8061210: Issues in TLS
Reviewed-by: jnimeh, mullan, wetmore, ahgross, asmotrak
diff --git a/jdk/src/share/classes/sun/security/ssl/Handshaker.java b/jdk/src/share/classes/sun/security/ssl/Handshaker.java
index 4d6fc97..092c125 100644
--- a/jdk/src/share/classes/sun/security/ssl/Handshaker.java
+++ b/jdk/src/share/classes/sun/security/ssl/Handshaker.java
@@ -500,7 +500,9 @@
if (activeProtocols.collection().isEmpty() ||
activeProtocols.max.v == ProtocolVersion.NONE.v) {
- throw new SSLHandshakeException("No appropriate protocol");
+ throw new SSLHandshakeException(
+ "No appropriate protocol (protocol is disabled or " +
+ "cipher suites are inappropriate)");
}
if (activeCipherSuites == null) {
@@ -678,6 +680,16 @@
if (activeProtocols == null) {
ArrayList<ProtocolVersion> protocols = new ArrayList<>(4);
for (ProtocolVersion protocol : enabledProtocols.collection()) {
+ if (!algorithmConstraints.permits(
+ EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+ protocol.name, null)) {
+ if (debug != null && Debug.isOn("verbose")) {
+ System.out.println(
+ "Ignoring disabled protocol: " + protocol);
+ }
+
+ continue;
+ }
boolean found = false;
for (CipherSuite suite : enabledCipherSuites.collection()) {
if (suite.isAvailable() && suite.obsoleted > protocol.v &&
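Review bot: The added `algorithmConstraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), protocol.name, null)` call passes a protocol version name where the API takes an algorithm name, and nothing in the hunk explains why `KEY_AGREEMENT` is the primitive. Add a short comment above the `if` saying that the protocol name is matched against the disabled-algorithms list and why that primitive was chosen. The skip is printed only when `Debug.isOn("verbose")`, so in a normal run the only trace of a filtered protocol is the generic "No appropriate protocol" exception changed in the first hunk; that is worth saying in the comment too. The enclosing loop and method continue outside the hunk.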
diff --git a/jdk/src/share/classes/sun/security/ssl/ProtocolVersion.java b/jdk/src/share/classes/sun/security/ssl/ProtocolVersion.java
index fb47641..879d0f0 100644
--- a/jdk/src/share/classes/sun/security/ssl/ProtocolVersion.java
+++ b/jdk/src/share/classes/sun/security/ssl/ProtocolVersion.java
@@ -25,6 +25,9 @@
package sun.security.ssl;
+import java.util.*;
+import java.security.CryptoPrimitive;
+
/**
* Type safe enum for an SSL/TLS protocol version. Instances are obtained
* using the static factory methods or by referencing the static members
@@ -86,6 +89,11 @@
// Default version for hello messages (SSLv2Hello)
final static ProtocolVersion DEFAULT_HELLO = FIPS ? TLS10 : SSL30;
+ // Available protocols
+ //
+ // Including all supported protocols except the disabled ones.
+ final static Set<ProtocolVersion> availableProtocols;
+
// version in 16 bit MSB format as it appears in records and
// messages, i.e. 0x0301 for TLS 1.0
public final int v;
@@ -96,6 +104,24 @@
// name used in JSSE (e.g. TLSv1 for TLS 1.0)
final String name;
+ // Initialize the available protocols.
+ static {
+ Set<ProtocolVersion> protocols = new HashSet<>(5);
+
+ ProtocolVersion[] pvs = new ProtocolVersion[] {
+ SSL20Hello, SSL30, TLS10, TLS11, TLS12};
+ for (ProtocolVersion p : pvs) {
+ if (SSLAlgorithmConstraints.DEFAULT_SSL_ONLY.permits(
+ EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+ p.name, null)) {
+ protocols.add(p);
+ }
+ }
+
+ availableProtocols =
+ Collections.<ProtocolVersion>unmodifiableSet(protocols);
+ }
+
// private
private ProtocolVersion(int v, String name) {
this.v = v;
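Review bot: `availableProtocols` is filled once in the static initializer, so it holds whatever `SSLAlgorithmConstraints.DEFAULT_SSL_ONLY` permitted when `ProtocolVersion` was first loaded. Whether the constraints object re-reads the security property later is not visible here, but this cached set cannot change either way. The field comment in the previous hunk should state that, for example `// Computed once at class initialization; later changes to the disabled-algorithms property are not reflected.` The block also depends on `SSL20Hello` … `TLS12` being declared textually above it, which deserves a one-line note so nobody moves it. The constructor that follows continues outside the hunk.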
diff --git a/jdk/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java b/jdk/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java
index d62641b..1a8a973 100644
--- a/jdk/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java
+++ b/jdk/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java
@@ -55,6 +55,14 @@
private boolean enabledX509DisabledAlgConstraints = true;
+ // the default algorithm constraints
+ final static AlgorithmConstraints DEFAULT =
+ new SSLAlgorithmConstraints(null);
+
+ // the default SSL only algorithm constraints
+ final static AlgorithmConstraints DEFAULT_SSL_ONLY =
+ new SSLAlgorithmConstraints((SSLSocket)null, false);
+
SSLAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) {
userAlgConstraints = algorithmConstraints;
}
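Review bot: The comments on `DEFAULT` and `DEFAULT_SSL_ONLY` do not say how the two differ. The whole distinction sits in the bare `false` passed to `new SSLAlgorithmConstraints((SSLSocket)null, false)`, whose parameter name is not visible in this hunk. The comment should name what that flag switches off, presumably the certification-path constraints, to be confirmed against the constructor. On style, both fields use `final static` while the SSLContextImpl part of this same commit rewrites `private final static` to `private static final`; use `static final` here and on `availableProtocols` in ProtocolVersion for consistency.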
diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
index 8f8fb4d..b00a26d 100644
--- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
+++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -52,10 +52,6 @@
private X509TrustManager trustManager;
private SecureRandom secureRandom;
- // The default algrithm constraints
- private AlgorithmConstraints defaultAlgorithmConstraints =
- new SSLAlgorithmConstraints(null);
-
// supported and default protocols
private ProtocolList defaultServerProtocolList;
private ProtocolList defaultClientProtocolList;
@@ -350,7 +346,7 @@
if (suite.isAvailable() &&
suite.obsoleted > protocols.min.v &&
suite.supported <= protocols.max.v) {
- if (defaultAlgorithmConstraints.permits(
+ if (SSLAlgorithmConstraints.DEFAULT.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
suite.name, null)) {
suites.add(suite);
@@ -431,11 +427,16 @@
*/
private abstract static class AbstractSSLContext extends SSLContextImpl {
// parameters
- private final static SSLParameters defaultServerSSLParams;
- private final static SSLParameters supportedSSLParams;
+ private static final SSLParameters defaultServerSSLParams;
+ private static final SSLParameters supportedSSLParams;
static {
+ // supported SSL parameters
supportedSSLParams = new SSLParameters();
+
+ // candidates for available protocols
+ ProtocolVersion[] candidates;
+
if (SunJSSE.isFIPS()) {
supportedSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name,
@@ -443,7 +444,11 @@
ProtocolVersion.TLS12.name
});
- defaultServerSSLParams = supportedSSLParams;
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.TLS10,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS12
+ };
} else {
supportedSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL20Hello.name,
@@ -453,8 +458,18 @@
ProtocolVersion.TLS12.name
});
- defaultServerSSLParams = supportedSSLParams;
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.SSL20Hello,
+ ProtocolVersion.SSL30,
+ ProtocolVersion.TLS10,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS12
+ };
}
+
+ defaultServerSSLParams = new SSLParameters();
+ defaultServerSSLParams.setProtocols(
+ getAvailableProtocols(candidates).toArray(new String[0]));
}
@Override
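Review bot: `supportedSSLParams` still lists every protocol name, while `defaultServerSSLParams` is now filtered through `getAvailableProtocols(candidates)`. A caller can therefore pick a protocol from the supported list that, per the java.security comment added in this commit, will never be negotiated. A comment in the static block should say this is deliberate, for example `// supported protocols are not filtered by the disabled-algorithms list; disabled ones fail at handshake time`. The `candidates` arrays also repeat the `String[]` literals directly above them in both branches, so the two lists can drift; building the supported names from `candidates` would leave one list per branch. The static block spans three hunks and the class continues outside them.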
@@ -466,6 +481,22 @@
SSLParameters getSupportedSSLParams() {
return supportedSSLParams;
}
+
+ static List<String> getAvailableProtocols(
+ ProtocolVersion[] protocolCandidates) {
+
+ List<String> availableProtocols = Collections.<String>emptyList();
+ if (protocolCandidates != null && protocolCandidates.length != 0) {
+ availableProtocols = new ArrayList<>(protocolCandidates.length);
+ for (ProtocolVersion p : protocolCandidates) {
+ if (ProtocolVersion.availableProtocols.contains(p)) {
+ availableProtocols.add(p.name);
+ }
+ }
+ }
+
+ return availableProtocols;
+ }
}
/*
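Review bot: `getAvailableProtocols` returns the immutable `Collections.<String>emptyList()` on one path and a mutable `ArrayList` on the other, so its contract differs by input. Every caller visible in this diff immediately calls `.toArray(new String[0])`, repeated in five static initializers. Either return `String[]` directly or document the list as read-only. The local `availableProtocols` has the same name as the static `ProtocolVersion.availableProtocols` it is compared against on the line `if (ProtocolVersion.availableProtocols.contains(p))`; renaming the local (e.g. `names`) would make that line easier to read. The method has no comment; a one-line Javadoc saying it keeps only candidates not disabled by the security property would be enough.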
@@ -474,21 +505,25 @@
* @see SSLContext
*/
public static final class TLS10Context extends AbstractSSLContext {
- private final static SSLParameters defaultClientSSLParams;
+ private static final SSLParameters defaultClientSSLParams;
static {
- defaultClientSSLParams = new SSLParameters();
+ // candidates for available protocols
+ ProtocolVersion[] candidates;
if (SunJSSE.isFIPS()) {
- defaultClientSSLParams.setProtocols(new String[] {
- ProtocolVersion.TLS10.name
- });
-
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.TLS10
+ };
} else {
- defaultClientSSLParams.setProtocols(new String[] {
- ProtocolVersion.SSL30.name,
- ProtocolVersion.TLS10.name
- });
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.SSL30,
+ ProtocolVersion.TLS10
+ };
}
+
+ defaultClientSSLParams = new SSLParameters();
+ defaultClientSSLParams.setProtocols(
+ getAvailableProtocols(candidates).toArray(new String[0]));
}
@Override
@@ -503,23 +538,27 @@
* @see SSLContext
*/
public static final class TLS11Context extends AbstractSSLContext {
- private final static SSLParameters defaultClientSSLParams;
+ private static final SSLParameters defaultClientSSLParams;
static {
- defaultClientSSLParams = new SSLParameters();
+ // candidates for available protocols
+ ProtocolVersion[] candidates;
if (SunJSSE.isFIPS()) {
- defaultClientSSLParams.setProtocols(new String[] {
- ProtocolVersion.TLS10.name,
- ProtocolVersion.TLS11.name
- });
-
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.TLS10,
+ ProtocolVersion.TLS11
+ };
} else {
- defaultClientSSLParams.setProtocols(new String[] {
- ProtocolVersion.SSL30.name,
- ProtocolVersion.TLS10.name,
- ProtocolVersion.TLS11.name
- });
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.SSL30,
+ ProtocolVersion.TLS10,
+ ProtocolVersion.TLS11
+ };
}
+
+ defaultClientSSLParams = new SSLParameters();
+ defaultClientSSLParams.setProtocols(
+ getAvailableProtocols(candidates).toArray(new String[0]));
}
@Override
@@ -534,25 +573,29 @@
* @see SSLContext
*/
public static final class TLS12Context extends AbstractSSLContext {
- private final static SSLParameters defaultClientSSLParams;
+ private static final SSLParameters defaultClientSSLParams;
static {
- defaultClientSSLParams = new SSLParameters();
+ // candidates for available protocols
+ ProtocolVersion[] candidates;
if (SunJSSE.isFIPS()) {
- defaultClientSSLParams.setProtocols(new String[] {
- ProtocolVersion.TLS10.name,
- ProtocolVersion.TLS11.name,
- ProtocolVersion.TLS12.name
- });
-
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.TLS10,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS12
+ };
} else {
- defaultClientSSLParams.setProtocols(new String[] {
- ProtocolVersion.SSL30.name,
- ProtocolVersion.TLS10.name,
- ProtocolVersion.TLS11.name,
- ProtocolVersion.TLS12.name
- });
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.SSL30,
+ ProtocolVersion.TLS10,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS12
+ };
}
+
+ defaultClientSSLParams = new SSLParameters();
+ defaultClientSSLParams.setProtocols(
+ getAvailableProtocols(candidates).toArray(new String[0]));
}
@Override
@@ -567,8 +610,8 @@
* @see SSLContext
*/
private static class CustomizedSSLContext extends AbstractSSLContext {
- private final static String PROPERTY_NAME = "jdk.tls.client.protocols";
- private final static SSLParameters defaultClientSSLParams;
+ private static final String PROPERTY_NAME = "jdk.tls.client.protocols";
+ private static final SSLParameters defaultClientSSLParams;
private static IllegalArgumentException reservedException = null;
// Don't want a java.lang.LinkageError for illegal system property.
@@ -578,60 +621,74 @@
// the provider service. Instead, let's handle the initialization
// exception in constructor.
static {
+ // candidates for available protocols
+ ProtocolVersion[] candidates;
+
String property = AccessController.doPrivileged(
new GetPropertyAction(PROPERTY_NAME));
- defaultClientSSLParams = new SSLParameters();
if (property == null || property.length() == 0) {
// the default enabled client TLS protocols
if (SunJSSE.isFIPS()) {
- defaultClientSSLParams.setProtocols(new String[] {
- ProtocolVersion.TLS10.name,
- ProtocolVersion.TLS11.name,
- ProtocolVersion.TLS12.name
- });
-
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.TLS10,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS12
+ };
} else {
- defaultClientSSLParams.setProtocols(new String[] {
- ProtocolVersion.SSL30.name,
- ProtocolVersion.TLS10.name,
- ProtocolVersion.TLS11.name,
- ProtocolVersion.TLS12.name
- });
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.SSL30,
+ ProtocolVersion.TLS10,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS12
+ };
}
} else {
// remove double quote marks from beginning/end of the property
- if (property.charAt(0) == '"' &&
+ if (property.length() > 1 && property.charAt(0) == '"' &&
property.charAt(property.length() - 1) == '"') {
property = property.substring(1, property.length() - 1);
}
- String[] protocols = property.split(",");
+ String[] protocols = null;
+ if (property != null && property.length() != 0) {
+ protocols = property.split(",");
+ } else {
+ reservedException = new IllegalArgumentException(
+ "No protocol specified in " +
+ PROPERTY_NAME + " system property");
+ protocols = new String[0];
+ }
+
+ candidates = new ProtocolVersion[protocols.length];
for (int i = 0; i < protocols.length; i++) {
protocols[i] = protocols[i].trim();
// Is it a supported protocol name?
try {
- ProtocolVersion.valueOf(protocols[i]);
+ candidates[i] = ProtocolVersion.valueOf(protocols[i]);
} catch (IllegalArgumentException iae) {
reservedException = new IllegalArgumentException(
- PROPERTY_NAME + ": " + protocols[i] +
- " is not a standard SSL protocol name", iae);
+ PROPERTY_NAME + ": " + protocols[i] +
+ " is not a standard SSL/TLS protocol name", iae);
+ break;
}
}
if ((reservedException == null) && SunJSSE.isFIPS()) {
- for (String protocol : protocols) {
- if (ProtocolVersion.SSL20Hello.name.equals(protocol) ||
- ProtocolVersion.SSL30.name.equals(protocol)) {
+ for (ProtocolVersion protocolVersion : candidates) {
+ if (ProtocolVersion.SSL20Hello.v == protocolVersion.v ||
+ ProtocolVersion.SSL30.v == protocolVersion.v) {
reservedException = new IllegalArgumentException(
- PROPERTY_NAME + ": " + protocol +
+ PROPERTY_NAME + ": " + protocolVersion +
" is not FIPS compliant");
}
}
}
+ }
- if (reservedException == null) {
- defaultClientSSLParams.setProtocols(protocols);
- }
+ defaultClientSSLParams = new SSLParameters();
+ if (reservedException == null) {
+ defaultClientSSLParams.setProtocols(
+ getAvailableProtocols(candidates).toArray(new String[0]));
}
}
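Review bot: The new "No protocol specified" branch tests the string before `split`, so a value made up only of separators (a constructed example: `,`) slips through. `String.split(",")` drops trailing empty strings and returns a zero-length array, so `candidates` is empty, `reservedException` stays null and `defaultClientSSLParams` is set to an empty protocol list with no error. Moving the check after the split and keying it on `protocols.length == 0` covers both cases. The `property != null` half of `if (property != null && property.length() != 0)` is redundant inside this `else` branch. The same silent empty list results when every configured protocol is removed by `getAvailableProtocols`; that case should at least be mentioned in a comment, since the user will only see a handshake failure.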
diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
index bb71a15..81ce1d7 100644
--- a/jdk/src/share/lib/security/java.security-aix
+++ b/jdk/src/share/lib/security/java.security-aix
@@ -479,8 +479,12 @@
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
@@ -495,4 +499,5 @@
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
-# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
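Review bot: The added comment says disabled algorithms are never negotiated, but it does not say how a protocol version is written as an entry; `SSLv3` appears only in the example and in the new default line. If the syntax description between the two hunks does not already cover it, add a line such as `# Protocol versions are named as in JSSE, for example SSLv3 or TLSv1.` A short comment directly above `jdk.tls.disabledAlgorithms=SSLv3` saying that this is the shipped default, and that peers offering only this protocol will fail the handshake, would save operators a search. The same two hunks are repeated in java.security-linux, -macosx, -solaris and -windows.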
diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
index bb71a15..81ce1d7 100644
--- a/jdk/src/share/lib/security/java.security-linux
+++ b/jdk/src/share/lib/security/java.security-linux
@@ -479,8 +479,12 @@
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
@@ -495,4 +499,5 @@
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
-# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
index 78eeb8e..d72511b 100644
--- a/jdk/src/share/lib/security/java.security-macosx
+++ b/jdk/src/share/lib/security/java.security-macosx
@@ -482,8 +482,12 @@
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
@@ -498,4 +502,5 @@
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
-# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
index e153e15..92d0358 100644
--- a/jdk/src/share/lib/security/java.security-solaris
+++ b/jdk/src/share/lib/security/java.security-solaris
@@ -481,8 +481,12 @@
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
@@ -497,4 +501,5 @@
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
-# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
index e10b953..41907ee 100644
--- a/jdk/src/share/lib/security/java.security-windows
+++ b/jdk/src/share/lib/security/java.security-windows
@@ -482,8 +482,12 @@
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
@@ -498,4 +502,5 @@
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
-# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
diff --git a/jdk/test/sun/security/ec/TestEC.java b/jdk/test/sun/security/ec/TestEC.java
index 155e06a..1542c7d 100644
--- a/jdk/test/sun/security/ec/TestEC.java
+++ b/jdk/test/sun/security/ec/TestEC.java
@@ -68,6 +68,10 @@
}
public static void main0(String[] args) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
Provider p = Security.getProvider("SunEC");
if (p == null) {
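Review bot: Clearing `jdk.tls.disabledAlgorithms` at the top of `main0` only helps if it runs before the JSSE classes that read the property are initialised. This commit caches the permitted protocols in the static initializer of `ProtocolVersion`, so in a shared VM the reset may come too late. `@run main/othervm` is visible for testEnabledProtocols and sanity/interop/ClientJSSEServerJSSE but not in the hunks of the other tests that add the same three lines (pkcs11/sslecc/ClientJSSEServerJSSE, HttpsProtocols, CustomizedDefaultProtocols, DefaultEnabledProtocols, NoOldVersionContext, DelegatedTaskWrongException, SSLEngineExplorer, SSLSocketExplorer), so confirm each runs in its own VM. Extend the comment to `// must run before any JSSE class is loaded; requires othervm`. No `import java.security.Security;` hunk is visible for TestEC, pkcs11/sslecc/ClientJSSEServerJSSE, DelegatedTaskWrongException or testEnabledProtocols; presumably they already import it, but confirm.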
diff --git a/jdk/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java b/jdk/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java
index 2788f03..d6d788a 100644
--- a/jdk/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java
+++ b/jdk/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java
@@ -43,6 +43,10 @@
private static String[] cmdArgs;
public static void main(String[] args) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
cmdArgs = args;
main(new ClientJSSEServerJSSE());
}
diff --git a/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java b/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java
index bcdc16d..78774f7 100644
--- a/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java
+++ b/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java
@@ -32,6 +32,7 @@
import java.io.*;
import java.net.*;
import javax.net.ssl.*;
+import java.security.Security;
public class HttpsProtocols implements HostnameVerifier {
@@ -177,6 +178,10 @@
volatile Exception clientException = null;
public static void main(String[] args) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
String keyFilename =
System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + keyStoreFile;
diff --git a/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java b/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java
index 3045064..9505b58 100644
--- a/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java
+++ b/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java
@@ -35,6 +35,7 @@
import javax.net.*;
import javax.net.ssl.*;
import java.util.Arrays;
+import java.security.Security;
public class CustomizedDefaultProtocols {
static enum ContextVersion {
@@ -93,6 +94,10 @@
}
public static void main(String[] args) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
boolean failed = false;
for (ContextVersion cv : ContextVersion.values()) {
System.out.println("Checking SSLContext of " + cv.contextVersion);
diff --git a/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java b/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java
index 20381c6..3915d22 100644
--- a/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java
+++ b/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java
@@ -34,6 +34,7 @@
import javax.net.*;
import javax.net.ssl.*;
import java.util.Arrays;
+import java.security.Security;
public class DefaultEnabledProtocols {
static enum ContextVersion {
@@ -92,6 +93,10 @@
}
public static void main(String[] args) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
boolean failed = false;
for (ContextVersion cv : ContextVersion.values()) {
System.out.println("Checking SSLContext of " + cv.contextVersion);
diff --git a/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java b/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java
index d7b1abd..dd85c22 100644
--- a/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java
+++ b/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java
@@ -35,6 +35,7 @@
import javax.net.*;
import javax.net.ssl.*;
import java.util.Arrays;
+import java.security.Security;
public class NoOldVersionContext {
static enum ContextVersion {
@@ -93,6 +94,10 @@
}
public static void main(String[] args) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
boolean failed = false;
for (ContextVersion cv : ContextVersion.values()) {
System.out.println("Checking SSLContext of " + cv.contextVersion);
diff --git a/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java b/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java
index 06366eb..7d57c3f 100644
--- a/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java
+++ b/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java
@@ -115,6 +115,9 @@
}
public static void main(String args[]) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
DelegatedTaskWrongException test;
diff --git a/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java b/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java
index 5774049..9aa1859 100644
--- a/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java
+++ b/jdk/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java
@@ -21,6 +21,11 @@
* questions.
*/
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
/*
* @test
* @bug 4416068 4478803 4479736
@@ -31,9 +36,6 @@
* 4701722 protocol mismatch exceptions should be consistent between
* SSLv3 and TLSv1
* @run main/othervm testEnabledProtocols
- *
- * SunJSSE does not support dynamic system properties, no way to re-use
- * system properties in samevm/agentvm mode.
* @author Ram Marti
*/
@@ -120,6 +122,10 @@
volatile Exception clientException = null;
public static void main(String[] args) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
String keyFilename =
System.getProperty("test.src", "./") + "/" + pathToStores +
"/" + keyStoreFile;
diff --git a/jdk/test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java b/jdk/test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java
index 2cd4635..f84b15b 100644
--- a/jdk/test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java
+++ b/jdk/test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java
@@ -44,6 +44,7 @@
import java.net.*;
import java.util.*;
import java.nio.channels.*;
+import java.security.Security;
public class SSLEngineExplorer extends SSLEngineService {
@@ -231,6 +232,10 @@
volatile int serverPort = 0;
public static void main(String args[]) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
if (debug)
System.setProperty("javax.net.debug", "all");
diff --git a/jdk/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java b/jdk/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java
index 27e2b6a..f35cf0d 100644
--- a/jdk/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java
+++ b/jdk/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java
@@ -45,6 +45,7 @@
import java.util.*;
import java.net.*;
import javax.net.ssl.*;
+import java.security.Security;
public class SSLSocketExplorer {
@@ -224,6 +225,10 @@
volatile Exception clientException = null;
public static void main(String[] args) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
String keyFilename =
System.getProperty("test.src", ".") + "/" + pathToStores +
"/" + keyStoreFile;
diff --git a/jdk/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java b/jdk/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java
index 953d2ea..e83a6b4 100644
--- a/jdk/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java
+++ b/jdk/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java
@@ -29,9 +29,15 @@
* @run main/othervm/timeout=300 ClientJSSEServerJSSE
*/
+import java.security.Security;
+
public class ClientJSSEServerJSSE {
public static void main(String[] args) throws Exception {
+ // reset the security property to make sure that the algorithms
+ // and keys used in this test are not disabled.
+ Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
CipherTest.main(new JSSEFactory(), args);
}