diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security index e9a7aaddba5..54fbe7fc72f 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -746,7 +746,8 @@ http.auth.digest.disabledAlgorithms = MD5, SHA-1 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \ # rsa_pkcs1_sha1, secp224r1 jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \ - MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL + MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ + ECDH # # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) diff --git a/test/jdk/javax/net/ssl/DTLS/CipherSuite.java b/test/jdk/javax/net/ssl/DTLS/CipherSuite.java index 1c4b1c6d84f..7ad8206a37e 100644 --- a/test/jdk/javax/net/ssl/DTLS/CipherSuite.java +++ b/test/jdk/javax/net/ssl/DTLS/CipherSuite.java @@ -43,10 +43,10 @@ * @run main/othervm CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 * @run main/othervm CipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * @run main/othervm CipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256 - * @run main/othervm CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 + * @run main/othervm CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 re-enable * @run main/othervm CipherSuite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 * @run main/othervm CipherSuite TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 - * @run main/othervm CipherSuite TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 + * @run main/othervm CipherSuite TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 re-enable */ import javax.net.ssl.SSLEngine; diff --git a/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java b/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java index 441f6bdff48..4f0d4de210c 100644 --- a/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java +++ b/test/jdk/javax/net/ssl/ciphersuites/DisabledAlgorithms.java @@ -23,7 +23,7 @@ /* * @test - * @bug 8076221 8211883 8163327 + * @bug 8076221 8211883 8163327 8279164 * @summary Check if weak cipher suites are disabled * @modules jdk.crypto.ec * @run main/othervm DisabledAlgorithms default @@ -60,9 +60,8 @@ public class DisabledAlgorithms { System.getProperty("test.src", "./") + "/" + pathToStores + "/" + trustStoreFile; - // supported 3DES, DES, RC4, NULL, and anon cipher suites - // it does not contain KRB5 cipher suites because they need a KDC - private static final String[] desede_des_rc4_null_anon_ciphersuites + // disabled 3DES, DES, RC4, NULL, anon, and ECDH cipher suites + private static final String[] disabled_ciphersuites = new String[] { "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", @@ -109,7 +108,19 @@ public class DisabledAlgorithms { "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", - "SSL_RSA_WITH_3DES_EDE_CBC_SHA" + "SSL_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" }; public static void main(String[] args) throws Exception { @@ -128,9 +139,8 @@ public class DisabledAlgorithms { System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms")); - // check if 3DES, DES, RC4, NULL, and anon cipher suites - // can't be used by default - checkFailure(desede_des_rc4_null_anon_ciphersuites); + // check that disabled cipher suites can't be used by default + checkFailure(disabled_ciphersuites); break; case "empty": // reset jdk.tls.disabledAlgorithms @@ -144,9 +154,9 @@ public class DisabledAlgorithms { System.out.println("jdk.certpath.disabledAlgorithms = " + Security.getProperty("jdk.certpath.disabledAlgorithms")); - // check if 3DES, DES, RC4, NULL, and anon cipher suites - // can be used if jdk.{tls,certpath}.disabledAlgorithms is empty - checkSuccess(desede_des_rc4_null_anon_ciphersuites); + // check that disabled cipher suites can be used if + // jdk.{tls,certpath}.disabledAlgorithms is empty + checkSuccess(disabled_ciphersuites); break; default: throw new RuntimeException("Wrong parameter: " + args[0]); @@ -172,11 +182,12 @@ public class DisabledAlgorithms { throw new RuntimeException("Expected SSLHandshakeException " + "not thrown"); } catch (SSLHandshakeException e) { - System.out.println("Expected exception on client side: " + System.out.println("Got expected exception on client side: " + e); } } + server.stop(); while (server.isRunning()) { sleep(); } @@ -272,7 +283,6 @@ public class DisabledAlgorithms { } catch (SSLHandshakeException e) { System.out.println("Server: run: " + e); sslError = true; - stopped = true; } catch (IOException e) { if (!stopped) { System.out.println("Server: run: unexpected exception: " diff --git a/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java b/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java index 0fc9c02f2d0..caa96cdb224 100644 --- a/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java +++ b/test/jdk/javax/net/ssl/sanity/ciphersuites/CheckCipherSuites.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -23,7 +23,7 @@ /* * @test - * @bug 4750141 4895631 8217579 8163326 + * @bug 4750141 4895631 8217579 8163326 8279164 * @summary Check enabled and supported ciphersuites are correct * @run main/othervm CheckCipherSuites default * @run main/othervm CheckCipherSuites limited @@ -50,54 +50,38 @@ public class CheckCipherSuites { // Not suite B, but we want it to position the suite early "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - // AES_256(GCM) - ECDHE - forward screcy + // AES_256(GCM) - ECDHE - forward secrecy "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - // AES_128(GCM) - ECDHE - forward screcy + // AES_128(GCM) - ECDHE - forward secrecy "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - // AES_256(GCM) - DHE - forward screcy + // AES_256(GCM) - DHE - forward secrecy "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", - // AES_128(GCM) - DHE - forward screcy + // AES_128(GCM) - DHE - forward secrecy "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", - // AES_256(CBC) - ECDHE - forward screcy + // AES_256(CBC) - ECDHE - forward secrecy "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", - // AES_256(CBC) - ECDHE - forward screcy + // AES_256(CBC) - ECDHE - forward secrecy "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - // AES_256(CBC) - DHE - forward screcy + // AES_256(CBC) - DHE - forward secrecy "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", - // AES_128(CBC) - DHE - forward screcy + // AES_128(CBC) - DHE - forward secrecy "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", - // AES_256(GCM) - not forward screcy - "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", - - // AES_128(GCM) - not forward screcy - "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", - - // AES_256(CBC) - not forward screcy - "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", - - // AES_128(CBC) - not forward screcy - "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", - // AES_256(CBC) - ECDHE - using SHA "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", @@ -114,14 +98,6 @@ public class CheckCipherSuites { "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", - // AES_256(CBC) - using SHA, not forward screcy - "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", - - // AES_128(CBC) - using SHA, not forward screcy - "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", - // deprecated "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256", @@ -144,16 +120,10 @@ public class CheckCipherSuites { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", - "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", - "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA", @@ -175,54 +145,38 @@ public class CheckCipherSuites { // Not suite B, but we want it to position the suite early "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - // AES_256(GCM) - ECDHE - forward screcy + // AES_256(GCM) - ECDHE - forward secrecy "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - // AES_128(GCM) - ECDHE - forward screcy + // AES_128(GCM) - ECDHE - forward secrecy "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - // AES_256(GCM) - DHE - forward screcy + // AES_256(GCM) - DHE - forward secrecy "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", - // AES_128(GCM) - DHE - forward screcy + // AES_128(GCM) - DHE - forward secrecy "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", - // AES_256(CBC) - ECDHE - forward screcy + // AES_256(CBC) - ECDHE - forward secrecy "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", - // AES_256(CBC) - ECDHE - forward screcy + // AES_256(CBC) - ECDHE - forward secrecy "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - // AES_256(CBC) - DHE - forward screcy + // AES_256(CBC) - DHE - forward secrecy "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", - // AES_128(CBC) - DHE - forward screcy + // AES_128(CBC) - DHE - forward secrecy "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", - // AES_256(GCM) - not forward screcy - "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", - - // AES_128(GCM) - not forward screcy - "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", - - // AES_256(CBC) - not forward screcy - "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", - - // AES_128(CBC) - not forward screcy - "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", - // AES_256(CBC) - ECDHE - using SHA "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", @@ -239,14 +193,6 @@ public class CheckCipherSuites { "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", - // AES_256(CBC) - using SHA, not forward screcy - "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", - - // AES_128(CBC) - using SHA, not forward screcy - "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", - // deprecated "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256", @@ -269,16 +215,10 @@ public class CheckCipherSuites { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", - "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", - "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",