession()}, + * a connection may be in the middle of a handshake. The + * application protocol may or may not yet be available. + * <p> + * @implSpec + * The implementation in this class throws + * {@code UnsupportedOperationException} and performs no other action. + * + * @return null if it has not yet been determined if application + * protocols might be used for this handshake, an empty + * {@code String} if application protocols values will not + * be used, or a non-empty application protocol {@code String} + * if a value was successfully negotiated. + * @throws UnsupportedOperationException if the underlying provider + * does not implement the operation. + * @since 9 + */ + public String getHandshakeApplicationProtocol() { + throw new UnsupportedOperationException(); + } }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/ssl/ALPNExtension.java Wed Dec 02 03:37:29 2015 +0000 @@ -0,0 +1,168 @@ +/* + * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.ssl; + +import java.io.IOException; +import java.nio.charset.*; +import java.util.*; + +import javax.net.ssl.*; + +/* + * [RFC 7301] + * This TLS extension facilitates the negotiation of application-layer protocols + * within the TLS handshake. Clients MAY include an extension of type + * "application_layer_protocol_negotiation" in the (extended) ClientHello + * message. The "extension_data" field of this extension SHALL contain a + * "ProtocolNameList" value: + * + * enum { + * application_layer_protocol_negotiation(16), (65535) + * } ExtensionType; + * + * opaque ProtocolName<1..2^8-1>; + * + * struct { + * ProtocolName protocol_name_list<2..2^16-1> + * } ProtocolNameList; + */ +final class ALPNExtension extends HelloExtension { + + final static int ALPN_HEADER_LENGTH = 1; + final static int MAX_APPLICATION_PROTOCOL_LENGTH = 255; + final static int MAX_APPLICATION_PROTOCOL_LIST_LENGTH = 65535; + private int listLength = 0; // ProtocolNameList length + private List<String> protocolNames = null; + + // constructor for ServerHello + ALPNExtension(String protocolName) throws SSLException { + this(new String[]{ protocolName }); + } + + // constructor for ClientHello + ALPNExtension(String[] protocolNames) throws SSLException { + super(ExtensionType.EXT_ALPN); + if (protocolNames.length == 0) { // never null, never empty + throw new IllegalArgumentException( + "The list of application protocols cannot be empty"); + } + this.protocolNames = Arrays.asList(protocolNames); + for (String p : protocolNames) { + int length = p.getBytes(StandardCharsets.UTF_8).length; + if (length == 0) { + throw new SSLProtocolException( + "Application protocol name is empty"); + } + if (length <= MAX_APPLICATION_PROTOCOL_LENGTH) { + listLength += length + ALPN_HEADER_LENGTH; + } else { + throw new SSLProtocolException( + "Application protocol name is too long: " + p); + } + if (listLength > MAX_APPLICATION_PROTOCOL_LIST_LENGTH) { + throw new SSLProtocolException( + "Application protocol name list is too long"); + } + } + } + + // constructor for ServerHello for parsing ALPN extension + ALPNExtension(HandshakeInStream s, int len) throws IOException { + super(ExtensionType.EXT_ALPN); + + if (len >= 2) { + listLength = s.getInt16(); // list length + if (listLength < 2 || listLength + 2 != len) { + throw new SSLProtocolException( + "Invalid " + type + " extension: incorrect list length " + + "(length=" + listLength + ")"); + } + } else { + throw new SSLProtocolException( + "Invalid " + type + " extension: insufficient data " + + "(length=" + len + ")"); + } + + int remaining = listLength; + this.protocolNames = new ArrayList<>(); + while (remaining > 0) { + // opaque ProtocolName<1..2^8-1>; // RFC 7301 + byte[] bytes = s.getBytes8(); + if (bytes.length == 0) { + throw new SSLProtocolException("Invalid " + type + + " extension: empty application protocol name"); + } + String p = + new String(bytes, StandardCharsets.UTF_8); // app protocol + protocolNames.add(p); + remaining -= bytes.length + ALPN_HEADER_LENGTH; + } + + if (remaining != 0) { + throw new SSLProtocolException( + "Invalid " + type + " extension: extra data " + + "(length=" + remaining + ")"); + } + } + + List<String> getPeerAPs() { + return protocolNames; + } + + /* + * Return the length in bytes, including extension type and length fields. + */ + @Override + int length() { + return 6 + listLength; + } + + @Override + void send(HandshakeOutStream s) throws IOException { + s.putInt16(type.id); + s.putInt16(listLength + 2); // length of extension_data + s.putInt16(listLength); // length of ProtocolNameList + + for (String p : protocolNames) { + s.putBytes8(p.getBytes(StandardCharsets.UTF_8)); + } + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + if (protocolNames == null || protocolNames.isEmpty()) { + sb.append("<empty>"); + } else { + for (String protocolName : protocolNames) { + sb.append("[" + protocolName + "]"); + } + } + + return "Extension " + type + + ", protocol names: " + sb; + } +}
--- a/jdk/src/java.base/share/classes/sun/security/ssl/Alerts.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/ssl/Alerts.java Wed Dec 02 03:37:29 2015 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -83,6 +83,9 @@ static final byte alert_bad_certificate_status_response = 113; static final byte alert_bad_certificate_hash_value = 114; + // from RFC 7301 (TLS ALPN Extension) + static final byte alert_no_application_protocol = 120; + static String alertDescription(byte code) { switch (code) { @@ -144,6 +147,8 @@ return "bad_certificate_status_response"; case alert_bad_certificate_hash_value: return "bad_certificate_hash_value"; + case alert_no_application_protocol: + return "no_application_protocol"; default: return "<UNKNOWN ALERT: " + (code & 0x0ff) + ">"; @@ -189,6 +194,7 @@ case alert_unrecognized_name: case alert_bad_certificate_status_response: case alert_bad_certificate_hash_value: + case alert_no_application_protocol: e = new SSLHandshakeException(reason); break;
--- a/jdk/src/java.base/share/classes/sun/security/ssl/CipherSuite.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/ssl/CipherSuite.java Wed Dec 02 03:37:29 2015 +0000 @@ -764,7 +764,7 @@ final boolean N = (SunJSSE.isFIPS() == false); /* - * TLS Cipher Suite Registry, as of August 2010. + * TLS Cipher Suite Registry, as of November 2015. * * http://www.iana.org/assignments/tls-parameters/tls-parameters.xml * @@ -773,77 +773,77 @@ * 192-254 Specification Required Refers to value of first byte * 255 Reserved for Private Use Refers to value of first byte * - * Value Description Reference - * 0x00,0x00 TLS_NULL_WITH_NULL_NULL [RFC5246] - * 0x00,0x01 TLS_RSA_WITH_NULL_MD5 [RFC5246] - * 0x00,0x02 TLS_RSA_WITH_NULL_SHA [RFC5246] - * 0x00,0x03 TLS_RSA_EXPORT_WITH_RC4_40_MD5 [RFC4346] - * 0x00,0x04 TLS_RSA_WITH_RC4_128_MD5 [RFC5246] - * 0x00,0x05 TLS_RSA_WITH_RC4_128_SHA [RFC5246] - * 0x00,0x06 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 [RFC4346] - * 0x00,0x07 TLS_RSA_WITH_IDEA_CBC_SHA [RFC5469] - * 0x00,0x08 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA [RFC4346] - * 0x00,0x09 TLS_RSA_WITH_DES_CBC_SHA [RFC5469] - * 0x00,0x0A TLS_RSA_WITH_3DES_EDE_CBC_SHA [RFC5246] - * 0x00,0x0B TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA [RFC4346] - * 0x00,0x0C TLS_DH_DSS_WITH_DES_CBC_SHA [RFC5469] - * 0x00,0x0D TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA [RFC5246] - * 0x00,0x0E TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA [RFC4346] - * 0x00,0x0F TLS_DH_RSA_WITH_DES_CBC_SHA [RFC5469] - * 0x00,0x10 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA [RFC5246] - * 0x00,0x11 TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA [RFC4346] - * 0x00,0x12 TLS_DHE_DSS_WITH_DES_CBC_SHA [RFC5469] - * 0x00,0x13 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA [RFC5246] - * 0x00,0x14 TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA [RFC4346] - * 0x00,0x15 TLS_DHE_RSA_WITH_DES_CBC_SHA [RFC5469] - * 0x00,0x16 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA [RFC5246] - * 0x00,0x17 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 [RFC4346] - * 0x00,0x18 TLS_DH_anon_WITH_RC4_128_MD5 [RFC5246] - * 0x00,0x19 TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA [RFC4346] - * 0x00,0x1A TLS_DH_anon_WITH_DES_CBC_SHA [RFC5469] - * 0x00,0x1B TLS_DH_anon_WITH_3DES_EDE_CBC_SHA [RFC5246] - * 0x00,0x1C-1D Reserved to avoid conflicts with SSLv3 [RFC5246] - * 0x00,0x1E TLS_KRB5_WITH_DES_CBC_SHA [RFC2712] - * 0x00,0x1F TLS_KRB5_WITH_3DES_EDE_CBC_SHA [RFC2712] - * 0x00,0x20 TLS_KRB5_WITH_RC4_128_SHA [RFC2712] - * 0x00,0x21 TLS_KRB5_WITH_IDEA_CBC_SHA [RFC2712] - * 0x00,0x22 TLS_KRB5_WITH_DES_CBC_MD5 [RFC2712] - * 0x00,0x23 TLS_KRB5_WITH_3DES_EDE_CBC_MD5 [RFC2712] - * 0x00,0x24 TLS_KRB5_WITH_RC4_128_MD5 [RFC2712] - * 0x00,0x25 TLS_KRB5_WITH_IDEA_CBC_MD5 [RFC2712] - * 0x00,0x26 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA [RFC2712] - * 0x00,0x27 TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA [RFC2712] - * 0x00,0x28 TLS_KRB5_EXPORT_WITH_RC4_40_SHA [RFC2712] - * 0x00,0x29 TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 [RFC2712] - * 0x00,0x2A TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 [RFC2712] - * 0x00,0x2B TLS_KRB5_EXPORT_WITH_RC4_40_MD5 [RFC2712] - * 0x00,0x2C TLS_PSK_WITH_NULL_SHA [RFC4785] - * 0x00,0x2D TLS_DHE_PSK_WITH_NULL_SHA [RFC4785] - * 0x00,0x2E TLS_RSA_PSK_WITH_NULL_SHA [RFC4785] - * 0x00,0x2F TLS_RSA_WITH_AES_128_CBC_SHA [RFC5246] - * 0x00,0x30 TLS_DH_DSS_WITH_AES_128_CBC_SHA [RFC5246] - * 0x00,0x31 TLS_DH_RSA_WITH_AES_128_CBC_SHA [RFC5246] - * 0x00,0x32 TLS_DHE_DSS_WITH_AES_128_CBC_SHA [RFC5246] - * 0x00,0x33 TLS_DHE_RSA_WITH_AES_128_CBC_SHA [RFC5246] - * 0x00,0x34 TLS_DH_anon_WITH_AES_128_CBC_SHA [RFC5246] - * 0x00,0x35 TLS_RSA_WITH_AES_256_CBC_SHA [RFC5246] - * 0x00,0x36 TLS_DH_DSS_WITH_AES_256_CBC_SHA [RFC5246] - * 0x00,0x37 TLS_DH_RSA_WITH_AES_256_CBC_SHA [RFC5246] - * 0x00,0x38 TLS_DHE_DSS_WITH_AES_256_CBC_SHA [RFC5246] - * 0x00,0x39 TLS_DHE_RSA_WITH_AES_256_CBC_SHA [RFC5246] - * 0x00,0x3A TLS_DH_anon_WITH_AES_256_CBC_SHA [RFC5246] - * 0x00,0x3B TLS_RSA_WITH_NULL_SHA256 [RFC5246] - * 0x00,0x3C TLS_RSA_WITH_AES_128_CBC_SHA256 [RFC5246] - * 0x00,0x3D TLS_RSA_WITH_AES_256_CBC_SHA256 [RFC5246] - * 0x00,0x3E TLS_DH_DSS_WITH_AES_128_CBC_SHA256 [RFC5246] - * 0x00,0x3F TLS_DH_RSA_WITH_AES_128_CBC_SHA256 [RFC5246] - * 0x00,0x40 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 [RFC5246] - * 0x00,0x41 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA [RFC5932] - * 0x00,0x42 TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA [RFC5932] - * 0x00,0x43 TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA [RFC5932] - * 0x00,0x44 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA [RFC5932] - * 0x00,0x45 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA [RFC5932] - * 0x00,0x46 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA [RFC5932] + * Value Description Reference + * 0x00,0x00 TLS_NULL_WITH_NULL_NULL [RFC5246] + * 0x00,0x01 TLS_RSA_WITH_NULL_MD5 [RFC5246] + * 0x00,0x02 TLS_RSA_WITH_NULL_SHA [RFC5246] + * 0x00,0x03 TLS_RSA_EXPORT_WITH_RC4_40_MD5 [RFC4346] + * 0x00,0x04 TLS_RSA_WITH_RC4_128_MD5 [RFC5246] + * 0x00,0x05 TLS_RSA_WITH_RC4_128_SHA [RFC5246] + * 0x00,0x06 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 [RFC4346] + * 0x00,0x07 TLS_RSA_WITH_IDEA_CBC_SHA [RFC5469] + * 0x00,0x08 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA [RFC4346] + * 0x00,0x09 TLS_RSA_WITH_DES_CBC_SHA [RFC5469] + * 0x00,0x0A TLS_RSA_WITH_3DES_EDE_CBC_SHA [RFC5246] + * 0x00,0x0B TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA [RFC4346] + * 0x00,0x0C TLS_DH_DSS_WITH_DES_CBC_SHA [RFC5469] + * 0x00,0x0D TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA [RFC5246] + * 0x00,0x0E TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA [RFC4346] + * 0x00,0x0F TLS_DH_RSA_WITH_DES_CBC_SHA [RFC5469] + * 0x00,0x10 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA [RFC5246] + * 0x00,0x11 TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA [RFC4346] + * 0x00,0x12 TLS_DHE_DSS_WITH_DES_CBC_SHA [RFC5469] + * 0x00,0x13 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA [RFC5246] + * 0x00,0x14 TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA [RFC4346] + * 0x00,0x15 TLS_DHE_RSA_WITH_DES_CBC_SHA [RFC5469] + * 0x00,0x16 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA [RFC5246] + * 0x00,0x17 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 [RFC4346] + * 0x00,0x18 TLS_DH_anon_WITH_RC4_128_MD5 [RFC5246] + * 0x00,0x19 TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA [RFC4346] + * 0x00,0x1A TLS_DH_anon_WITH_DES_CBC_SHA [RFC5469] + * 0x00,0x1B TLS_DH_anon_WITH_3DES_EDE_CBC_SHA [RFC5246] + * 0x00,0x1C-1D Reserved to avoid conflicts with SSLv3 [RFC5246] + * 0x00,0x1E TLS_KRB5_WITH_DES_CBC_SHA [RFC2712] + * 0x00,0x1F TLS_KRB5_WITH_3DES_EDE_CBC_SHA [RFC2712] + * 0x00,0x20 TLS_KRB5_WITH_RC4_128_SHA [RFC2712] + * 0x00,0x21 TLS_KRB5_WITH_IDEA_CBC_SHA [RFC2712] + * 0x00,0x22 TLS_KRB5_WITH_DES_CBC_MD5 [RFC2712] + * 0x00,0x23 TLS_KRB5_WITH_3DES_EDE_CBC_MD5 [RFC2712] + * 0x00,0x24 TLS_KRB5_WITH_RC4_128_MD5 [RFC2712] + * 0x00,0x25 TLS_KRB5_WITH_IDEA_CBC_MD5 [RFC2712] + * 0x00,0x26 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA [RFC2712] + * 0x00,0x27 TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA [RFC2712] + * 0x00,0x28 TLS_KRB5_EXPORT_WITH_RC4_40_SHA [RFC2712] + * 0x00,0x29 TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 [RFC2712] + * 0x00,0x2A TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 [RFC2712] + * 0x00,0x2B TLS_KRB5_EXPORT_WITH_RC4_40_MD5 [RFC2712] + * 0x00,0x2C TLS_PSK_WITH_NULL_SHA [RFC4785] + * 0x00,0x2D TLS_DHE_PSK_WITH_NULL_SHA [RFC4785] + * 0x00,0x2E TLS_RSA_PSK_WITH_NULL_SHA [RFC4785] + * 0x00,0x2F TLS_RSA_WITH_AES_128_CBC_SHA [RFC5246] + * 0x00,0x30 TLS_DH_DSS_WITH_AES_128_CBC_SHA [RFC5246] + * 0x00,0x31 TLS_DH_RSA_WITH_AES_128_CBC_SHA [RFC5246] + * 0x00,0x32 TLS_DHE_DSS_WITH_AES_128_CBC_SHA [RFC5246] + * 0x00,0x33 TLS_DHE_RSA_WITH_AES_128_CBC_SHA [RFC5246] + * 0x00,0x34 TLS_DH_anon_WITH_AES_128_CBC_SHA [RFC5246] + * 0x00,0x35 TLS_RSA_WITH_AES_256_CBC_SHA [RFC5246] + * 0x00,0x36 TLS_DH_DSS_WITH_AES_256_CBC_SHA [RFC5246] + * 0x00,0x37 TLS_DH_RSA_WITH_AES_256_CBC_SHA [RFC5246] + * 0x00,0x38 TLS_DHE_DSS_WITH_AES_256_CBC_SHA [RFC5246] + * 0x00,0x39 TLS_DHE_RSA_WITH_AES_256_CBC_SHA [RFC5246] + * 0x00,0x3A TLS_DH_anon_WITH_AES_256_CBC_SHA [RFC5246] + * 0x00,0x3B TLS_RSA_WITH_NULL_SHA256 [RFC5246] + * 0x00,0x3C TLS_RSA_WITH_AES_128_CBC_SHA256 [RFC5246] + * 0x00,0x3D TLS_RSA_WITH_AES_256_CBC_SHA256 [RFC5246] + * 0x00,0x3E TLS_DH_DSS_WITH_AES_128_CBC_SHA256 [RFC5246] + * 0x00,0x3F TLS_DH_RSA_WITH_AES_128_CBC_SHA256 [RFC5246] + * 0x00,0x40 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 [RFC5246] + * 0x00,0x41 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA [RFC5932] + * 0x00,0x42 TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA [RFC5932] + * 0x00,0x43 TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA [RFC5932] + * 0x00,0x44 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA [RFC5932] + * 0x00,0x45 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA [RFC5932] + * 0x00,0x46 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA [RFC5932] * 0x00,0x47-4F Reserved to avoid conflicts with * deployed implementations [Pasi_Eronen] * 0x00,0x50-58 Reserved to avoid conflicts [Pasi Eronen] @@ -852,143 +852,261 @@ * 0x00,0x5D-5F Unassigned * 0x00,0x60-66 Reserved to avoid conflicts with widely * deployed implementations [Pasi_Eronen] - * 0x00,0x67 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 [RFC5246] - * 0x00,0x68 TLS_DH_DSS_WITH_AES_256_CBC_SHA256 [RFC5246] - * 0x00,0x69 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 [RFC5246] - * 0x00,0x6A TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 [RFC5246] - * 0x00,0x6B TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 [RFC5246] - * 0x00,0x6C TLS_DH_anon_WITH_AES_128_CBC_SHA256 [RFC5246] - * 0x00,0x6D TLS_DH_anon_WITH_AES_256_CBC_SHA256 [RFC5246] + * 0x00,0x67 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 [RFC5246] + * 0x00,0x68 TLS_DH_DSS_WITH_AES_256_CBC_SHA256 [RFC5246] + * 0x00,0x69 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 [RFC5246] + * 0x00,0x6A TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 [RFC5246] + * 0x00,0x6B TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 [RFC5246] + * 0x00,0x6C TLS_DH_anon_WITH_AES_128_CBC_SHA256 [RFC5246] + * 0x00,0x6D TLS_DH_anon_WITH_AES_256_CBC_SHA256 [RFC5246] * 0x00,0x6E-83 Unassigned - * 0x00,0x84 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA [RFC5932] - * 0x00,0x85 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA [RFC5932] - * 0x00,0x86 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA [RFC5932] - * 0x00,0x87 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA [RFC5932] - * 0x00,0x88 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA [RFC5932] - * 0x00,0x89 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA [RFC5932] - * 0x00,0x8A TLS_PSK_WITH_RC4_128_SHA [RFC4279] - * 0x00,0x8B TLS_PSK_WITH_3DES_EDE_CBC_SHA [RFC4279] - * 0x00,0x8C TLS_PSK_WITH_AES_128_CBC_SHA [RFC4279] - * 0x00,0x8D TLS_PSK_WITH_AES_256_CBC_SHA [RFC4279] - * 0x00,0x8E TLS_DHE_PSK_WITH_RC4_128_SHA [RFC4279] - * 0x00,0x8F TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA [RFC4279] - * 0x00,0x90 TLS_DHE_PSK_WITH_AES_128_CBC_SHA [RFC4279] - * 0x00,0x91 TLS_DHE_PSK_WITH_AES_256_CBC_SHA [RFC4279] - * 0x00,0x92 TLS_RSA_PSK_WITH_RC4_128_SHA [RFC4279] - * 0x00,0x93 TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA [RFC4279] - * 0x00,0x94 TLS_RSA_PSK_WITH_AES_128_CBC_SHA [RFC4279] - * 0x00,0x95 TLS_RSA_PSK_WITH_AES_256_CBC_SHA [RFC4279] - * 0x00,0x96 TLS_RSA_WITH_SEED_CBC_SHA [RFC4162] - * 0x00,0x97 TLS_DH_DSS_WITH_SEED_CBC_SHA [RFC4162] - * 0x00,0x98 TLS_DH_RSA_WITH_SEED_CBC_SHA [RFC4162] - * 0x00,0x99 TLS_DHE_DSS_WITH_SEED_CBC_SHA [RFC4162] - * 0x00,0x9A TLS_DHE_RSA_WITH_SEED_CBC_SHA [RFC4162] - * 0x00,0x9B TLS_DH_anon_WITH_SEED_CBC_SHA [RFC4162] - * 0x00,0x9C TLS_RSA_WITH_AES_128_GCM_SHA256 [RFC5288] - * 0x00,0x9D TLS_RSA_WITH_AES_256_GCM_SHA384 [RFC5288] - * 0x00,0x9E TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 [RFC5288] - * 0x00,0x9F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 [RFC5288] - * 0x00,0xA0 TLS_DH_RSA_WITH_AES_128_GCM_SHA256 [RFC5288] - * 0x00,0xA1 TLS_DH_RSA_WITH_AES_256_GCM_SHA384 [RFC5288] - * 0x00,0xA2 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 [RFC5288] - * 0x00,0xA3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 [RFC5288] - * 0x00,0xA4 TLS_DH_DSS_WITH_AES_128_GCM_SHA256 [RFC5288] - * 0x00,0xA5 TLS_DH_DSS_WITH_AES_256_GCM_SHA384 [RFC5288] - * 0x00,0xA6 TLS_DH_anon_WITH_AES_128_GCM_SHA256 [RFC5288] - * 0x00,0xA7 TLS_DH_anon_WITH_AES_256_GCM_SHA384 [RFC5288] - * 0x00,0xA8 TLS_PSK_WITH_AES_128_GCM_SHA256 [RFC5487] - * 0x00,0xA9 TLS_PSK_WITH_AES_256_GCM_SHA384 [RFC5487] - * 0x00,0xAA TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 [RFC5487] - * 0x00,0xAB TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 [RFC5487] - * 0x00,0xAC TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 [RFC5487] - * 0x00,0xAD TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 [RFC5487] - * 0x00,0xAE TLS_PSK_WITH_AES_128_CBC_SHA256 [RFC5487] - * 0x00,0xAF TLS_PSK_WITH_AES_256_CBC_SHA384 [RFC5487] - * 0x00,0xB0 TLS_PSK_WITH_NULL_SHA256 [RFC5487] - * 0x00,0xB1 TLS_PSK_WITH_NULL_SHA384 [RFC5487] - * 0x00,0xB2 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 [RFC5487] - * 0x00,0xB3 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 [RFC5487] - * 0x00,0xB4 TLS_DHE_PSK_WITH_NULL_SHA256 [RFC5487] - * 0x00,0xB5 TLS_DHE_PSK_WITH_NULL_SHA384 [RFC5487] - * 0x00,0xB6 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 [RFC5487] - * 0x00,0xB7 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 [RFC5487] - * 0x00,0xB8 TLS_RSA_PSK_WITH_NULL_SHA256 [RFC5487] - * 0x00,0xB9 TLS_RSA_PSK_WITH_NULL_SHA384 [RFC5487] - * 0x00,0xBA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 [RFC5932] - * 0x00,0xBB TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 [RFC5932] - * 0x00,0xBC TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 [RFC5932] - * 0x00,0xBD TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 [RFC5932] - * 0x00,0xBE TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 [RFC5932] - * 0x00,0xBF TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 [RFC5932] - * 0x00,0xC0 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 [RFC5932] - * 0x00,0xC1 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 [RFC5932] - * 0x00,0xC2 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 [RFC5932] - * 0x00,0xC3 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 [RFC5932] - * 0x00,0xC4 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 [RFC5932] - * 0x00,0xC5 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 [RFC5932] + * 0x00,0x84 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA [RFC5932] + * 0x00,0x85 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA [RFC5932] + * 0x00,0x86 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA [RFC5932] + * 0x00,0x87 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA [RFC5932] + * 0x00,0x88 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA [RFC5932] + * 0x00,0x89 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA [RFC5932] + * 0x00,0x8A TLS_PSK_WITH_RC4_128_SHA [RFC4279] + * 0x00,0x8B TLS_PSK_WITH_3DES_EDE_CBC_SHA [RFC4279] + * 0x00,0x8C TLS_PSK_WITH_AES_128_CBC_SHA [RFC4279] + * 0x00,0x8D TLS_PSK_WITH_AES_256_CBC_SHA [RFC4279] + * 0x00,0x8E TLS_DHE_PSK_WITH_RC4_128_SHA [RFC4279] + * 0x00,0x8F TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA [RFC4279] + * 0x00,0x90 TLS_DHE_PSK_WITH_AES_128_CBC_SHA [RFC4279] + * 0x00,0x91 TLS_DHE_PSK_WITH_AES_256_CBC_SHA [RFC4279] + * 0x00,0x92 TLS_RSA_PSK_WITH_RC4_128_SHA [RFC4279] + * 0x00,0x93 TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA [RFC4279] + * 0x00,0x94 TLS_RSA_PSK_WITH_AES_128_CBC_SHA [RFC4279] + * 0x00,0x95 TLS_RSA_PSK_WITH_AES_256_CBC_SHA [RFC4279] + * 0x00,0x96 TLS_RSA_WITH_SEED_CBC_SHA [RFC4162] + * 0x00,0x97 TLS_DH_DSS_WITH_SEED_CBC_SHA [RFC4162] + * 0x00,0x98 TLS_DH_RSA_WITH_SEED_CBC_SHA [RFC4162] + * 0x00,0x99 TLS_DHE_DSS_WITH_SEED_CBC_SHA [RFC4162] + * 0x00,0x9A TLS_DHE_RSA_WITH_SEED_CBC_SHA [RFC4162] + * 0x00,0x9B TLS_DH_anon_WITH_SEED_CBC_SHA [RFC4162] + * 0x00,0x9C TLS_RSA_WITH_AES_128_GCM_SHA256 [RFC5288] + * 0x00,0x9D TLS_RSA_WITH_AES_256_GCM_SHA384 [RFC5288] + * 0x00,0x9E TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 [RFC5288] + * 0x00,0x9F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 [RFC5288] + * 0x00,0xA0 TLS_DH_RSA_WITH_AES_128_GCM_SHA256 [RFC5288] + * 0x00,0xA1 TLS_DH_RSA_WITH_AES_256_GCM_SHA384 [RFC5288] + * 0x00,0xA2 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 [RFC5288] + * 0x00,0xA3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 [RFC5288] + * 0x00,0xA4 TLS_DH_DSS_WITH_AES_128_GCM_SHA256 [RFC5288] + * 0x00,0xA5 TLS_DH_DSS_WITH_AES_256_GCM_SHA384 [RFC5288] + * 0x00,0xA6 TLS_DH_anon_WITH_AES_128_GCM_SHA256 [RFC5288] + * 0x00,0xA7 TLS_DH_anon_WITH_AES_256_GCM_SHA384 [RFC5288] + * 0x00,0xA8 TLS_PSK_WITH_AES_128_GCM_SHA256 [RFC5487] + * 0x00,0xA9 TLS_PSK_WITH_AES_256_GCM_SHA384 [RFC5487] + * 0x00,0xAA TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 [RFC5487] + * 0x00,0xAB TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 [RFC5487] + * 0x00,0xAC TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 [RFC5487] + * 0x00,0xAD TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 [RFC5487] + * 0x00,0xAE TLS_PSK_WITH_AES_128_CBC_SHA256 [RFC5487] + * 0x00,0xAF TLS_PSK_WITH_AES_256_CBC_SHA384 [RFC5487] + * 0x00,0xB0 TLS_PSK_WITH_NULL_SHA256 [RFC5487] + * 0x00,0xB1 TLS_PSK_WITH_NULL_SHA384 [RFC5487] + * 0x00,0xB2 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 [RFC5487] + * 0x00,0xB3 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 [RFC5487] + * 0x00,0xB4 TLS_DHE_PSK_WITH_NULL_SHA256 [RFC5487] + * 0x00,0xB5 TLS_DHE_PSK_WITH_NULL_SHA384 [RFC5487] + * 0x00,0xB6 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 [RFC5487] + * 0x00,0xB7 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 [RFC5487] + * 0x00,0xB8 TLS_RSA_PSK_WITH_NULL_SHA256 [RFC5487] + * 0x00,0xB9 TLS_RSA_PSK_WITH_NULL_SHA384 [RFC5487] + * 0x00,0xBA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 [RFC5932] + * 0x00,0xBB TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 [RFC5932] + * 0x00,0xBC TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 [RFC5932] + * 0x00,0xBD TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 [RFC5932] + * 0x00,0xBE TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 [RFC5932] + * 0x00,0xBF TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 [RFC5932] + * 0x00,0xC0 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 [RFC5932] + * 0x00,0xC1 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 [RFC5932] + * 0x00,0xC2 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 [RFC5932] + * 0x00,0xC3 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 [RFC5932] + * 0x00,0xC4 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 [RFC5932] + * 0x00,0xC5 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 [RFC5932] * 0x00,0xC6-FE Unassigned - * 0x00,0xFF TLS_EMPTY_RENEGOTIATION_INFO_SCSV [RFC5746] - * 0x01-BF,* Unassigned - * 0xC0,0x01 TLS_ECDH_ECDSA_WITH_NULL_SHA [RFC4492] - * 0xC0,0x02 TLS_ECDH_ECDSA_WITH_RC4_128_SHA [RFC4492] - * 0xC0,0x03 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA [RFC4492] - * 0xC0,0x04 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA [RFC4492] - * 0xC0,0x05 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA [RFC4492] - * 0xC0,0x06 TLS_ECDHE_ECDSA_WITH_NULL_SHA [RFC4492] - * 0xC0,0x07 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA [RFC4492] - * 0xC0,0x08 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA [RFC4492] - * 0xC0,0x09 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA [RFC4492] - * 0xC0,0x0A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA [RFC4492] - * 0xC0,0x0B TLS_ECDH_RSA_WITH_NULL_SHA [RFC4492] - * 0xC0,0x0C TLS_ECDH_RSA_WITH_RC4_128_SHA [RFC4492] - * 0xC0,0x0D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA [RFC4492] - * 0xC0,0x0E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA [RFC4492] - * 0xC0,0x0F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA [RFC4492] - * 0xC0,0x10 TLS_ECDHE_RSA_WITH_NULL_SHA [RFC4492] - * 0xC0,0x11 TLS_ECDHE_RSA_WITH_RC4_128_SHA [RFC4492] - * 0xC0,0x12 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA [RFC4492] - * 0xC0,0x13 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA [RFC4492] - * 0xC0,0x14 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA [RFC4492] - * 0xC0,0x15 TLS_ECDH_anon_WITH_NULL_SHA [RFC4492] - * 0xC0,0x16 TLS_ECDH_anon_WITH_RC4_128_SHA [RFC4492] - * 0xC0,0x17 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA [RFC4492] - * 0xC0,0x18 TLS_ECDH_anon_WITH_AES_128_CBC_SHA [RFC4492] - * 0xC0,0x19 TLS_ECDH_anon_WITH_AES_256_CBC_SHA [RFC4492] - * 0xC0,0x1A TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA [RFC5054] - * 0xC0,0x1B TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA [RFC5054] - * 0xC0,0x1C TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA [RFC5054] - * 0xC0,0x1D TLS_SRP_SHA_WITH_AES_128_CBC_SHA [RFC5054] - * 0xC0,0x1E TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA [RFC5054] - * 0xC0,0x1F TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA [RFC5054] - * 0xC0,0x20 TLS_SRP_SHA_WITH_AES_256_CBC_SHA [RFC5054] - * 0xC0,0x21 TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA [RFC5054] - * 0xC0,0x22 TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA [RFC5054] - * 0xC0,0x23 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 [RFC5289] - * 0xC0,0x24 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 [RFC5289] - * 0xC0,0x25 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 [RFC5289] - * 0xC0,0x26 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 [RFC5289] - * 0xC0,0x27 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [RFC5289] - * 0xC0,0x28 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 [RFC5289] - * 0xC0,0x29 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 [RFC5289] - * 0xC0,0x2A TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 [RFC5289] - * 0xC0,0x2B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [RFC5289] - * 0xC0,0x2C TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [RFC5289] - * 0xC0,0x2D TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 [RFC5289] - * 0xC0,0x2E TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 [RFC5289] - * 0xC0,0x2F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [RFC5289] - * 0xC0,0x30 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [RFC5289] - * 0xC0,0x31 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 [RFC5289] - * 0xC0,0x32 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 [RFC5289] - * 0xC0,0x33 TLS_ECDHE_PSK_WITH_RC4_128_SHA [RFC5489] - * 0xC0,0x34 TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA [RFC5489] - * 0xC0,0x35 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA [RFC5489] - * 0xC0,0x36 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA [RFC5489] - * 0xC0,0x37 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 [RFC5489] - * 0xC0,0x38 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 [RFC5489] - * 0xC0,0x39 TLS_ECDHE_PSK_WITH_NULL_SHA [RFC5489] - * 0xC0,0x3A TLS_ECDHE_PSK_WITH_NULL_SHA256 [RFC5489] - * 0xC0,0x3B TLS_ECDHE_PSK_WITH_NULL_SHA384 [RFC5489] - * 0xC0,0x3C-FF Unassigned + * 0x00,0xFF TLS_EMPTY_RENEGOTIATION_INFO_SCSV [RFC5746] + * 0x01-55,* Unassigned + * 0x56,0x00 TLS_FALLBACK_SCSV [RFC7507] + * 0x56,0x01-0xC0,0x00 Unassigned + * 0xC0,0x01 TLS_ECDH_ECDSA_WITH_NULL_SHA [RFC4492] + * 0xC0,0x02 TLS_ECDH_ECDSA_WITH_RC4_128_SHA [RFC4492] + * 0xC0,0x03 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA [RFC4492] + * 0xC0,0x04 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA [RFC4492] + * 0xC0,0x05 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA [RFC4492] + * 0xC0,0x06 TLS_ECDHE_ECDSA_WITH_NULL_SHA [RFC4492] + * 0xC0,0x07 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA [RFC4492] + * 0xC0,0x08 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA [RFC4492] + * 0xC0,0x09 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA [RFC4492] + * 0xC0,0x0A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA [RFC4492] + * 0xC0,0x0B TLS_ECDH_RSA_WITH_NULL_SHA [RFC4492] + * 0xC0,0x0C TLS_ECDH_RSA_WITH_RC4_128_SHA [RFC4492] + * 0xC0,0x0D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA [RFC4492] + * 0xC0,0x0E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA [RFC4492] + * 0xC0,0x0F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA [RFC4492] + * 0xC0,0x10 TLS_ECDHE_RSA_WITH_NULL_SHA [RFC4492] + * 0xC0,0x11 TLS_ECDHE_RSA_WITH_RC4_128_SHA [RFC4492] + * 0xC0,0x12 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA [RFC4492] + * 0xC0,0x13 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA [RFC4492] + * 0xC0,0x14 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA [RFC4492] + * 0xC0,0x15 TLS_ECDH_anon_WITH_NULL_SHA [RFC4492] + * 0xC0,0x16 TLS_ECDH_anon_WITH_RC4_128_SHA [RFC4492] + * 0xC0,0x17 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA [RFC4492] + * 0xC0,0x18 TLS_ECDH_anon_WITH_AES_128_CBC_SHA [RFC4492] + * 0xC0,0x19 TLS_ECDH_anon_WITH_AES_256_CBC_SHA [RFC4492] + * 0xC0,0x1A TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA [RFC5054] + * 0xC0,0x1B TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA [RFC5054] + * 0xC0,0x1C TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA [RFC5054] + * 0xC0,0x1D TLS_SRP_SHA_WITH_AES_128_CBC_SHA [RFC5054] + * 0xC0,0x1E TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA [RFC5054] + * 0xC0,0x1F TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA [RFC5054] + * 0xC0,0x20 TLS_SRP_SHA_WITH_AES_256_CBC_SHA [RFC5054] + * 0xC0,0x21 TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA [RFC5054] + * 0xC0,0x22 TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA [RFC5054] + * 0xC0,0x23 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 [RFC5289] + * 0xC0,0x24 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 [RFC5289] + * 0xC0,0x25 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 [RFC5289] + * 0xC0,0x26 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 [RFC5289] + * 0xC0,0x27 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [RFC5289] + * 0xC0,0x28 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 [RFC5289] + * 0xC0,0x29 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 [RFC5289] + * 0xC0,0x2A TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 [RFC5289] + * 0xC0,0x2B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [RFC5289] + * 0xC0,0x2C TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [RFC5289] + * 0xC0,0x2D TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 [RFC5289] + * 0xC0,0x2E TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 [RFC5289] + * 0xC0,0x2F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [RFC5289] + * 0xC0,0x30 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [RFC5289] + * 0xC0,0x31 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 [RFC5289] + * 0xC0,0x32 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 [RFC5289] + * 0xC0,0x33 TLS_ECDHE_PSK_WITH_RC4_128_SHA [RFC5489] + * 0xC0,0x34 TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA [RFC5489] + * 0xC0,0x35 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA [RFC5489] + * 0xC0,0x36 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA [RFC5489] + * 0xC0,0x37 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 [RFC5489] + * 0xC0,0x38 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 [RFC5489] + * 0xC0,0x39 TLS_ECDHE_PSK_WITH_NULL_SHA [RFC5489] + * 0xC0,0x3A TLS_ECDHE_PSK_WITH_NULL_SHA256 [RFC5489] + * 0xC0,0x3B TLS_ECDHE_PSK_WITH_NULL_SHA384 [RFC5489] + * 0xC0,0x3C TLS_RSA_WITH_ARIA_128_CBC_SHA256 [RFC6209] + * 0xC0,0x3D TLS_RSA_WITH_ARIA_256_CBC_SHA384 [RFC6209] + * 0xC0,0x3E TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 [RFC6209] + * 0xC0,0x3F TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 [RFC6209] + * 0xC0,0x40 TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 [RFC6209] + * 0xC0,0x41 TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 [RFC6209] + * 0xC0,0x42 TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 [RFC6209] + * 0xC0,0x43 TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 [RFC6209] + * 0xC0,0x44 TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 [RFC6209] + * 0xC0,0x45 TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 [RFC6209] + * 0xC0,0x46 TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 [RFC6209] + * 0xC0,0x47 TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 [RFC6209] + * 0xC0,0x48 TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 [RFC6209] + * 0xC0,0x49 TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 [RFC6209] + * 0xC0,0x4A TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 [RFC6209] + * 0xC0,0x4B TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 [RFC6209] + * 0xC0,0x4C TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 [RFC6209] + * 0xC0,0x4D TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 [RFC6209] + * 0xC0,0x4E TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 [RFC6209] + * 0xC0,0x4F TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 [RFC6209] + * 0xC0,0x50 TLS_RSA_WITH_ARIA_128_GCM_SHA256 [RFC6209] + * 0xC0,0x51 TLS_RSA_WITH_ARIA_256_GCM_SHA384 [RFC6209] + * 0xC0,0x52 TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 [RFC6209] + * 0xC0,0x53 TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 [RFC6209] + * 0xC0,0x54 TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 [RFC6209] + * 0xC0,0x55 TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 [RFC6209] + * 0xC0,0x56 TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 [RFC6209] + * 0xC0,0x57 TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 [RFC6209] + * 0xC0,0x58 TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 [RFC6209] + * 0xC0,0x59 TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 [RFC6209] + * 0xC0,0x5A TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 [RFC6209] + * 0xC0,0x5B TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 [RFC6209] + * 0xC0,0x5C TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 [RFC6209] + * 0xC0,0x5D TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 [RFC6209] + * 0xC0,0x5E TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 [RFC6209] + * 0xC0,0x5F TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 [RFC6209] + * 0xC0,0x60 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 [RFC6209] + * 0xC0,0x61 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 [RFC6209] + * 0xC0,0x62 TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 [RFC6209] + * 0xC0,0x63 TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 [RFC6209] + * 0xC0,0x64 TLS_PSK_WITH_ARIA_128_CBC_SHA256 [RFC6209] + * 0xC0,0x65 TLS_PSK_WITH_ARIA_256_CBC_SHA384 [RFC6209] + * 0xC0,0x66 TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 [RFC6209] + * 0xC0,0x67 TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 [RFC6209] + * 0xC0,0x68 TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 [RFC6209] + * 0xC0,0x69 TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 [RFC6209] + * 0xC0,0x6A TLS_PSK_WITH_ARIA_128_GCM_SHA256 [RFC6209] + * 0xC0,0x6B TLS_PSK_WITH_ARIA_256_GCM_SHA384 [RFC6209] + * 0xC0,0x6C TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 [RFC6209] + * 0xC0,0x6D TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 [RFC6209] + * 0xC0,0x6E TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 [RFC6209] + * 0xC0,0x6F TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 [RFC6209] + * 0xC0,0x70 TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 [RFC6209] + * 0xC0,0x71 TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 [RFC6209] + * 0xC0,0x72 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 [RFC6367] + * 0xC0,0x73 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 [RFC6367] + * 0xC0,0x74 TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 [RFC6367] + * 0xC0,0x75 TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 [RFC6367] + * 0xC0,0x76 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 [RFC6367] + * 0xC0,0x77 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 [RFC6367] + * 0xC0,0x78 TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 [RFC6367] + * 0xC0,0x79 TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 [RFC6367] + * 0xC0,0x7A TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 [RFC6367] + * 0xC0,0x7B TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 [RFC6367] + * 0xC0,0x7C TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 [RFC6367] + * 0xC0,0x7D TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 [RFC6367] + * 0xC0,0x7E TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 [RFC6367] + * 0xC0,0x7F TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 [RFC6367] + * 0xC0,0x80 TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 [RFC6367] + * 0xC0,0x81 TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 [RFC6367] + * 0xC0,0x82 TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 [RFC6367] + * 0xC0,0x83 TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 [RFC6367] + * 0xC0,0x84 TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 [RFC6367] + * 0xC0,0x85 TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 [RFC6367] + * 0xC0,0x86 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 [RFC6367] + * 0xC0,0x87 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 [RFC6367] + * 0xC0,0x88 TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 [RFC6367] + * 0xC0,0x89 TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 [RFC6367] + * 0xC0,0x8A TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 [RFC6367] + * 0xC0,0x8B TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 [RFC6367] + * 0xC0,0x8C TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 [RFC6367] + * 0xC0,0x8D TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 [RFC6367] + * 0xC0,0x8E TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 [RFC6367] + * 0xC0,0x8F TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 [RFC6367] + * 0xC0,0x90 TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 [RFC6367] + * 0xC0,0x91 TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 [RFC6367] + * 0xC0,0x92 TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 [RFC6367] + * 0xC0,0x93 TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 [RFC6367] + * 0xC0,0x94 TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 [RFC6367] + * 0xC0,0x95 TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 [RFC6367] + * 0xC0,0x96 TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 [RFC6367] + * 0xC0,0x97 TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 [RFC6367] + * 0xC0,0x98 TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 [RFC6367] + * 0xC0,0x99 TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 [RFC6367] + * 0xC0,0x9A TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 [RFC6367] + * 0xC0,0x9B TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 [RFC6367] + * 0xC0,0x9C TLS_RSA_WITH_AES_128_CCM [RFC6655] + * 0xC0,0x9D TLS_RSA_WITH_AES_256_CCM [RFC6655] + * 0xC0,0x9E TLS_DHE_RSA_WITH_AES_128_CCM [RFC6655] + * 0xC0,0x9F TLS_DHE_RSA_WITH_AES_256_CCM [RFC6655] + * 0xC0,0xA0 TLS_RSA_WITH_AES_128_CCM_8 [RFC6655] + * 0xC0,0xA1 TLS_RSA_WITH_AES_256_CCM_8 [RFC6655] + * 0xC0,0xA2 TLS_DHE_RSA_WITH_AES_128_CCM_8 [RFC6655] + * 0xC0,0xA3 TLS_DHE_RSA_WITH_AES_256_CCM_8 [RFC6655] + * 0xC0,0xA4 TLS_PSK_WITH_AES_128_CCM [RFC6655] + * 0xC0,0xA5 TLS_PSK_WITH_AES_256_CCM [RFC6655] + * 0xC0,0xA6 TLS_DHE_PSK_WITH_AES_128_CCM [RFC6655] + * 0xC0,0xA7 TLS_DHE_PSK_WITH_AES_256_CCM [RFC6655] + * 0xC0,0xA8 TLS_PSK_WITH_AES_128_CCM_8 [RFC6655] + * 0xC0,0xA9 TLS_PSK_WITH_AES_256_CCM_8 [RFC6655] + * 0xC0,0xAA TLS_PSK_DHE_WITH_AES_128_CCM_8 [RFC6655] + * 0xC0,0xAB TLS_PSK_DHE_WITH_AES_256_CCM_8 [RFC6655] + * 0xC0,0xAC TLS_ECDHE_ECDSA_WITH_AES_128_CCM [RFC7251] + * 0xC0,0xAD TLS_ECDHE_ECDSA_WITH_AES_256_CCM [RFC7251] + * 0xC0,0xAE TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 [RFC7251] + * 0xC0,0xAF TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 [RFC7251] + * 0xC0,0xB0-FF Unassigned * 0xC1-FD,* Unassigned * 0xFE,0x00-FD Unassigned * 0xFE,0xFE-FF Reserved to avoid conflicts with widely @@ -1289,149 +1407,276 @@ // the debug output. // remaining unsupported ciphersuites defined in RFC2246. - add("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 0x0006); - add("SSL_RSA_WITH_IDEA_CBC_SHA", 0x0007); - add("SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", 0x000b); - add("SSL_DH_DSS_WITH_DES_CBC_SHA", 0x000c); - add("SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA", 0x000d); - add("SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x000e); - add("SSL_DH_RSA_WITH_DES_CBC_SHA", 0x000f); - add("SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA", 0x0010); + add("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 0x0006); + add("SSL_RSA_WITH_IDEA_CBC_SHA", 0x0007); + add("SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", 0x000b); + add("SSL_DH_DSS_WITH_DES_CBC_SHA", 0x000c); + add("SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA", 0x000d); + add("SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x000e); + add("SSL_DH_RSA_WITH_DES_CBC_SHA", 0x000f); + add("SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA", 0x0010); // SSL 3.0 Fortezza ciphersuites - add("SSL_FORTEZZA_DMS_WITH_NULL_SHA", 0x001c); - add("SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA", 0x001d); + add("SSL_FORTEZZA_DMS_WITH_NULL_SHA", 0x001c); + add("SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA", 0x001d); // 1024/56 bit exportable ciphersuites from expired internet draft - add("SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA", 0x0062); - add("SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA", 0x0063); - add("SSL_RSA_EXPORT1024_WITH_RC4_56_SHA", 0x0064); - add("SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA", 0x0065); - add("SSL_DHE_DSS_WITH_RC4_128_SHA", 0x0066); + add("SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA", 0x0062); + add("SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA", 0x0063); + add("SSL_RSA_EXPORT1024_WITH_RC4_56_SHA", 0x0064); + add("SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA", 0x0065); + add("SSL_DHE_DSS_WITH_RC4_128_SHA", 0x0066); // Netscape old and new SSL 3.0 FIPS ciphersuites // see http://www.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html - add("NETSCAPE_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", 0xffe0); - add("NETSCAPE_RSA_FIPS_WITH_DES_CBC_SHA", 0xffe1); - add("SSL_RSA_FIPS_WITH_DES_CBC_SHA", 0xfefe); - add("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", 0xfeff); + add("NETSCAPE_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", 0xffe0); + add("NETSCAPE_RSA_FIPS_WITH_DES_CBC_SHA", 0xffe1); + add("SSL_RSA_FIPS_WITH_DES_CBC_SHA", 0xfefe); + add("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", 0xfeff); // Unsupported Kerberos cipher suites from RFC 2712 - add("TLS_KRB5_WITH_IDEA_CBC_SHA", 0x0021); - add("TLS_KRB5_WITH_IDEA_CBC_MD5", 0x0025); - add("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", 0x0027); - add("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", 0x002a); + add("TLS_KRB5_WITH_IDEA_CBC_SHA", 0x0021); + add("TLS_KRB5_WITH_IDEA_CBC_MD5", 0x0025); + add("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", 0x0027); + add("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", 0x002a); // Unsupported cipher suites from RFC 4162 - add("TLS_RSA_WITH_SEED_CBC_SHA", 0x0096); - add("TLS_DH_DSS_WITH_SEED_CBC_SHA", 0x0097); - add("TLS_DH_RSA_WITH_SEED_CBC_SHA", 0x0098); - add("TLS_DHE_DSS_WITH_SEED_CBC_SHA", 0x0099); - add("TLS_DHE_RSA_WITH_SEED_CBC_SHA", 0x009a); - add("TLS_DH_anon_WITH_SEED_CBC_SHA", 0x009b); + add("TLS_RSA_WITH_SEED_CBC_SHA", 0x0096); + add("TLS_DH_DSS_WITH_SEED_CBC_SHA", 0x0097); + add("TLS_DH_RSA_WITH_SEED_CBC_SHA", 0x0098); + add("TLS_DHE_DSS_WITH_SEED_CBC_SHA", 0x0099); + add("TLS_DHE_RSA_WITH_SEED_CBC_SHA", 0x009a); + add("TLS_DH_anon_WITH_SEED_CBC_SHA", 0x009b); // Unsupported cipher suites from RFC 4279 - add("TLS_PSK_WITH_RC4_128_SHA", 0x008a); - add("TLS_PSK_WITH_3DES_EDE_CBC_SHA", 0x008b); - add("TLS_PSK_WITH_AES_128_CBC_SHA", 0x008c); - add("TLS_PSK_WITH_AES_256_CBC_SHA", 0x008d); - add("TLS_DHE_PSK_WITH_RC4_128_SHA", 0x008e); - add("TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA", 0x008f); - add("TLS_DHE_PSK_WITH_AES_128_CBC_SHA", 0x0090); - add("TLS_DHE_PSK_WITH_AES_256_CBC_SHA", 0x0091); - add("TLS_RSA_PSK_WITH_RC4_128_SHA", 0x0092); - add("TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", 0x0093); - add("TLS_RSA_PSK_WITH_AES_128_CBC_SHA", 0x0094); - add("TLS_RSA_PSK_WITH_AES_256_CBC_SHA", 0x0095); + add("TLS_PSK_WITH_RC4_128_SHA", 0x008a); + add("TLS_PSK_WITH_3DES_EDE_CBC_SHA", 0x008b); + add("TLS_PSK_WITH_AES_128_CBC_SHA", 0x008c); + add("TLS_PSK_WITH_AES_256_CBC_SHA", 0x008d); + add("TLS_DHE_PSK_WITH_RC4_128_SHA", 0x008e); + add("TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA", 0x008f); + add("TLS_DHE_PSK_WITH_AES_128_CBC_SHA", 0x0090); + add("TLS_DHE_PSK_WITH_AES_256_CBC_SHA", 0x0091); + add("TLS_RSA_PSK_WITH_RC4_128_SHA", 0x0092); + add("TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", 0x0093); + add("TLS_RSA_PSK_WITH_AES_128_CBC_SHA", 0x0094); + add("TLS_RSA_PSK_WITH_AES_256_CBC_SHA", 0x0095); // Unsupported cipher suites from RFC 4785 - add("TLS_PSK_WITH_NULL_SHA", 0x002c); - add("TLS_DHE_PSK_WITH_NULL_SHA", 0x002d); - add("TLS_RSA_PSK_WITH_NULL_SHA", 0x002e); + add("TLS_PSK_WITH_NULL_SHA", 0x002c); + add("TLS_DHE_PSK_WITH_NULL_SHA", 0x002d); + add("TLS_RSA_PSK_WITH_NULL_SHA", 0x002e); // Unsupported cipher suites from RFC 5246 - add("TLS_DH_DSS_WITH_AES_128_CBC_SHA", 0x0030); - add("TLS_DH_RSA_WITH_AES_128_CBC_SHA", 0x0031); - add("TLS_DH_DSS_WITH_AES_256_CBC_SHA", 0x0036); - add("TLS_DH_RSA_WITH_AES_256_CBC_SHA", 0x0037); - add("TLS_DH_DSS_WITH_AES_128_CBC_SHA256", 0x003e); - add("TLS_DH_RSA_WITH_AES_128_CBC_SHA256", 0x003f); - add("TLS_DH_DSS_WITH_AES_256_CBC_SHA256", 0x0068); - add("TLS_DH_RSA_WITH_AES_256_CBC_SHA256", 0x0069); + add("TLS_DH_DSS_WITH_AES_128_CBC_SHA", 0x0030); + add("TLS_DH_RSA_WITH_AES_128_CBC_SHA", 0x0031); + add("TLS_DH_DSS_WITH_AES_256_CBC_SHA", 0x0036); + add("TLS_DH_RSA_WITH_AES_256_CBC_SHA", 0x0037); + add("TLS_DH_DSS_WITH_AES_128_CBC_SHA256", 0x003e); + add("TLS_DH_RSA_WITH_AES_128_CBC_SHA256", 0x003f); + add("TLS_DH_DSS_WITH_AES_256_CBC_SHA256", 0x0068); + add("TLS_DH_RSA_WITH_AES_256_CBC_SHA256", 0x0069); // Unsupported cipher suites from RFC 5288 - add("TLS_DH_RSA_WITH_AES_128_GCM_SHA256", 0x00a0); - add("TLS_DH_RSA_WITH_AES_256_GCM_SHA384", 0x00a1); - add("TLS_DH_DSS_WITH_AES_128_GCM_SHA256", 0x00a4); - add("TLS_DH_DSS_WITH_AES_256_GCM_SHA384", 0x00a5); + add("TLS_DH_RSA_WITH_AES_128_GCM_SHA256", 0x00a0); + add("TLS_DH_RSA_WITH_AES_256_GCM_SHA384", 0x00a1); + add("TLS_DH_DSS_WITH_AES_128_GCM_SHA256", 0x00a4); + add("TLS_DH_DSS_WITH_AES_256_GCM_SHA384", 0x00a5); // Unsupported cipher suites from RFC 5487 - add("TLS_PSK_WITH_AES_128_GCM_SHA256", 0x00a8); - add("TLS_PSK_WITH_AES_256_GCM_SHA384", 0x00a9); - add("TLS_DHE_PSK_WITH_AES_128_GCM_SHA256", 0x00aa); - add("TLS_DHE_PSK_WITH_AES_256_GCM_SHA384", 0x00ab); - add("TLS_RSA_PSK_WITH_AES_128_GCM_SHA256", 0x00ac); - add("TLS_RSA_PSK_WITH_AES_256_GCM_SHA384", 0x00ad); - add("TLS_PSK_WITH_AES_128_CBC_SHA256", 0x00ae); - add("TLS_PSK_WITH_AES_256_CBC_SHA384", 0x00af); - add("TLS_PSK_WITH_NULL_SHA256", 0x00b0); - add("TLS_PSK_WITH_NULL_SHA384", 0x00b1); - add("TLS_DHE_PSK_WITH_AES_128_CBC_SHA256", 0x00b2); - add("TLS_DHE_PSK_WITH_AES_256_CBC_SHA384", 0x00b3); - add("TLS_DHE_PSK_WITH_NULL_SHA256", 0x00b4); - add("TLS_DHE_PSK_WITH_NULL_SHA384", 0x00b5); - add("TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", 0x00b6); - add("TLS_RSA_PSK_WITH_AES_256_CBC_SHA384", 0x00b7); - add("TLS_RSA_PSK_WITH_NULL_SHA256", 0x00b8); - add("TLS_RSA_PSK_WITH_NULL_SHA384", 0x00b9); + add("TLS_PSK_WITH_AES_128_GCM_SHA256", 0x00a8); + add("TLS_PSK_WITH_AES_256_GCM_SHA384", 0x00a9); + add("TLS_DHE_PSK_WITH_AES_128_GCM_SHA256", 0x00aa); + add("TLS_DHE_PSK_WITH_AES_256_GCM_SHA384", 0x00ab); + add("TLS_RSA_PSK_WITH_AES_128_GCM_SHA256", 0x00ac); + add("TLS_RSA_PSK_WITH_AES_256_GCM_SHA384", 0x00ad); + add("TLS_PSK_WITH_AES_128_CBC_SHA256", 0x00ae); + add("TLS_PSK_WITH_AES_256_CBC_SHA384", 0x00af); + add("TLS_PSK_WITH_NULL_SHA256", 0x00b0); + add("TLS_PSK_WITH_NULL_SHA384", 0x00b1); + add("TLS_DHE_PSK_WITH_AES_128_CBC_SHA256", 0x00b2); + add("TLS_DHE_PSK_WITH_AES_256_CBC_SHA384", 0x00b3); + add("TLS_DHE_PSK_WITH_NULL_SHA256", 0x00b4); + add("TLS_DHE_PSK_WITH_NULL_SHA384", 0x00b5); + add("TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", 0x00b6); + add("TLS_RSA_PSK_WITH_AES_256_CBC_SHA384", 0x00b7); + add("TLS_RSA_PSK_WITH_NULL_SHA256", 0x00b8); + add("TLS_RSA_PSK_WITH_NULL_SHA384", 0x00b9); // Unsupported cipher suites from RFC 5932 - add("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", 0x0041); - add("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA", 0x0042); - add("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA", 0x0043); - add("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", 0x0044); - add("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", 0x0045); - add("TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA", 0x0046); - add("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", 0x0084); - add("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA", 0x0085); - add("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA", 0x0086); - add("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", 0x0087); - add("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", 0x0088); - add("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", 0x0089); - add("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", 0x00ba); - add("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256", 0x00bb); - add("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256", 0x00bc); - add("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256", 0x00bd); - add("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", 0x00be); - add("TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256", 0x00bf); - add("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", 0x00c0); - add("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256", 0x00c1); - add("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256", 0x00c2); - add("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256", 0x00c3); - add("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", 0x00c4); - add("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256", 0x00c5); + add("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", 0x0041); + add("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA", 0x0042); + add("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA", 0x0043); + add("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", 0x0044); + add("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", 0x0045); + add("TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA", 0x0046); + add("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", 0x0084); + add("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA", 0x0085); + add("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA", 0x0086); + add("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", 0x0087); + add("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", 0x0088); + add("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", 0x0089); + add("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", 0x00ba); + add("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256", 0x00bb); + add("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256", 0x00bc); + add("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256", 0x00bd); + add("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", 0x00be); + add("TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256", 0x00bf); + add("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", 0x00c0); + add("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256", 0x00c1); + add("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256", 0x00c2); + add("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256", 0x00c3); + add("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", 0x00c4); + add("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256", 0x00c5); + + // TLS Fallback Signaling Cipher Suite Value (SCSV) RFC 7507 + add("TLS_FALLBACK_SCSV", 0x5600); // Unsupported cipher suites from RFC 5054 - add("TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA", 0xc01a); - add("TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", 0xc01b); - add("TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", 0xc01c); - add("TLS_SRP_SHA_WITH_AES_128_CBC_SHA", 0xc01d); - add("TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", 0xc01e); - add("TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", 0xc01f); - add("TLS_SRP_SHA_WITH_AES_256_CBC_SHA", 0xc020); - add("TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", 0xc021); - add("TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", 0xc022); + add("TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA", 0xc01a); + add("TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", 0xc01b); + add("TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", 0xc01c); + add("TLS_SRP_SHA_WITH_AES_128_CBC_SHA", 0xc01d); + add("TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", 0xc01e); + add("TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", 0xc01f); + add("TLS_SRP_SHA_WITH_AES_256_CBC_SHA", 0xc020); + add("TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", 0xc021); + add("TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", 0xc022); // Unsupported cipher suites from RFC 5489 - add("TLS_ECDHE_PSK_WITH_RC4_128_SHA", 0xc033); - add("TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA", 0xc034); - add("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", 0xc035); - add("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", 0xc036); - add("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", 0xc037); - add("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384", 0xc038); - add("TLS_ECDHE_PSK_WITH_NULL_SHA", 0xc039); - add("TLS_ECDHE_PSK_WITH_NULL_SHA256", 0xc03a); - add("TLS_ECDHE_PSK_WITH_NULL_SHA384", 0xc03b); + add("TLS_ECDHE_PSK_WITH_RC4_128_SHA", 0xc033); + add("TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA", 0xc034); + add("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", 0xc035); + add("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", 0xc036); + add("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", 0xc037); + add("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384", 0xc038); + add("TLS_ECDHE_PSK_WITH_NULL_SHA", 0xc039); + add("TLS_ECDHE_PSK_WITH_NULL_SHA256", 0xc03a); + add("TLS_ECDHE_PSK_WITH_NULL_SHA384", 0xc03b); + + // Unsupported cipher suites from RFC 6209 + add("TLS_RSA_WITH_ARIA_128_CBC_SHA256", 0xc03c); + add("TLS_RSA_WITH_ARIA_256_CBC_SHA384", 0xc03d); + add("TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256", 0xc03e); + add("TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384", 0xc03f); + add("TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256", 0xc040); + add("TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384", 0xc041); + add("TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256", 0xc042); + add("TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384", 0xc043); + add("TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256", 0xc044); + add("TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384", 0xc045); + add("TLS_DH_anon_WITH_ARIA_128_CBC_SHA256", 0xc046); + add("TLS_DH_anon_WITH_ARIA_256_CBC_SHA384", 0xc047); + add("TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256", 0xc048); + add("TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384", 0xc049); + add("TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256", 0xc04a); + add("TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384", 0xc04b); + add("TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256", 0xc04c); + add("TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384", 0xc04d); + add("TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256", 0xc04e); + add("TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384", 0xc04f); + add("TLS_RSA_WITH_ARIA_128_GCM_SHA256", 0xc050); + add("TLS_RSA_WITH_ARIA_256_GCM_SHA384", 0xc051); + add("TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256", 0xc052); + add("TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384", 0xc053); + add("TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256", 0xc054); + add("TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384", 0xc055); + add("TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256", 0xc056); + add("TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384", 0xc057); + add("TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256", 0xc058); + add("TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384", 0xc059); + add("TLS_DH_anon_WITH_ARIA_128_GCM_SHA256", 0xc05a); + add("TLS_DH_anon_WITH_ARIA_256_GCM_SHA384", 0xc05b); + add("TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256", 0xc05c); + add("TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384", 0xc05d); + add("TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256", 0xc05e); + add("TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384", 0xc05f); + add("TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256", 0xc060); + add("TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384", 0xc061); + add("TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256", 0xc062); + add("TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384", 0xc063); + add("TLS_PSK_WITH_ARIA_128_CBC_SHA256", 0xc064); + add("TLS_PSK_WITH_ARIA_256_CBC_SHA384", 0xc065); + add("TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256", 0xc066); + add("TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384", 0xc067); + add("TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256", 0xc068); + add("TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384", 0xc069); + add("TLS_PSK_WITH_ARIA_128_GCM_SHA256", 0xc06a); + add("TLS_PSK_WITH_ARIA_256_GCM_SHA384", 0xc06b); + add("TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256", 0xc06c); + add("TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384", 0xc06d); + add("TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256", 0xc06e); + add("TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384", 0xc06f); + add("TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256", 0xc070); + add("TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384", 0xc071); + + // Unsupported cipher suites from RFC 6367 + add("TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", 0xc072); + add("TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", 0xc073); + add("TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", 0xc074); + add("TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", 0xc075); + add("TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", 0xc076); + add("TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384", 0xc077); + add("TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256", 0xc078); + add("TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384", 0xc079); + add("TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256", 0xc07a); + add("TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384", 0xc07b); + add("TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", 0xc07c); + add("TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", 0xc07d); + add("TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256", 0xc07e); + add("TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384", 0xc07f); + add("TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256", 0xc080); + add("TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384", 0xc081); + add("TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256", 0xc082); + add("TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384", 0xc083); + add("TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256", 0xc084); + add("TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384", 0xc085); + add("TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", 0xc086); + add("TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", 0xc087); + add("TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", 0xc088); + add("TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", 0xc089); + add("TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", 0xc08a); + add("TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", 0xc08b); + add("TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256", 0xc08c); + add("TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384", 0xc08d); + add("TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256", 0xc08e); + add("TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384", 0xc08f); + add("TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256", 0xc090); + add("TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384", 0xc091); + add("TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256", 0xc092); + add("TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384", 0xc093); + add("TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256", 0xc094); + add("TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384", 0xc095); + add("TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", 0xc096); + add("TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", 0xc097); + add("TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256", 0xc098); + add("TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384", 0xc099); + add("TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", 0xc09a); + add("TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", 0xc09b); + + // Unsupported cipher suites from RFC 6655 + add("TLS_RSA_WITH_AES_128_CCM", 0xc09c); + add("TLS_RSA_WITH_AES_256_CCM", 0xc09d); + add("TLS_DHE_RSA_WITH_AES_128_CCM", 0xc09e); + add("TLS_DHE_RSA_WITH_AES_256_CCM", 0xc09f); + add("TLS_RSA_WITH_AES_128_CCM_8", 0xc0A0); + add("TLS_RSA_WITH_AES_256_CCM_8", 0xc0A1); + add("TLS_DHE_RSA_WITH_AES_128_CCM_8", 0xc0A2); + add("TLS_DHE_RSA_WITH_AES_256_CCM_8", 0xc0A3); + add("TLS_PSK_WITH_AES_128_CCM", 0xc0A4); + add("TLS_PSK_WITH_AES_256_CCM", 0xc0A5); + add("TLS_DHE_PSK_WITH_AES_128_CCM", 0xc0A6); + add("TLS_DHE_PSK_WITH_AES_256_CCM", 0xc0A7); + add("TLS_PSK_WITH_AES_128_CCM_8", 0xc0A8); + add("TLS_PSK_WITH_AES_256_CCM_8", 0xc0A9); + add("TLS_PSK_DHE_WITH_AES_128_CCM_8", 0xc0Aa); + add("TLS_PSK_DHE_WITH_AES_256_CCM_8", 0xc0Ab); + + // Unsupported cipher suites from RFC 7251 + add("TLS_ECDHE_ECDSA_WITH_AES_128_CCM", 0xc0Ac); + add("TLS_ECDHE_ECDSA_WITH_AES_256_CCM", 0xc0Ad); + add("TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", 0xc0Ae); + add("TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", 0xc0Af); } // ciphersuite SSL_NULL_WITH_NULL_NULL
--- a/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java Wed Dec 02 03:37:29 2015 +0000 @@ -151,6 +151,9 @@ private static final boolean enableMFLExtension = Debug.getBooleanProperty("jsse.enableMFLExtension", false); + // Whether an ALPN extension was sent in the ClientHello + private boolean alpnActive = false; + private List<SNIServerName> requestedServerNames = Collections.<SNIServerName>emptyList(); @@ -700,6 +703,44 @@ } // Otherwise, using the value negotiated during the original // session initiation + // check the ALPN extension + ALPNExtension serverHelloALPN = + (ALPNExtension) mesg.extensions.get(ExtensionType.EXT_ALPN); + + if (serverHelloALPN != null) { + // Check whether an ALPN extension was sent in ClientHello message + if (!alpnActive) { + fatalSE(Alerts.alert_unsupported_extension, + "Server sent " + ExtensionType.EXT_ALPN + + " extension when not requested by client"); + } + + List<String> protocols = serverHelloALPN.getPeerAPs(); + // Only one application protocol name should be present + String p; + if ((protocols.size() == 1) && + !((p = protocols.get(0)).isEmpty())) { + int i; + for (i = 0; i < localApl.length; i++) { + if (localApl[i].equals(p)) { + break; + } + } + if (i == localApl.length) { + fatalSE(Alerts.alert_handshake_failure, + "Server has selected an application protocol name " + + "which was not offered by the client: " + p); + } + applicationProtocol = p; + } else { + fatalSE(Alerts.alert_handshake_failure, + "Incorrect data in ServerHello " + ExtensionType.EXT_ALPN + + " message"); + } + } else { + applicationProtocol = ""; + } + if (resumingSession && session != null) { setHandshakeSessionSE(session); // Reserve the handshake state if this is a session-resumption @@ -729,6 +770,7 @@ } else if ((type != ExtensionType.EXT_ELLIPTIC_CURVES) && (type != ExtensionType.EXT_EC_POINT_FORMATS) && (type != ExtensionType.EXT_SERVER_NAME) + && (type != ExtensionType.EXT_ALPN) && (type != ExtensionType.EXT_RENEGOTIATION_INFO) && (type != ExtensionType.EXT_STATUS_REQUEST) && (type != ExtensionType.EXT_STATUS_REQUEST_V2)) { @@ -1525,6 +1567,12 @@ clientHelloMessage.addCertStatusRequestExtension(); } + // Add ALPN extension + if (localApl != null && localApl.length > 0) { + clientHelloMessage.addALPNExtension(localApl); + alpnActive = true; + } + // reset the client random cookie clnt_random = clientHelloMessage.clnt_random;
--- a/jdk/src/java.base/share/classes/sun/security/ssl/ExtensionType.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/ssl/ExtensionType.java Wed Dec 02 03:37:29 2015 +0000 @@ -43,8 +43,7 @@ return name; } - static List<ExtensionType> knownExtensions = - new ArrayList<ExtensionType>(14); + static List<ExtensionType> knownExtensions = new ArrayList<>(15); static ExtensionType get(int id) { for (ExtensionType ext : knownExtensions) { @@ -97,6 +96,11 @@ static final ExtensionType EXT_SIGNATURE_ALGORITHMS = e(0x000D, "signature_algorithms"); // IANA registry value: 13 + // extension defined in RFC 7301 (ALPN) + static final ExtensionType EXT_ALPN = + e(0x0010, "application_layer_protocol_negotiation"); + // IANA registry value: 16 + // extensions defined in RFC 6961 static final ExtensionType EXT_STATUS_REQUEST_V2 = e(0x0011, "status_request_v2"); // IANA registry value: 17
--- a/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java Wed Dec 02 03:37:29 2015 +0000 @@ -412,6 +412,11 @@ extensions.add(new CertStatusReqListV2Extension(itemList)); } + // add application_layer_protocol_negotiation extension + void addALPNExtension(String[] applicationProtocols) throws SSLException { + extensions.add(new ALPNExtension(applicationProtocols)); + } + @Override int messageType() { return ht_client_hello; }
--- a/jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java Wed Dec 02 03:37:29 2015 +0000 @@ -116,6 +116,12 @@ List<SNIServerName> serverNames = Collections.<SNIServerName>emptyList(); Collection<SNIMatcher> sniMatchers = Collections.<SNIMatcher>emptyList(); + // List of local ApplicationProtocols + String[] localApl = null; + + // Negotiated ALPN value + String applicationProtocol = null; + // The maximum expected network packet size for SSL/TLS/DTLS records. int maximumPacketSize = 0; @@ -481,6 +487,20 @@ } /** + * Sets the Application Protocol list. + */ + void setApplicationProtocols(String[] apl) { + this.localApl = apl; + } + + /** + * Gets the "negotiated" ALPN value. + */ + String getHandshakeApplicationProtocol() { + return applicationProtocol; + } + + /** * Sets the cipher suites preference. */ void setUseCipherSuitesOrder(boolean on) {
--- a/jdk/src/java.base/share/classes/sun/security/ssl/HelloExtensions.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/ssl/HelloExtensions.java Wed Dec 02 03:37:29 2015 +0000 @@ -33,8 +33,8 @@ /** * This file contains all the classes relevant to TLS Extensions for the * ClientHello and ServerHello messages. The extension mechanism and - * several extensions are defined in RFC 3546. Additional extensions are - * defined in the ECC RFC 4492. + * several extensions are defined in RFC 6066. Additional extensions are + * defined in the ECC RFC 4492 and the ALPN extension is defined in RFC 7301. * * Currently, only the two ECC extensions are fully supported. * @@ -52,6 +52,7 @@ * . SupportedEllipticCurvesExtension: the ECC supported curves extension. * . SupportedEllipticPointFormatsExtension: the ECC supported point formats * (compressed/uncompressed) extension. + * . ALPNExtension: the application_layer_protocol_negotiation extension. * * @since 1.6 * @author Andreas Sterbenz @@ -85,6 +86,8 @@ new SupportedEllipticPointFormatsExtension(s, extlen); } else if (extType == ExtensionType.EXT_RENEGOTIATION_INFO) { extension = new RenegotiationInfoExtension(s, extlen); + } else if (extType == ExtensionType.EXT_ALPN) { + extension = new ALPNExtension(s, extlen); } else if (extType == ExtensionType.EXT_MAX_FRAGMENT_LENGTH) { extension = new MaxFragmentLengthExtension(s, extlen); } else if (extType == ExtensionType.EXT_STATUS_REQUEST) {
--- a/jdk/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java Wed Dec 02 03:37:29 2015 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -198,6 +198,14 @@ Collection<SNIMatcher> sniMatchers = Collections.<SNIMatcher>emptyList(); + // Configured application protocol values + String[] applicationProtocols = new String[0]; + + // Negotiated application protocol value. + // + // The value under negotiation will be obtained from handshaker. + String applicationProtocol = null; + // Have we been told whether we're client or server? private boolean serverModeSet = false; private boolean roleIsServer; @@ -413,6 +421,7 @@ } else { // cs_DATA connectionState = cs_RENEGOTIATE; } + if (roleIsServer) { handshaker = new ServerHandshaker(this, sslContext, enabledProtocols, doClientAuth, @@ -432,6 +441,7 @@ handshaker.setMaximumPacketSize(maximumPacketSize); handshaker.setEnabledCipherSuites(enabledCipherSuites); handshaker.setEnableSessionCreation(enableSessionCreation); + handshaker.setApplicationProtocols(applicationProtocols); outputRecord.initHandshaker(); } @@ -1055,6 +1065,9 @@ handshaker.isSecureRenegotiation(); clientVerifyData = handshaker.getClientVerifyData(); serverVerifyData = handshaker.getServerVerifyData(); + // set connection ALPN value + applicationProtocol = + handshaker.getHandshakeApplicationProtocol(); sess = handshaker.getSession(); handshakeSession = null; @@ -2140,6 +2153,7 @@ params.setUseCipherSuitesOrder(preferLocalCipherSuites); params.setEnableRetransmissions(enableRetransmissions); params.setMaximumPacketSize(maximumPacketSize); + params.setApplicationProtocols(applicationProtocols); return params; } @@ -2174,11 +2188,13 @@ if (matchers != null) { sniMatchers = matchers; } + applicationProtocols = params.getApplicationProtocols(); if ((handshaker != null) && !handshaker.started()) { handshaker.setIdentificationProtocol(identificationProtocol); handshaker.setAlgorithmConstraints(algorithmConstraints); handshaker.setMaximumPacketSize(maximumPacketSize); + handshaker.setApplicationProtocols(applicationProtocols); if (roleIsServer) { handshaker.setSNIMatchers(sniMatchers); handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites); @@ -2188,6 +2204,19 @@ } } + @Override + public synchronized String getApplicationProtocol() { + return applicationProtocol; + } + + @Override + public synchronized String getHandshakeApplicationProtocol() { + if ((handshaker != null) && !handshaker.started()) { + return handshaker.getHandshakeApplicationProtocol(); + } + return null; + } + /** * Returns a printable representation of this end of the connection. */
--- a/jdk/src/java.base/share/classes/sun/security/ssl/SSLServerSocketImpl.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/ssl/SSLServerSocketImpl.java Wed Dec 02 03:37:29 2015 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -92,6 +92,9 @@ Collection<SNIMatcher> sniMatchers = Collections.<SNIMatcher>emptyList(); + // Configured application protocol values + String[] applicationProtocols = new String[0]; + /* * Whether local cipher suites preference in server side should be * honored during handshaking? @@ -311,7 +314,7 @@ params.setAlgorithmConstraints(algorithmConstraints); params.setSNIMatchers(sniMatchers); params.setUseCipherSuitesOrder(preferLocalCipherSuites); - + params.setApplicationProtocols(applicationProtocols); return params; } @@ -331,6 +334,7 @@ if (matchers != null) { sniMatchers = params.getSNIMatchers(); } + applicationProtocols = params.getApplicationProtocols(); } /**
--- a/jdk/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java Wed Dec 02 03:37:29 2015 +0000 @@ -210,6 +210,14 @@ Collection<SNIMatcher> sniMatchers = Collections.<SNIMatcher>emptyList(); + // Configured application protocol values + String[] applicationProtocols = new String[0]; + + // Negotiated application protocol value. + // + // The value under negotiation will be obtained from handshaker. + String applicationProtocol = null; + /* * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME * * IMPORTANT STUFF TO UNDERSTANDING THE SYNCHRONIZATION ISSUES. @@ -1116,6 +1124,9 @@ handshaker.isSecureRenegotiation(); clientVerifyData = handshaker.getClientVerifyData(); serverVerifyData = handshaker.getServerVerifyData(); + // set connection ALPN value + applicationProtocol = + handshaker.getHandshakeApplicationProtocol(); sess = handshaker.getSession(); handshakeSession = null; @@ -1314,6 +1325,7 @@ } else { // cs_DATA connectionState = cs_RENEGOTIATE; } + if (roleIsServer) { handshaker = new ServerHandshaker(this, sslContext, enabledProtocols, doClientAuth, @@ -1331,6 +1343,7 @@ handshaker.setMaximumPacketSize(maximumPacketSize); handshaker.setEnabledCipherSuites(enabledCipherSuites); handshaker.setEnableSessionCreation(enableSessionCreation); + handshaker.setApplicationProtocols(applicationProtocols); } /** @@ -2511,6 +2524,7 @@ params.setServerNames(serverNames); params.setUseCipherSuitesOrder(preferLocalCipherSuites); params.setMaximumPacketSize(maximumPacketSize); + params.setApplicationProtocols(applicationProtocols); // DTLS handshake retransmissions parameter does not apply here. @@ -2549,10 +2563,13 @@ sniMatchers = matchers; } + applicationProtocols = params.getApplicationProtocols(); + if ((handshaker != null) && !handshaker.started()) { handshaker.setIdentificationProtocol(identificationProtocol); handshaker.setAlgorithmConstraints(algorithmConstraints); handshaker.setMaximumPacketSize(maximumPacketSize); + handshaker.setApplicationProtocols(applicationProtocols); if (roleIsServer) { handshaker.setSNIMatchers(sniMatchers); handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites); @@ -2562,6 +2579,19 @@ } } + @Override + public synchronized String getApplicationProtocol() { + return applicationProtocol; + } + + @Override + public synchronized String getHandshakeApplicationProtocol() { + if ((handshaker != null) && !handshaker.started()) { + return handshaker.getHandshakeApplicationProtocol(); + } + return null; + } + // // We allocate a separate thread to deliver handshake completion // events. This ensures that the notifications don't block the
--- a/jdk/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java Wed Dec 02 03:37:29 2015 +0000 @@ -528,6 +528,36 @@ } } + // check the ALPN extension + ALPNExtension clientHelloALPN = (ALPNExtension) + mesg.extensions.get(ExtensionType.EXT_ALPN); + + if ((clientHelloALPN != null) && (localApl.length > 0)) { + + // Intersect the requested and the locally supported, + // and save for later. + String negotiatedValue = null; + List<String> protocols = clientHelloALPN.getPeerAPs(); + + // Use server preference order + for (String ap : localApl) { + if (protocols.contains(ap)) { + negotiatedValue = ap; + break; + } + } + + if (negotiatedValue == null) { + fatalSE(Alerts.alert_no_application_protocol, + new SSLHandshakeException( + "No matching ALPN values")); + } + applicationProtocol = negotiatedValue; + + } else { + applicationProtocol = ""; + } + // cookie exchange if (isDTLS) { HelloCookieManager hcMgr = sslContext.getHelloCookieManager(); @@ -921,6 +951,11 @@ } } + // Prepare the ALPN response + if (applicationProtocol != null && !applicationProtocol.isEmpty()) { + m1.extensions.add(new ALPNExtension(applicationProtocol)); + } + if (debug != null && Debug.isOn("handshake")) { m1.print(System.out); System.out.println("Cipher suite: " + session.getSuite());
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/test/javax/net/ssl/ALPN/SSLEngineAlpnTest.java Wed Dec 02 03:37:29 2015 +0000 @@ -0,0 +1,497 @@ +/* + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// SunJSSE does not support dynamic system properties, no way to re-use +// system properties in samevm/agentvm mode. + +/* + * @test + * @bug 8051498 + * @summary JEP 244: TLS Application-Layer Protocol Negotiation Extension + * @run main/othervm SSLEngineAlpnTest h2 h2 h2 + * @run main/othervm SSLEngineAlpnTest h2 h2,http/1.1 h2 + * @run main/othervm SSLEngineAlpnTest h2,http/1.1 h2,http/1.1 h2 + * @run main/othervm SSLEngineAlpnTest http/1.1,h2 h2,http/1.1 http/1.1 + * @run main/othervm SSLEngineAlpnTest h4,h3,h2 h1,h2 h2 + * @run main/othervm SSLEngineAlpnTest EMPTY h2,http/1.1 NONE + * @run main/othervm SSLEngineAlpnTest h2 EMPTY NONE + * @run main/othervm SSLEngineAlpnTest H2 h2 ERROR + * @run main/othervm SSLEngineAlpnTest h2 http/1.1 ERROR + */ +/** + * A simple SSLEngine-based client/server that demonstrates the proposed API + * changes for JEP 244 in support of the TLS ALPN extension (RFC 7301). + * + * This example is based on our standard SSLEngineTemplate. + * + * The immediate consumer of ALPN will be HTTP/2 (RFC 7540), aka H2. The H2 IETF + * Working Group wanted to use TLSv1.3+ as the secure transport mechanism, but + * TLSv1.3 wasn't ready. The H2 folk agreed to a compromise that only TLSv1.2+ + * can be used, and that if TLSv1.2 was selected, non-TLSv.1.3-approved + * ciphersuites would be blacklisted and their use discouraged. + * + * In order to support connections that might negotiate either HTTP/1.1 and H2, + * the guidance from the IETF Working Group is that the H2 ciphersuites be + * prioritized/tried first. + */ + +/* + * The original SSLEngineTemplate comments follow. + * + * A SSLEngine usage example which simplifies the presentation + * by removing the I/O and multi-threading concerns. + * + * The test creates two SSLEngines, simulating a client and server. + * The "transport" layer consists two byte buffers: think of them + * as directly connected pipes. + * + * Note, this is a *very* simple example: real code will be much more + * involved. For example, different threading and I/O models could be + * used, transport mechanisms could close unexpectedly, and so on. + * + * When this application runs, notice that several messages + * (wrap/unwrap) pass before any application data is consumed or + * produced. (For more information, please see the SSL/TLS + * specifications.) There may several steps for a successful handshake, + * so it's typical to see the following series of operations: + * + * client server message + * ====== ====== ======= + * wrap() ... ClientHello + * ... unwrap() ClientHello + * ... wrap() ServerHello/Certificate + * unwrap() ... ServerHello/Certificate + * wrap() ... ClientKeyExchange + * wrap() ... ChangeCipherSpec + * wrap() ... Finished + * ... unwrap() ClientKeyExchange + * ... unwrap() ChangeCipherSpec + * ... unwrap() Finished + * ... wrap() ChangeCipherSpec + * ... wrap() Finished + * unwrap() ... ChangeCipherSpec + * unwrap() ... Finished + */ +import javax.net.ssl.*; +import javax.net.ssl.SSLEngineResult.*; +import java.io.*; +import java.security.*; +import java.nio.*; + +public class SSLEngineAlpnTest { + + /* + * Enables logging of the SSLEngine operations. + */ + private static final boolean logging = true; + + /* + * Enables the JSSE system debugging system property: + * + * -Djavax.net.debug=all + * + * This gives a lot of low-level information about operations underway, + * including specific handshake messages, and might be best examined + * after gaining some familiarity with this application. + */ + private static final boolean debug = false; + + private final SSLContext sslc; + + private SSLEngine clientEngine; // client Engine + private ByteBuffer clientOut; // write side of clientEngine + private ByteBuffer clientIn; // read side of clientEngine + + private SSLEngine serverEngine; // server Engine + private ByteBuffer serverOut; // write side of serverEngine + private ByteBuffer serverIn; // read side of serverEngine + + /* + * For data transport, this example uses local ByteBuffers. This + * isn't really useful, but the purpose of this example is to show + * SSLEngine concepts, not how to do network transport. + */ + private ByteBuffer cTOs; // "reliable" transport client->server + private ByteBuffer sTOc; // "reliable" transport server->client + + /* + * The following is to set up the keystores. + */ + private static final String pathToStores = "../etc"; + private static final String keyStoreFile = "keystore"; + private static final String trustStoreFile = "truststore"; + private static final String passwd = "passphrase"; + + private static final String keyFilename + = System.getProperty("test.src", ".") + "/" + pathToStores + + "/" + keyStoreFile; + private static final String trustFilename + = System.getProperty("test.src", ".") + "/" + pathToStores + + "/" + trustStoreFile; + + /* + * Main entry point for this test. + */ + public static void main(String args[]) throws Exception { + if (debug) { + System.setProperty("javax.net.debug", "all"); + } + + // Validate parameters + if (args.length != 3) { + throw new Exception("Invalid number of test parameters"); + } + + SSLEngineAlpnTest test = new SSLEngineAlpnTest(); + try { + test.runTest(convert(args[0]), convert(args[1]), args[2]); + } catch (SSLHandshakeException she) { + if (args[2].equals("ERROR")) { + System.out.println("Caught the expected exception: " + she); + } else { + throw she; + } + } + + System.out.println("Test Passed."); + } + + /* + * Create an initialized SSLContext to use for these tests. + */ + public SSLEngineAlpnTest() throws Exception { + + KeyStore ks = KeyStore.getInstance("JKS"); + KeyStore ts = KeyStore.getInstance("JKS"); + + char[] passphrase = "passphrase".toCharArray(); + + ks.load(new FileInputStream(keyFilename), passphrase); + ts.load(new FileInputStream(trustFilename), passphrase); + + KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); + kmf.init(ks, passphrase); + + TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); + tmf.init(ts); + + SSLContext sslCtx = SSLContext.getInstance("TLS"); + + sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); + + sslc = sslCtx; + } + + /* + * Convert a comma-separated list into an array of strings. + */ + private static String[] convert(String list) { + String[] strings = null; + + if (list.equals("EMPTY")) { + return new String[0]; + } + + if (list.indexOf(',') > 0) { + strings = list.split(","); + } else { + strings = new String[]{ list }; + } + + return strings; + } + + /* + * Run the test. + * + * Sit in a tight loop, both engines calling wrap/unwrap regardless + * of whether data is available or not. We do this until both engines + * report back they are closed. + * + * The main loop handles all of the I/O phases of the SSLEngine's + * lifetime: + * + * initial handshaking + * application data transfer + * engine closing + * + * One could easily separate these phases into separate + * sections of code. + */ + private void runTest(String[] serverAPs, String[] clientAPs, + String expectedAP) throws Exception { + + boolean dataDone = false; + + createSSLEngines(serverAPs, clientAPs); + createBuffers(); + + SSLEngineResult clientResult; // results from client's last operation + SSLEngineResult serverResult; // results from server's last operation + + /* + * Examining the SSLEngineResults could be much more involved, + * and may alter the overall flow of the application. + * + * For example, if we received a BUFFER_OVERFLOW when trying + * to write to the output pipe, we could reallocate a larger + * pipe, but instead we wait for the peer to drain it. + */ + while (!isEngineClosed(clientEngine) + || !isEngineClosed(serverEngine)) { + + log("================"); + + clientResult = clientEngine.wrap(clientOut, cTOs); + log("client wrap: ", clientResult); + runDelegatedTasks(clientResult, clientEngine); + checkAPResult(clientEngine, clientResult, expectedAP); + + serverResult = serverEngine.wrap(serverOut, sTOc); + log("server wrap: ", serverResult); + runDelegatedTasks(serverResult, serverEngine); + checkAPResult(serverEngine, serverResult, expectedAP); + + cTOs.flip(); + sTOc.flip(); + + log("----"); + + clientResult = clientEngine.unwrap(sTOc, clientIn); + log("client unwrap: ", clientResult); + runDelegatedTasks(clientResult, clientEngine); + checkAPResult(clientEngine, clientResult, expectedAP); + + serverResult = serverEngine.unwrap(cTOs, serverIn); + log("server unwrap: ", serverResult); + runDelegatedTasks(serverResult, serverEngine); + checkAPResult(serverEngine, serverResult, expectedAP); + + cTOs.compact(); + sTOc.compact(); + + /* + * After we've transfered all application data between the client + * and server, we close the clientEngine's outbound stream. + * This generates a close_notify handshake message, which the + * server engine receives and responds by closing itself. + */ + if (!dataDone && (clientOut.limit() == serverIn.position()) + && (serverOut.limit() == clientIn.position())) { + + /* + * A sanity check to ensure we got what was sent. + */ + checkTransfer(serverOut, clientIn); + checkTransfer(clientOut, serverIn); + + log("\tClosing clientEngine's *OUTBOUND*..."); + clientEngine.closeOutbound(); + dataDone = true; + } + } + } + + /* + * Check that the resulting connection meets our defined ALPN + * criteria. If we were connecting to a non-JSSE implementation, + * the server might have negotiated something we shouldn't accept. + * + * If we were expecting an ALPN value from server, let's make sure + * the conditions match. + */ + private static void checkAPResult(SSLEngine engine, SSLEngineResult result, + String expectedAP) throws Exception { + + if (result.getHandshakeStatus() != HandshakeStatus.FINISHED) { + return; + } + + String ap = engine.getApplicationProtocol(); + System.out.println("Application Protocol: \"" + ap + "\""); + + if (ap == null) { + throw new Exception( + "Handshake was completed but null was received"); + } + if (expectedAP.equals("NONE")) { + if (!ap.isEmpty()) { + throw new Exception("Expected no ALPN value"); + } else { + System.out.println("No ALPN value negotiated, as expected"); + } + } else if (!expectedAP.equals(ap)) { + throw new Exception(expectedAP + + " ALPN value not available on negotiated connection"); + } + } + + /* + * Using the SSLContext created during object creation, + * create/configure the SSLEngines we'll use for this test. + */ + private void createSSLEngines(String[] serverAPs, String[] clientAPs) + throws Exception { + /* + * Configure the serverEngine to act as a server in the SSL/TLS + * handshake. Also, require SSL client authentication. + */ + serverEngine = sslc.createSSLEngine(); + serverEngine.setUseClientMode(false); + + SSLParameters sslp = serverEngine.getSSLParameters(); + + sslp.setNeedClientAuth(true); + + /* + * The default ciphersuite ordering from the SSLContext may not + * reflect "h2" ciphersuites as being preferred, additionally the + * client may not send them in an appropriate order. We could resort + * the suite list if so desired. + */ + String[] suites = sslp.getCipherSuites(); + sslp.setCipherSuites(suites); + sslp.setApplicationProtocols(serverAPs); + sslp.setUseCipherSuitesOrder(true); // Set server side order + + serverEngine.setSSLParameters(sslp); + + /* + * Similar to above, but using client mode instead. + */ + clientEngine = sslc.createSSLEngine("client", 80); + clientEngine.setUseClientMode(true); + sslp = clientEngine.getSSLParameters(); + sslp.setApplicationProtocols(clientAPs); + clientEngine.setSSLParameters(sslp); + } + + /* + * Create and size the buffers appropriately. + */ + private void createBuffers() { + + /* + * We'll assume the buffer sizes are the same + * between client and server. + */ + SSLSession session = clientEngine.getSession(); + int appBufferMax = session.getApplicationBufferSize(); + int netBufferMax = session.getPacketBufferSize(); + + /* + * We'll make the input buffers a bit bigger than the max needed + * size, so that unwrap()s following a successful data transfer + * won't generate BUFFER_OVERFLOWS. + * + * We'll use a mix of direct and indirect ByteBuffers for + * tutorial purposes only. In reality, only use direct + * ByteBuffers when they give a clear performance enhancement. + */ + clientIn = ByteBuffer.allocate(appBufferMax + 50); + serverIn = ByteBuffer.allocate(appBufferMax + 50); + + cTOs = ByteBuffer.allocateDirect(netBufferMax); + sTOc = ByteBuffer.allocateDirect(netBufferMax); + + clientOut = ByteBuffer.wrap("Hi Server, I'm Client".getBytes()); + serverOut = ByteBuffer.wrap("Hello Client, I'm Server".getBytes()); + } + + /* + * If the result indicates that we have outstanding tasks to do, + * go ahead and run them in this thread. + */ + private static void runDelegatedTasks(SSLEngineResult result, + SSLEngine engine) throws Exception { + + if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) { + Runnable runnable; + while ((runnable = engine.getDelegatedTask()) != null) { + log("\trunning delegated task..."); + runnable.run(); + } + HandshakeStatus hsStatus = engine.getHandshakeStatus(); + if (hsStatus == HandshakeStatus.NEED_TASK) { + throw new Exception( + "handshake shouldn't need additional tasks"); + } + log("\tnew HandshakeStatus: " + hsStatus); + } + } + + private static boolean isEngineClosed(SSLEngine engine) { + return (engine.isOutboundDone() && engine.isInboundDone()); + } + + /* + * Simple check to make sure everything came across as expected. + */ + private static void checkTransfer(ByteBuffer a, ByteBuffer b) + throws Exception { + a.flip(); + b.flip(); + + if (!a.equals(b)) { + throw new Exception("Data didn't transfer cleanly"); + } else { + log("\tData transferred cleanly"); + } + + a.position(a.limit()); + b.position(b.limit()); + a.limit(a.capacity()); + b.limit(b.capacity()); + } + + /* + * Logging code + */ + private static boolean resultOnce = true; + + private static void log(String str, SSLEngineResult result) { + if (!logging) { + return; + } + if (resultOnce) { + resultOnce = false; + System.out.println("The format of the SSLEngineResult is: \n" + + "\t\"getStatus() / getHandshakeStatus()\" +\n" + + "\t\"bytesConsumed() / bytesProduced()\"\n"); + } + HandshakeStatus hsStatus = result.getHandshakeStatus(); + log(str + + result.getStatus() + "/" + hsStatus + ", " + + result.bytesConsumed() + "/" + result.bytesProduced() + + " bytes"); + if (hsStatus == HandshakeStatus.FINISHED) { + log("\t...ready for application data"); + } + } + + private static void log(String str) { + if (logging) { + System.out.println(str); + } + } +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/test/javax/net/ssl/ALPN/SSLSocketAlpnTest.java Wed Dec 02 03:37:29 2015 +0000 @@ -0,0 +1,439 @@ +/* + * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// SunJSSE does not support dynamic system properties, no way to re-use +// system properties in samevm/agentvm mode. + +/* + * @test + * @bug 8051498 + * @summary JEP 244: TLS Application-Layer Protocol Negotiation Extension + * @run main/othervm SSLSocketAlpnTest h2 h2 h2 + * @run main/othervm SSLSocketAlpnTest h2 h2,http/1.1 h2 + * @run main/othervm SSLSocketAlpnTest h2,http/1.1 h2,http/1.1 h2 + * @run main/othervm SSLSocketAlpnTest http/1.1,h2 h2,http/1.1 http/1.1 + * @run main/othervm SSLSocketAlpnTest h4,h3,h2 h1,h2 h2 + * @run main/othervm SSLSocketAlpnTest EMPTY h2,http/1.1 NONE + * @run main/othervm SSLSocketAlpnTest h2 EMPTY NONE + * @run main/othervm SSLSocketAlpnTest H2 h2 ERROR + * @run main/othervm SSLSocketAlpnTest h2 http/1.1 ERROR + * @author Brad Wetmore + */ +import java.io.*; +import javax.net.ssl.*; + +public class SSLSocketAlpnTest { + + /* + * ============================================================= + * Set the various variables needed for the tests, then + * specify what tests to run on each side. + */ + + /* + * Should we run the client or server in a separate thread? + * Both sides can throw exceptions, but do you have a preference + * as to which side should be the main thread. + */ + static boolean separateServerThread = false; + + /* + * Where do we find the keystores? + */ + static String pathToStores = "../etc"; + static String keyStoreFile = "keystore"; + static String trustStoreFile = "truststore"; + static String passwd = "passphrase"; + + /* + * Is the server ready to serve? + */ + volatile static boolean serverReady = false; + + /* + * Turn on SSL debugging? + */ + static boolean debug = false; + + static String[] serverAPs; + static String[] clientAPs; + static String expectedAP; + + /* + * If the client or server is doing some kind of object creation + * that the other side depends on, and that thread prematurely + * exits, you may experience a hang. The test harness will + * terminate all hung threads after its timeout has expired, + * currently 3 minutes by default, but you might try to be + * smart about it.... + */ + + /* + * Define the server side of the test. + * + * If the server prematurely exits, serverReady will be set to true + * to avoid infinite hangs. + */ + void doServerSide() throws Exception { + SSLServerSocketFactory sslssf + = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault(); + SSLServerSocket sslServerSocket + = (SSLServerSocket) sslssf.createServerSocket(serverPort); + + serverPort = sslServerSocket.getLocalPort(); + + /* + * Signal Client, we're ready for his connect. + */ + serverReady = true; + + SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept(); + + SSLParameters sslp = sslSocket.getSSLParameters(); + + /* + * The default ciphersuite ordering from the SSLContext may not + * reflect "h2" ciphersuites as being preferred, additionally the + * client may not send them in an appropriate order. We could resort + * the suite list if so desired. + */ + String[] suites = sslp.getCipherSuites(); + sslp.setCipherSuites(suites); + sslp.setUseCipherSuitesOrder(true); // Set server side order + + // Set the ALPN selection. + sslp.setApplicationProtocols(serverAPs); + sslSocket.setSSLParameters(sslp); + + sslSocket.startHandshake(); + + String ap = sslSocket.getApplicationProtocol(); + System.out.println("Application Protocol: \"" + ap + "\""); + + if (ap == null) { + throw new Exception( + "Handshake was completed but null was received"); + } + if (expectedAP.equals("NONE")) { + if (!ap.isEmpty()) { + throw new Exception("Expected no ALPN value"); + } else { + System.out.println("No ALPN value negotiated, as expected"); + } + } else if (!expectedAP.equals(ap)) { + throw new Exception(expectedAP + + " ALPN value not available on negotiated connection"); + } + + InputStream sslIS = sslSocket.getInputStream(); + OutputStream sslOS = sslSocket.getOutputStream(); + + sslIS.read(); + sslOS.write(85); + sslOS.flush(); + + sslSocket.close(); + } + + /* + * Define the client side of the test. + * + * If the server prematurely exits, serverReady will be set to true + * to avoid infinite hangs. + */ + void doClientSide() throws Exception { + + /* + * Wait for server to get started. + */ + while (!serverReady) { + Thread.sleep(50); + } + + SSLSocketFactory sslsf + = (SSLSocketFactory) SSLSocketFactory.getDefault(); + SSLSocket sslSocket + = (SSLSocket) sslsf.createSocket("localhost", serverPort); + + SSLParameters sslp = sslSocket.getSSLParameters(); + + /* + * The default ciphersuite ordering from the SSLContext may not + * reflect "h2" ciphersuites as being preferred, additionally the + * client may not send them in an appropriate order. We could resort + * the suite list if so desired. + */ + String[] suites = sslp.getCipherSuites(); + sslp.setCipherSuites(suites); + sslp.setUseCipherSuitesOrder(true); // Set server side order + + // Set the ALPN selection. + sslp.setApplicationProtocols(clientAPs); + sslSocket.setSSLParameters(sslp); + + sslSocket.startHandshake(); + + /* + * Check that the resulting connection meets our defined ALPN + * criteria. If we were connecting to a non-JSSE implementation, + * the server might have negotiated something we shouldn't accept. + * + * We were expecting H2 from server, let's make sure the + * conditions match. + */ + String ap = sslSocket.getApplicationProtocol(); + System.out.println("Application Protocol: \"" + ap + "\""); + + if (ap == null) { + throw new Exception( + "Handshake was completed but null was received"); + } + if (expectedAP.equals("NONE")) { + if (!ap.isEmpty()) { + throw new Exception("Expected no ALPN value"); + } else { + System.out.println("No ALPN value negotiated, as expected"); + } + } else if (!expectedAP.equals(ap)) { + throw new Exception(expectedAP + + " ALPN value not available on negotiated connection"); + } + + InputStream sslIS = sslSocket.getInputStream(); + OutputStream sslOS = sslSocket.getOutputStream(); + + sslOS.write(280); + sslOS.flush(); + sslIS.read(); + + sslSocket.close(); + } + + /* + * ============================================================= + * The remainder is just support stuff + */ + // use any free port by default + volatile int serverPort = 0; + + volatile Exception serverException = null; + volatile Exception clientException = null; + + public static void main(String[] args) throws Exception { + String keyFilename + = System.getProperty("test.src", ".") + "/" + pathToStores + + "/" + keyStoreFile; + String trustFilename + = System.getProperty("test.src", ".") + "/" + pathToStores + + "/" + trustStoreFile; + + System.setProperty("javax.net.ssl.keyStore", keyFilename); + System.setProperty("javax.net.ssl.keyStorePassword", passwd); + System.setProperty("javax.net.ssl.trustStore", trustFilename); + System.setProperty("javax.net.ssl.trustStorePassword", passwd); + + if (debug) { + System.setProperty("javax.net.debug", "all"); + } + + // Validate parameters + if (args.length != 3) { + throw new Exception("Invalid number of test parameters"); + } + serverAPs = convert(args[0]); + clientAPs = convert(args[1]); + expectedAP = args[2]; + + /* + * Start the tests. + */ + try { + new SSLSocketAlpnTest(); + } catch (SSLHandshakeException she) { + if (args[2].equals("ERROR")) { + System.out.println("Caught the expected exception: " + she); + } else { + throw she; + } + } + + System.out.println("Test Passed."); + } + + /* + * Convert a comma-separated list into an array of strings. + */ + private static String[] convert(String list) { + String[] strings; + + if (list.equals("EMPTY")) { + return new String[0]; + } + + if (list.indexOf(',') > 0) { + strings = list.split(","); + } else { + strings = new String[]{ list }; + } + + return strings; + } + + Thread clientThread = null; + Thread serverThread = null; + + /* + * Primary constructor, used to drive remainder of the test. + * + * Fork off the other side, then do your work. + */ + SSLSocketAlpnTest() throws Exception { + Exception startException = null; + try { + if (separateServerThread) { + startServer(true); + startClient(false); + } else { + startClient(true); + startServer(false); + } + } catch (Exception e) { + startException = e; + } + + /* + * Wait for other side to close down. + */ + if (separateServerThread) { + if (serverThread != null) { + serverThread.join(); + } + } else { + if (clientThread != null) { + clientThread.join(); + } + } + + /* + * When we get here, the test is pretty much over. + * Which side threw the error? + */ + Exception local; + Exception remote; + + if (separateServerThread) { + remote = serverException; + local = clientException; + } else { + remote = clientException; + local = serverException; + } + + Exception exception = null; + + /* + * Check various exception conditions. + */ + if ((local != null) && (remote != null)) { + // If both failed, return the curthread's exception. + local.initCause(remote); + exception = local; + } else if (local != null) { + exception = local; + } else if (remote != null) { + exception = remote; + } else if (startException != null) { + exception = startException; + } + + /* + * If there was an exception *AND* a startException, + * output it. + */ + if (exception != null) { + if (exception != startException && startException != null) { + exception.addSuppressed(startException); + } + throw exception; + } + + // Fall-through: no exception to throw! + } + + void startServer(boolean newThread) throws Exception { + if (newThread) { + serverThread = new Thread() { + @Override + public void run() { + try { + doServerSide(); + } catch (Exception e) { + /* + * Our server thread just died. + * + * Release the client, if not active already... + */ + System.err.println("Server died..."); + serverReady = true; + serverException = e; + } + } + }; + serverThread.start(); + } else { + try { + doServerSide(); + } catch (Exception e) { + serverException = e; + } finally { + serverReady = true; + } + } + } + + void startClient(boolean newThread) throws Exception { + if (newThread) { + clientThread = new Thread() { + @Override + public void run() { + try { + doClientSide(); + } catch (Exception e) { + /* + * Our client thread just died. + */ + System.err.println("Client died..."); + clientException = e; + } + } + }; + clientThread.start(); + } else { + try { + doClientSide(); + } catch (Exception e) { + clientException = e; + } + } + } +}
--- a/jdk/test/javax/net/ssl/templates/SSLEngineTemplate.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/test/javax/net/ssl/templates/SSLEngineTemplate.java Wed Dec 02 03:37:29 2015 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -78,7 +78,7 @@ /* * Enables logging of the SSLEngine operations. */ - private static boolean logging = true; + private static final boolean logging = true; /* * Enables the JSSE system debugging system property: @@ -89,9 +89,9 @@ * including specific handshake messages, and might be best examined * after gaining some familiarity with this application. */ - private static boolean debug = false; + private static final boolean debug = false; - private SSLContext sslc; + private final SSLContext sslc; private SSLEngine clientEngine; // client Engine private ByteBuffer clientOut; // write side of clientEngine @@ -112,15 +112,15 @@ /* * The following is to set up the keystores. */ - private static String pathToStores = "../etc"; - private static String keyStoreFile = "keystore"; - private static String trustStoreFile = "truststore"; - private static String passwd = "passphrase"; + private static final String pathToStores = "../etc"; + private static final String keyStoreFile = "keystore"; + private static final String trustStoreFile = "truststore"; + private static final String passwd = "passphrase"; - private static String keyFilename = + private static final String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + "/" + keyStoreFile; - private static String trustFilename = + private static final String trustFilename = System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile;
--- a/jdk/test/javax/net/ssl/templates/SSLSocketSSLEngineTemplate.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/test/javax/net/ssl/templates/SSLSocketSSLEngineTemplate.java Wed Dec 02 03:37:29 2015 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -86,7 +86,7 @@ /* * Enables logging of the SSL/TLS operations. */ - private static boolean logging = true; + private static final boolean logging = true; /* * Enables the JSSE system debugging system property: @@ -97,8 +97,8 @@ * including specific handshake messages, and might be best examined * after gaining some familiarity with this application. */ - private static boolean debug = false; - private SSLContext sslc; + private static final boolean debug = false; + private final SSLContext sslc; private SSLEngine serverEngine; // server-side SSLEngine private SSLSocket sslSocket; // client-side socket private ServerSocket serverSocket; // server-side Socket, generates the... @@ -128,10 +128,10 @@ private static final String keyStoreFile = "keystore"; private static final String trustStoreFile = "truststore"; private static final String passwd = "passphrase"; - private static String keyFilename = + private static final String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + "/" + keyStoreFile; - private static String trustFilename = + private static final String trustFilename = System.getProperty("test.src", ".") + "/" + pathToStores + "/" + trustStoreFile; @@ -252,7 +252,7 @@ byte[] outbound = new byte[8192]; while (!isEngineClosed(serverEngine)) { - int len = 0; + int len; // Inbound data log("================"); @@ -326,7 +326,6 @@ serverIn.compact(); } } - return; } catch (Exception e) { serverException = e; } finally { @@ -384,13 +383,12 @@ int pos = 0; int len; -done: while ((len = is.read(inbound, pos, 2048 - pos)) != -1) { pos += len; // Let the client do the closing. if ((pos == serverMsg.length) && !serverClose) { sslSocket.close(); - break done; + break; } }
--- a/jdk/test/javax/net/ssl/templates/SSLSocketTemplate.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/test/javax/net/ssl/templates/SSLSocketTemplate.java Wed Dec 02 03:37:29 2015 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2001, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,7 +33,6 @@ */ import java.io.*; -import java.net.*; import javax.net.ssl.*; public class SSLSocketTemplate { @@ -162,8 +161,9 @@ System.setProperty("javax.net.ssl.trustStore", trustFilename); System.setProperty("javax.net.ssl.trustStorePassword", passwd); - if (debug) + if (debug) { System.setProperty("javax.net.debug", "all"); + } /* * Start the tests. @@ -255,6 +255,7 @@ void startServer(boolean newThread) throws Exception { if (newThread) { serverThread = new Thread() { + @Override public void run() { try { doServerSide(); @@ -285,6 +286,7 @@ void startClient(boolean newThread) throws Exception { if (newThread) { clientThread = new Thread() { + @Override public void run() { try { doClientSide();
--- a/jdk/test/sun/security/ssl/ExtensionType/OptimalListSize.java Wed Dec 02 03:29:49 2015 +0000 +++ b/jdk/test/sun/security/ssl/ExtensionType/OptimalListSize.java Wed Dec 02 03:37:29 2015 +0000 @@ -36,6 +36,6 @@ public static void main(String[] args) throws Throwable { OptimalCapacity.ofArrayList( Class.forName("sun.security.ssl.ExtensionType"), - "knownExtensions", 14); + "knownExtensions", 15); } }