stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

7093640: Enable client-side TLS 1.2 by default

Browse Source 
Reviewed-by: weijun, mullan, wetmore
This commit is contained in:
Xue-Lei Andrew Fan 2013-12-19 02:27:25 -08:00
parent 5735b16807
commit ffe3f52e17
10 changed files with 1076 additions and 187 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
jdk/src/share/classes/sun/security/ssl/ProtocolVersion.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -80,8 +80,8 @@ public final class ProtocolVersion implements Comparable<ProtocolVersion> {
// maximum version we implement (TLS 1.2)
final static ProtocolVersion MAX = TLS12;
// ProtocolVersion to use by default (TLS 1.0)
final static ProtocolVersion DEFAULT = TLS10;
// ProtocolVersion to use by default (TLS 1.2)
final static ProtocolVersion DEFAULT = TLS12;
// Default version for hello messages (SSLv2Hello)
final static ProtocolVersion DEFAULT_HELLO = FIPS ? TLS10 : SSL30;

369
jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -36,6 +36,7 @@ import java.security.cert.Certificate;
import javax.net.ssl.*;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.action.GetPropertyAction;
public abstract class SSLContextImpl extends SSLContextSpi {
@ -421,22 +422,21 @@ public abstract class SSLContextImpl extends SSLContextSpi {
*/
/*
* The conservative SSLContext implementation for TLS, SSL, SSLv3 and
* TLS10 algorithm.
* The base abstract SSLContext implementation.
*
* This is a super class of DefaultSSLContext and TLS10Context.
* This abstract class encapsulates supported and the default server
* SSL parameters.
*
* @see SSLContext
*/
private static class ConservativeSSLContext extends SSLContextImpl {
private abstract static class AbstractSSLContext extends SSLContextImpl {
// parameters
private static SSLParameters defaultServerSSLParams;
private static SSLParameters defaultClientSSLParams;
private static SSLParameters supportedSSLParams;
private final static SSLParameters defaultServerSSLParams;
private final static SSLParameters supportedSSLParams;
static {
supportedSSLParams = new SSLParameters();
if (SunJSSE.isFIPS()) {
supportedSSLParams = new SSLParameters();
supportedSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
@ -444,14 +444,7 @@ public abstract class SSLContextImpl extends SSLContextSpi {
});
defaultServerSSLParams = supportedSSLParams;
defaultClientSSLParams = new SSLParameters();
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name
});
} else {
supportedSSLParams = new SSLParameters();
supportedSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL20Hello.name,
ProtocolVersion.SSL30.name,
@ -461,12 +454,6 @@ public abstract class SSLContextImpl extends SSLContextSpi {
});
defaultServerSSLParams = supportedSSLParams;
defaultClientSSLParams = new SSLParameters();
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name
});
}
}
@ -475,11 +462,6 @@ public abstract class SSLContextImpl extends SSLContextSpi {
return defaultServerSSLParams;
}
@Override
SSLParameters getDefaultClientSSLParams() {
return defaultClientSSLParams;
}
@Override
SSLParameters getSupportedSSLParams() {
return supportedSSLParams;
@ -487,11 +469,199 @@ public abstract class SSLContextImpl extends SSLContextSpi {
}
/*
* The SSLContext implementation for default algorithm
* The SSLContext implementation for SSLv3 and TLS10 algorithm
*
* @see SSLContext
*/
public static final class DefaultSSLContext extends ConservativeSSLContext {
public static final class TLS10Context extends AbstractSSLContext {
private final static SSLParameters defaultClientSSLParams;
static {
defaultClientSSLParams = new SSLParameters();
if (SunJSSE.isFIPS()) {
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name
});
} else {
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name
});
}
}
@Override
SSLParameters getDefaultClientSSLParams() {
return defaultClientSSLParams;
}
}
/*
* The SSLContext implementation for TLS11 algorithm
*
* @see SSLContext
*/
public static final class TLS11Context extends AbstractSSLContext {
private final static SSLParameters defaultClientSSLParams;
static {
defaultClientSSLParams = new SSLParameters();
if (SunJSSE.isFIPS()) {
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name
});
} else {
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name
});
}
}
@Override
SSLParameters getDefaultClientSSLParams() {
return defaultClientSSLParams;
}
}
/*
* The SSLContext implementation for TLS12 algorithm
*
* @see SSLContext
*/
public static final class TLS12Context extends AbstractSSLContext {
private final static SSLParameters defaultClientSSLParams;
static {
defaultClientSSLParams = new SSLParameters();
if (SunJSSE.isFIPS()) {
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
} else {
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
}
}
@Override
SSLParameters getDefaultClientSSLParams() {
return defaultClientSSLParams;
}
}
/*
* The SSLContext implementation for customized TLS protocols
*
* @see SSLContext
*/
private static class CustomizedSSLContext extends AbstractSSLContext {
private final static String PROPERTY_NAME = "jdk.tls.client.protocols";
private final static SSLParameters defaultClientSSLParams;
private static IllegalArgumentException reservedException = null;
// Don't want a java.lang.LinkageError for illegal system property.
//
// Please don't throw exception in this static block. Otherwise,
// java.lang.LinkageError may be thrown during the instantiation of
// the provider service. Instead, let's handle the initialization
// exception in constructor.
static {
String property = AccessController.doPrivileged(
new GetPropertyAction(PROPERTY_NAME));
defaultClientSSLParams = new SSLParameters();
if (property == null || property.length() == 0) {
// the default enabled client TLS protocols
if (SunJSSE.isFIPS()) {
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
} else {
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
}
} else {
// remove double quote marks from beginning/end of the property
if (property.charAt(0) == '"' &&
property.charAt(property.length() - 1) == '"') {
property = property.substring(1, property.length() - 1);
}
String[] protocols = property.split(",");
for (int i = 0; i < protocols.length; i++) {
protocols[i] = protocols[i].trim();
// Is it a supported protocol name?
try {
ProtocolVersion.valueOf(protocols[i]);
} catch (IllegalArgumentException iae) {
reservedException = new IllegalArgumentException(
PROPERTY_NAME + ": " + protocols[i] +
" is not a standard SSL protocol name", iae);
}
}
if ((reservedException == null) && SunJSSE.isFIPS()) {
for (String protocol : protocols) {
if (ProtocolVersion.SSL20Hello.name.equals(protocol) ||
ProtocolVersion.SSL30.name.equals(protocol)) {
reservedException = new IllegalArgumentException(
PROPERTY_NAME + ": " + protocol +
" is not FIPS compliant");
}
}
}
if (reservedException == null) {
defaultClientSSLParams.setProtocols(protocols);
}
}
}
protected CustomizedSSLContext() {
if (reservedException != null) {
throw reservedException;
}
}
@Override
SSLParameters getDefaultClientSSLParams() {
return defaultClientSSLParams;
}
}
/*
* The SSLContext implementation for default "TLS" algorithm
*
* @see SSLContext
*/
public static final class TLSContext extends CustomizedSSLContext {
// use the default constructor and methods
}
/*
* The SSLContext implementation for default "Default" algorithm
*
* @see SSLContext
*/
public static final class DefaultSSLContext extends CustomizedSSLContext {
private static final String NONE = "NONE";
private static final String P11KEYSTORE = "PKCS11";
@ -652,147 +822,6 @@ public abstract class SSLContextImpl extends SSLContextSpi {
}
}
/*
* The SSLContext implementation for TLS, SSL, SSLv3 and TLS10 algorithm
*
* @see SSLContext
*/
public static final class TLS10Context extends ConservativeSSLContext {
// use the default constructor and methods
}
/*
* The SSLContext implementation for TLS11 algorithm
*
* @see SSLContext
*/
public static final class TLS11Context extends SSLContextImpl {
// parameters
private static SSLParameters defaultServerSSLParams;
private static SSLParameters defaultClientSSLParams;
private static SSLParameters supportedSSLParams;
static {
if (SunJSSE.isFIPS()) {
supportedSSLParams = new SSLParameters();
supportedSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
defaultServerSSLParams = supportedSSLParams;
defaultClientSSLParams = new SSLParameters();
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name
});
} else {
supportedSSLParams = new SSLParameters();
supportedSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL20Hello.name,
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
defaultServerSSLParams = supportedSSLParams;
defaultClientSSLParams = new SSLParameters();
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name
});
}
}
@Override
SSLParameters getDefaultServerSSLParams() {
return defaultServerSSLParams;
}
@Override
SSLParameters getDefaultClientSSLParams() {
return defaultClientSSLParams;
}
@Override
SSLParameters getSupportedSSLParams() {
return supportedSSLParams;
}
}
/*
* The SSLContext implementation for TLS12 algorithm
*
* @see SSLContext
*/
public static final class TLS12Context extends SSLContextImpl {
// parameters
private static SSLParameters defaultServerSSLParams;
private static SSLParameters defaultClientSSLParams;
private static SSLParameters supportedSSLParams;
static {
if (SunJSSE.isFIPS()) {
supportedSSLParams = new SSLParameters();
supportedSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
defaultServerSSLParams = supportedSSLParams;
defaultClientSSLParams = new SSLParameters();
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
} else {
supportedSSLParams = new SSLParameters();
supportedSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL20Hello.name,
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
defaultServerSSLParams = supportedSSLParams;
defaultClientSSLParams = new SSLParameters();
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
}
}
@Override
SSLParameters getDefaultServerSSLParams() {
return defaultServerSSLParams;
}
@Override
SSLParameters getDefaultClientSSLParams() {
return defaultClientSSLParams;
}
@Override
SSLParameters getSupportedSSLParams() {
return supportedSSLParams;
}
}
}

16
jdk/src/share/classes/sun/security/ssl/SunJSSE.java
View File

@ -60,7 +60,8 @@ public abstract class SunJSSE extends java.security.Provider {
private static final long serialVersionUID = 3231825739635378733L;
private static String info = "Sun JSSE provider" +
"(PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)";
"(PKCS12, SunX509/PKIX key/trust factories, " +
"SSLv3/TLSv1/TLSv1.1/TLSv1.2)";
private static String fipsInfo =
"Sun JSSE provider (FIPS mode, crypto provider ";
@ -208,16 +209,17 @@ public abstract class SunJSSE extends java.security.Provider {
put("SSLContext.TLSv1",
"sun.security.ssl.SSLContextImpl$TLS10Context");
put("Alg.Alias.SSLContext.TLS", "TLSv1");
if (isfips == false) {
put("Alg.Alias.SSLContext.SSL", "TLSv1");
put("Alg.Alias.SSLContext.SSLv3", "TLSv1");
}
put("SSLContext.TLSv1.1",
"sun.security.ssl.SSLContextImpl$TLS11Context");
put("SSLContext.TLSv1.2",
"sun.security.ssl.SSLContextImpl$TLS12Context");
put("SSLContext.TLS",
"sun.security.ssl.SSLContextImpl$TLSContext");
if (isfips == false) {
put("Alg.Alias.SSLContext.SSL", "TLS");
put("Alg.Alias.SSLContext.SSLv3", "TLSv1");
}
put("SSLContext.Default",
"sun.security.ssl.SSLContextImpl$DefaultSSLContext");

2
jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java
View File

@ -443,7 +443,7 @@ public class DHEKeySizing {
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ts);
SSLContext sslCtx = SSLContext.getInstance("TLS");
SSLContext sslCtx = SSLContext.getInstance("TLSv1");
sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
return sslCtx;

4
jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/EngineArgs/DebugReportsOneExtraByte.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -159,7 +159,7 @@ public class DebugReportsOneExtraByte {
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ts);
SSLContext sslCtx = SSLContext.getInstance("TLS");
SSLContext sslCtx = SSLContext.getInstance("TLSv1");
sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

239
jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java Normal file
View File

@ -0,0 +1,239 @@
/*
* Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.
/*
* @test
* @bug 7093640
* @summary Enable TLS 1.1 and TLS 1.2 by default in client side of SunJSSE
* @run main/othervm -Djdk.tls.client.protocols="SSLv3,TLSv1,TLSv1.1"
* CustomizedDefaultProtocols
*/
import javax.net.*;
import javax.net.ssl.*;
import java.util.Arrays;
public class CustomizedDefaultProtocols {
static enum ContextVersion {
TLS_CV_01("SSL",
new String[] {"SSLv3", "TLSv1", "TLSv1.1"}),
TLS_CV_02("TLS",
new String[] {"SSLv3", "TLSv1", "TLSv1.1"}),
TLS_CV_03("SSLv3",
new String[] {"SSLv3", "TLSv1"}),
TLS_CV_04("TLSv1",
new String[] {"SSLv3", "TLSv1"}),
TLS_CV_05("TLSv1.1",
new String[] {"SSLv3", "TLSv1", "TLSv1.1"}),
TLS_CV_06("TLSv1.2",
new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}),
TLS_CV_07("Default",
new String[] {"SSLv3", "TLSv1", "TLSv1.1"});
final String contextVersion;
final String[] enabledProtocols;
final static String[] supportedProtocols = new String[] {
"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
ContextVersion(String contextVersion, String[] enabledProtocols) {
this.contextVersion = contextVersion;
this.enabledProtocols = enabledProtocols;
}
}
private static boolean checkProtocols(String[] target, String[] expected) {
boolean success = true;
if (target.length == 0) {
System.out.println("\tError: No protocols");
success = false;
}
if (!Arrays.equals(target, expected)) {
System.out.println("\tError: Expected to get protocols " +
Arrays.toString(expected));
System.out.println("\tError: The actual protocols " +
Arrays.toString(target));
success = false;
}
return success;
}
private static boolean checkCipherSuites(String[] target) {
boolean success = true;
if (target.length == 0) {
System.out.println("\tError: No cipher suites");
success = false;
}
return success;
}
public static void main(String[] args) throws Exception {
boolean failed = false;
for (ContextVersion cv : ContextVersion.values()) {
System.out.println("Checking SSLContext of " + cv.contextVersion);
SSLContext context = SSLContext.getInstance(cv.contextVersion);
// Default SSLContext is initialized automatically.
if (!cv.contextVersion.equals("Default")) {
// Use default TK, KM and random.
context.init((KeyManager[])null, (TrustManager[])null, null);
}
//
// Check SSLContext
//
// Check default SSLParameters of SSLContext
System.out.println("\tChecking default SSLParameters");
SSLParameters parameters = context.getDefaultSSLParameters();
String[] protocols = parameters.getProtocols();
failed |= !checkProtocols(protocols, cv.enabledProtocols);
String[] ciphers = parameters.getCipherSuites();
failed |= !checkCipherSuites(ciphers);
// Check supported SSLParameters of SSLContext
System.out.println("\tChecking supported SSLParameters");
parameters = context.getSupportedSSLParameters();
protocols = parameters.getProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
ciphers = parameters.getCipherSuites();
failed |= !checkCipherSuites(ciphers);
//
// Check SSLEngine
//
// Check SSLParameters of SSLEngine
System.out.println();
System.out.println("\tChecking SSLEngine of this SSLContext");
System.out.println("\tChecking SSLEngine.getSSLParameters()");
SSLEngine engine = context.createSSLEngine();
engine.setUseClientMode(true);
parameters = engine.getSSLParameters();
protocols = parameters.getProtocols();
failed |= !checkProtocols(protocols, cv.enabledProtocols);
ciphers = parameters.getCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getEnabledProtocols()");
protocols = engine.getEnabledProtocols();
failed |= !checkProtocols(protocols, cv.enabledProtocols);
System.out.println("\tChecking SSLEngine.getEnabledCipherSuites()");
ciphers = engine.getEnabledCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getSupportedProtocols()");
protocols = engine.getSupportedProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
System.out.println(
"\tChecking SSLEngine.getSupportedCipherSuites()");
ciphers = engine.getSupportedCipherSuites();
failed |= !checkCipherSuites(ciphers);
//
// Check SSLSocket
//
// Check SSLParameters of SSLSocket
System.out.println();
System.out.println("\tChecking SSLSocket of this SSLContext");
System.out.println("\tChecking SSLSocket.getSSLParameters()");
SocketFactory fac = context.getSocketFactory();
SSLSocket socket = (SSLSocket)fac.createSocket();
parameters = socket.getSSLParameters();
protocols = parameters.getProtocols();
failed |= !checkProtocols(protocols, cv.enabledProtocols);
ciphers = parameters.getCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getEnabledProtocols()");
protocols = socket.getEnabledProtocols();
failed |= !checkProtocols(protocols, cv.enabledProtocols);
System.out.println("\tChecking SSLEngine.getEnabledCipherSuites()");
ciphers = socket.getEnabledCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getSupportedProtocols()");
protocols = socket.getSupportedProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
System.out.println(
"\tChecking SSLEngine.getSupportedCipherSuites()");
ciphers = socket.getSupportedCipherSuites();
failed |= !checkCipherSuites(ciphers);
//
// Check SSLServerSocket
//
// Check SSLParameters of SSLServerSocket
System.out.println();
System.out.println("\tChecking SSLServerSocket of this SSLContext");
System.out.println("\tChecking SSLServerSocket.getSSLParameters()");
SSLServerSocketFactory sf = context.getServerSocketFactory();
SSLServerSocket ssocket = (SSLServerSocket)sf.createServerSocket();
parameters = ssocket.getSSLParameters();
protocols = parameters.getProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
ciphers = parameters.getCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getEnabledProtocols()");
protocols = ssocket.getEnabledProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
System.out.println("\tChecking SSLEngine.getEnabledCipherSuites()");
ciphers = ssocket.getEnabledCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getSupportedProtocols()");
protocols = ssocket.getSupportedProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
System.out.println(
"\tChecking SSLEngine.getSupportedCipherSuites()");
ciphers = ssocket.getSupportedCipherSuites();
failed |= !checkCipherSuites(ciphers);
}
if (failed) {
throw new Exception("Run into problems, see log for more details");
} else {
System.out.println("\t... Success");
}
}
}

238
jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java Normal file
View File

@ -0,0 +1,238 @@
/*
* Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.
/*
* @test
* @bug 7093640
* @summary Enable TLS 1.1 and TLS 1.2 by default in client side of SunJSSE
* @run main/othervm DefaultEnabledProtocols
*/
import javax.net.*;
import javax.net.ssl.*;
import java.util.Arrays;
public class DefaultEnabledProtocols {
static enum ContextVersion {
TLS_CV_01("SSL",
new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}),
TLS_CV_02("TLS",
new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}),
TLS_CV_03("SSLv3",
new String[] {"SSLv3", "TLSv1"}),
TLS_CV_04("TLSv1",
new String[] {"SSLv3", "TLSv1"}),
TLS_CV_05("TLSv1.1",
new String[] {"SSLv3", "TLSv1", "TLSv1.1"}),
TLS_CV_06("TLSv1.2",
new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}),
TLS_CV_07("Default",
new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"});
final String contextVersion;
final String[] enabledProtocols;
final static String[] supportedProtocols = new String[] {
"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
ContextVersion(String contextVersion, String[] enabledProtocols) {
this.contextVersion = contextVersion;
this.enabledProtocols = enabledProtocols;
}
}
private static boolean checkProtocols(String[] target, String[] expected) {
boolean success = true;
if (target.length == 0) {
System.out.println("\tError: No protocols");
success = false;
}
if (!Arrays.equals(target, expected)) {
System.out.println("\tError: Expected to get protocols " +
Arrays.toString(expected));
System.out.println("\tError: The actual protocols " +
Arrays.toString(target));
success = false;
}
return success;
}
private static boolean checkCipherSuites(String[] target) {
boolean success = true;
if (target.length == 0) {
System.out.println("\tError: No cipher suites");
success = false;
}
return success;
}
public static void main(String[] args) throws Exception {
boolean failed = false;
for (ContextVersion cv : ContextVersion.values()) {
System.out.println("Checking SSLContext of " + cv.contextVersion);
SSLContext context = SSLContext.getInstance(cv.contextVersion);
// Default SSLContext is initialized automatically.
if (!cv.contextVersion.equals("Default")) {
// Use default TK, KM and random.
context.init((KeyManager[])null, (TrustManager[])null, null);
}
//
// Check SSLContext
//
// Check default SSLParameters of SSLContext
System.out.println("\tChecking default SSLParameters");
SSLParameters parameters = context.getDefaultSSLParameters();
String[] protocols = parameters.getProtocols();
failed |= !checkProtocols(protocols, cv.enabledProtocols);
String[] ciphers = parameters.getCipherSuites();
failed |= !checkCipherSuites(ciphers);
// Check supported SSLParameters of SSLContext
System.out.println("\tChecking supported SSLParameters");
parameters = context.getSupportedSSLParameters();
protocols = parameters.getProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
ciphers = parameters.getCipherSuites();
failed |= !checkCipherSuites(ciphers);
//
// Check SSLEngine
//
// Check SSLParameters of SSLEngine
System.out.println();
System.out.println("\tChecking SSLEngine of this SSLContext");
System.out.println("\tChecking SSLEngine.getSSLParameters()");
SSLEngine engine = context.createSSLEngine();
engine.setUseClientMode(true);
parameters = engine.getSSLParameters();
protocols = parameters.getProtocols();
failed |= !checkProtocols(protocols, cv.enabledProtocols);
ciphers = parameters.getCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getEnabledProtocols()");
protocols = engine.getEnabledProtocols();
failed |= !checkProtocols(protocols, cv.enabledProtocols);
System.out.println("\tChecking SSLEngine.getEnabledCipherSuites()");
ciphers = engine.getEnabledCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getSupportedProtocols()");
protocols = engine.getSupportedProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
System.out.println(
"\tChecking SSLEngine.getSupportedCipherSuites()");
ciphers = engine.getSupportedCipherSuites();
failed |= !checkCipherSuites(ciphers);
//
// Check SSLSocket
//
// Check SSLParameters of SSLSocket
System.out.println();
System.out.println("\tChecking SSLSocket of this SSLContext");
System.out.println("\tChecking SSLSocket.getSSLParameters()");
SocketFactory fac = context.getSocketFactory();
SSLSocket socket = (SSLSocket)fac.createSocket();
parameters = socket.getSSLParameters();
protocols = parameters.getProtocols();
failed |= !checkProtocols(protocols, cv.enabledProtocols);
ciphers = parameters.getCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getEnabledProtocols()");
protocols = socket.getEnabledProtocols();
failed |= !checkProtocols(protocols, cv.enabledProtocols);
System.out.println("\tChecking SSLEngine.getEnabledCipherSuites()");
ciphers = socket.getEnabledCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getSupportedProtocols()");
protocols = socket.getSupportedProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
System.out.println(
"\tChecking SSLEngine.getSupportedCipherSuites()");
ciphers = socket.getSupportedCipherSuites();
failed |= !checkCipherSuites(ciphers);
//
// Check SSLServerSocket
//
// Check SSLParameters of SSLServerSocket
System.out.println();
System.out.println("\tChecking SSLServerSocket of this SSLContext");
System.out.println("\tChecking SSLServerSocket.getSSLParameters()");
SSLServerSocketFactory sf = context.getServerSocketFactory();
SSLServerSocket ssocket = (SSLServerSocket)sf.createServerSocket();
parameters = ssocket.getSSLParameters();
protocols = parameters.getProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
ciphers = parameters.getCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getEnabledProtocols()");
protocols = ssocket.getEnabledProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
System.out.println("\tChecking SSLEngine.getEnabledCipherSuites()");
ciphers = ssocket.getEnabledCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getSupportedProtocols()");
protocols = ssocket.getSupportedProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
System.out.println(
"\tChecking SSLEngine.getSupportedCipherSuites()");
ciphers = ssocket.getSupportedCipherSuites();
failed |= !checkCipherSuites(ciphers);
}
if (failed) {
throw new Exception("Run into problems, see log for more details");
} else {
System.out.println("\t... Success");
}
}
}

138
jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/IllegalProtocolProperty.java Normal file
View File

@ -0,0 +1,138 @@
/*
* Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.
/*
* @test
* @bug 7093640
* @summary Enable TLS 1.1 and TLS 1.2 by default in client side of SunJSSE
* @run main/othervm -Djdk.tls.client.protocols="XSLv3,TLSv1"
* IllegalProtocolProperty
*/
import javax.net.ssl.*;
import java.security.NoSuchAlgorithmException;
public class IllegalProtocolProperty {
static enum ContextVersion {
TLS_CV_01("SSL", "TLSv1", "TLSv1.2", true),
TLS_CV_02("TLS", "TLSv1", "TLSv1.2", true),
TLS_CV_03("SSLv3", "TLSv1", "TLSv1.2", false),
TLS_CV_04("TLSv1", "TLSv1", "TLSv1.2", false),
TLS_CV_05("TLSv1.1", "TLSv1.1", "TLSv1.2", false),
TLS_CV_06("TLSv1.2", "TLSv1.2", "TLSv1.2", false),
TLS_CV_07("Default", "TLSv1", "TLSv1.2", true);
final String contextVersion;
final String defaultProtocolVersion;
final String supportedProtocolVersion;
final boolean impacted;
ContextVersion(String contextVersion, String defaultProtocolVersion,
String supportedProtocolVersion, boolean impacted) {
this.contextVersion = contextVersion;
this.defaultProtocolVersion = defaultProtocolVersion;
this.supportedProtocolVersion = supportedProtocolVersion;
this.impacted = impacted;
}
}
public static void main(String[] args) throws Exception {
for (ContextVersion cv : ContextVersion.values()) {
System.out.println("Checking SSLContext of " + cv.contextVersion);
SSLContext context;
try {
context = SSLContext.getInstance(cv.contextVersion);
if (cv.impacted) {
throw new Exception(
"illegal system property jdk.tls.client.protocols: " +
System.getProperty("jdk.tls.client.protocols"));
}
} catch (NoSuchAlgorithmException nsae) {
if (cv.impacted) {
System.out.println(
"\tIgnore: illegal system property " +
"jdk.tls.client.protocols=" +
System.getProperty("jdk.tls.client.protocols"));
continue;
} else {
throw nsae;
}
}
// Default SSLContext is initialized automatically.
if (!cv.contextVersion.equals("Default")) {
// Use default TK, KM and random.
context.init((KeyManager[])null, (TrustManager[])null, null);
}
SSLParameters parameters = context.getDefaultSSLParameters();
String[] protocols = parameters.getProtocols();
String[] ciphers = parameters.getCipherSuites();
if (protocols.length == 0 || ciphers.length == 0) {
throw new Exception("No default protocols or cipher suites");
}
boolean isMatch = false;
for (String protocol : protocols) {
System.out.println("\tdefault protocol version " + protocol);
if (protocol.equals(cv.defaultProtocolVersion)) {
isMatch = true;
break;
}
}
if (!isMatch) {
throw new Exception("No matched default protocol");
}
parameters = context.getSupportedSSLParameters();
protocols = parameters.getProtocols();
ciphers = parameters.getCipherSuites();
if (protocols.length == 0 || ciphers.length == 0) {
throw new Exception("No supported protocols or cipher suites");
}
isMatch = false;
for (String protocol : protocols) {
System.out.println("\tsupported protocol version " + protocol);
if (protocol.equals(cv.supportedProtocolVersion)) {
isMatch = true;
break;
}
}
if (!isMatch) {
throw new Exception("No matched supported protocol");
}
System.out.println("\t... Success");
}
}
}

239
jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java Normal file
View File

@ -0,0 +1,239 @@
/*
* Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.
/*
* @test
* @bug 7093640
* @summary Enable TLS 1.1 and TLS 1.2 by default in client side of SunJSSE
* @run main/othervm -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"
* NoOldVersionContext
*/
import javax.net.*;
import javax.net.ssl.*;
import java.util.Arrays;
public class NoOldVersionContext {
static enum ContextVersion {
TLS_CV_01("SSL",
new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"}),
TLS_CV_02("TLS",
new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"}),
TLS_CV_03("SSLv3",
new String[] {"SSLv3", "TLSv1"}),
TLS_CV_04("TLSv1",
new String[] {"SSLv3", "TLSv1"}),
TLS_CV_05("TLSv1.1",
new String[] {"SSLv3", "TLSv1", "TLSv1.1"}),
TLS_CV_06("TLSv1.2",
new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}),
TLS_CV_07("Default",
new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"});
final String contextVersion;
final String[] enabledProtocols;
final static String[] supportedProtocols = new String[] {
"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
ContextVersion(String contextVersion, String[] enabledProtocols) {
this.contextVersion = contextVersion;
this.enabledProtocols = enabledProtocols;
}
}
private static boolean checkProtocols(String[] target, String[] expected) {
boolean success = true;
if (target.length == 0) {
System.out.println("\tError: No protocols");
success = false;
}
if (!Arrays.equals(target, expected)) {
System.out.println("\tError: Expected to get protocols " +
Arrays.toString(expected));
System.out.println("\tError: The actual protocols " +
Arrays.toString(target));
success = false;
}
return success;
}
private static boolean checkCipherSuites(String[] target) {
boolean success = true;
if (target.length == 0) {
System.out.println("\tError: No cipher suites");
success = false;
}
return success;
}
public static void main(String[] args) throws Exception {
boolean failed = false;
for (ContextVersion cv : ContextVersion.values()) {
System.out.println("Checking SSLContext of " + cv.contextVersion);
SSLContext context = SSLContext.getInstance(cv.contextVersion);
// Default SSLContext is initialized automatically.
if (!cv.contextVersion.equals("Default")) {
// Use default TK, KM and random.
context.init((KeyManager[])null, (TrustManager[])null, null);
}
//
// Check SSLContext
//
// Check default SSLParameters of SSLContext
System.out.println("\tChecking default SSLParameters");
SSLParameters parameters = context.getDefaultSSLParameters();
String[] protocols = parameters.getProtocols();
failed |= !checkProtocols(protocols, cv.enabledProtocols);
String[] ciphers = parameters.getCipherSuites();
failed |= !checkCipherSuites(ciphers);
// Check supported SSLParameters of SSLContext
System.out.println("\tChecking supported SSLParameters");
parameters = context.getSupportedSSLParameters();
protocols = parameters.getProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
ciphers = parameters.getCipherSuites();
failed |= !checkCipherSuites(ciphers);
//
// Check SSLEngine
//
// Check SSLParameters of SSLEngine
System.out.println();
System.out.println("\tChecking SSLEngine of this SSLContext");
System.out.println("\tChecking SSLEngine.getSSLParameters()");
SSLEngine engine = context.createSSLEngine();
engine.setUseClientMode(true);
parameters = engine.getSSLParameters();
protocols = parameters.getProtocols();
failed |= !checkProtocols(protocols, cv.enabledProtocols);
ciphers = parameters.getCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getEnabledProtocols()");
protocols = engine.getEnabledProtocols();
failed |= !checkProtocols(protocols, cv.enabledProtocols);
System.out.println("\tChecking SSLEngine.getEnabledCipherSuites()");
ciphers = engine.getEnabledCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getSupportedProtocols()");
protocols = engine.getSupportedProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
System.out.println(
"\tChecking SSLEngine.getSupportedCipherSuites()");
ciphers = engine.getSupportedCipherSuites();
failed |= !checkCipherSuites(ciphers);
//
// Check SSLSocket
//
// Check SSLParameters of SSLSocket
System.out.println();
System.out.println("\tChecking SSLSocket of this SSLContext");
System.out.println("\tChecking SSLSocket.getSSLParameters()");
SocketFactory fac = context.getSocketFactory();
SSLSocket socket = (SSLSocket)fac.createSocket();
parameters = socket.getSSLParameters();
protocols = parameters.getProtocols();
failed |= !checkProtocols(protocols, cv.enabledProtocols);
ciphers = parameters.getCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getEnabledProtocols()");
protocols = socket.getEnabledProtocols();
failed |= !checkProtocols(protocols, cv.enabledProtocols);
System.out.println("\tChecking SSLEngine.getEnabledCipherSuites()");
ciphers = socket.getEnabledCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getSupportedProtocols()");
protocols = socket.getSupportedProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
System.out.println(
"\tChecking SSLEngine.getSupportedCipherSuites()");
ciphers = socket.getSupportedCipherSuites();
failed |= !checkCipherSuites(ciphers);
//
// Check SSLServerSocket
//
// Check SSLParameters of SSLServerSocket
System.out.println();
System.out.println("\tChecking SSLServerSocket of this SSLContext");
System.out.println("\tChecking SSLServerSocket.getSSLParameters()");
SSLServerSocketFactory sf = context.getServerSocketFactory();
SSLServerSocket ssocket = (SSLServerSocket)sf.createServerSocket();
parameters = ssocket.getSSLParameters();
protocols = parameters.getProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
ciphers = parameters.getCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getEnabledProtocols()");
protocols = ssocket.getEnabledProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
System.out.println("\tChecking SSLEngine.getEnabledCipherSuites()");
ciphers = ssocket.getEnabledCipherSuites();
failed |= !checkCipherSuites(ciphers);
System.out.println("\tChecking SSLEngine.getSupportedProtocols()");
protocols = ssocket.getSupportedProtocols();
failed |= !checkProtocols(protocols, cv.supportedProtocols);
System.out.println(
"\tChecking SSLEngine.getSupportedCipherSuites()");
ciphers = ssocket.getSupportedCipherSuites();
failed |= !checkCipherSuites(ciphers);
}
if (failed) {
throw new Exception("Run into problems, see log for more details");
} else {
System.out.println("\t... Success");
}
}
}

12
jdk/test/sun/security/ssl/javax/net/ssl/SSLContextVersion.java → jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/SSLContextVersion.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -21,24 +21,28 @@
* questions.
*/
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.
/*
* @test
* @bug 6976117
* @summary SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets
* without TLSv1.1 enabled
* @run main/othervm SSLContextVersion
*/
import javax.net.ssl.*;
public class SSLContextVersion {
static enum ContextVersion {
TLS_CV_01("SSL", "TLSv1", "TLSv1.2"),
TLS_CV_02("TLS", "TLSv1", "TLSv1.2"),
TLS_CV_01("SSL", "TLSv1.2", "TLSv1.2"),
TLS_CV_02("TLS", "TLSv1.2", "TLSv1.2"),
TLS_CV_03("SSLv3", "TLSv1", "TLSv1.2"),
TLS_CV_04("TLSv1", "TLSv1", "TLSv1.2"),
TLS_CV_05("TLSv1.1", "TLSv1.1", "TLSv1.2"),
TLS_CV_06("TLSv1.2", "TLSv1.2", "TLSv1.2"),
TLS_CV_07("Default", "TLSv1", "TLSv1.2");
TLS_CV_07("Default", "TLSv1.2", "TLSv1.2");
final String contextVersion;
final String defaultProtocolVersion;