8168261: Use server cipher suites preference by default

Reviewed-by: mullan

src/java.base/share/classes/javax/net/ssl/SSLContextSpi.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -194,10 +194,9 @@ public abstract class SSLContextSpi {
      */
     protected SSLParameters engineGetSupportedSSLParameters() {
         SSLSocket socket = getDefaultSocket();
-        SSLParameters params = new SSLParameters();
+        SSLParameters params = socket.getSSLParameters();
         params.setCipherSuites(socket.getSupportedCipherSuites());
         params.setProtocols(socket.getSupportedProtocols());
         return params;
     }
-
 }

src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java

@@ -126,7 +126,7 @@ final class SSLConfiguration implements Cloneable {
         this.identificationProtocol = null;
         this.serverNames = Collections.<SNIServerName>emptyList();
         this.sniMatchers = Collections.<SNIMatcher>emptyList();
-        this.preferLocalCipherSuites = false;
+        this.preferLocalCipherSuites = true;
 
         this.applicationProtocols = new String[0];
         this.enableRetransmissions = sslContext.isDTLS();

test/jdk/sun/security/ssl/SSLContextImpl/DefaultCipherSuitePreference.java

@@ -0,0 +1,120 @@
+/*
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+
+/*
+ * @test
+ * @bug 8168261
+ * @summary Use server cipher suites preference by default
+ * @run main/othervm DefaultCipherSuitePreference
+ */
+
+import javax.net.SocketFactory;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.TrustManager;
+
+public class DefaultCipherSuitePreference {
+    private static final String[] contextAlgorithms = {
+            "Default", "SSL", "TLS", "SSLv3", "TLSv1",
+            "TLSv1.1", "TLSv1.2", "TLSv1.3"
+        };
+
+    public static void main(String[] args) throws Exception {
+        for (String algorithm : contextAlgorithms) {
+            System.out.println("Checking SSLContext of " + algorithm);
+            SSLContext sslContext = SSLContext.getInstance(algorithm);
+
+            // Default SSLContext is initialized automatically.
+            if (!algorithm.equals("Default")) {
+                // Use default TK, KM and random.
+                sslContext.init((KeyManager[])null, (TrustManager[])null, null);
+            }
+
+            //
+            // Check SSLContext
+            //
+            // Check default SSLParameters of SSLContext
+            checkDefaultCipherSuitePreference(
+                    sslContext.getDefaultSSLParameters(),
+                    "SSLContext.getDefaultSSLParameters()");
+
+            // Check supported SSLParameters of SSLContext
+            checkDefaultCipherSuitePreference(
+                    sslContext.getSupportedSSLParameters(),
+                    "SSLContext.getSupportedSSLParameters()");
+
+            //
+            // Check SSLEngine
+            //
+            // Check SSLParameters of SSLEngine
+            SSLEngine engine = sslContext.createSSLEngine();
+            engine.setUseClientMode(true);
+            checkDefaultCipherSuitePreference(
+                    engine.getSSLParameters(),
+                    "client mode SSLEngine.getSSLParameters()");
+
+            engine.setUseClientMode(false);
+            checkDefaultCipherSuitePreference(
+                    engine.getSSLParameters(),
+                    "server mode SSLEngine.getSSLParameters()");
+
+            //
+            // Check SSLSocket
+            //
+            // Check SSLParameters of SSLSocket
+            SocketFactory fac = sslContext.getSocketFactory();
+            SSLSocket socket = (SSLSocket)fac.createSocket();
+            checkDefaultCipherSuitePreference(
+                    socket.getSSLParameters(),
+                    "SSLSocket.getSSLParameters()");
+
+            //
+            // Check SSLServerSocket
+            //
+            // Check SSLParameters of SSLServerSocket
+            SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
+            SSLServerSocket ssocket = (SSLServerSocket)sf.createServerSocket();
+            checkDefaultCipherSuitePreference(
+                    ssocket.getSSLParameters(),
+                    "SSLServerSocket.getSSLParameters()");
+        }
+    }
+
+    private static void checkDefaultCipherSuitePreference(
+            SSLParameters parameters, String context) throws Exception {
+        if (!parameters.getUseCipherSuitesOrder()) {
+            throw new Exception(
+                    "The local cipher suite preference is not honored " +
+                    "in the connection populated SSLParameters object (" +
+                    context + ")");
+        }
+    }
+}