Remove 1.6 related code from ssl-config

README.md

@@ -27,9 +27,6 @@ Latest versions:
 ```
 // JDK8: 
 "com.typesafe" %% "ssl-config-akka" % "0.2.2"
-
-// JDK6/7 (some features may be backported here)
-"com.typesafe" %% "ssl-config-akka" % "0.1.3"
 ```
 
 State of this project
@@ -65,4 +62,4 @@ An excellent series by [Will Sargent](https://github.com/wsargent) about making
 License
 =======
 
-Lightbend 2015-2016, Apache 2.0
+Lightbend 2015-2018, Apache 2.0

build.sbt

@@ -50,6 +50,5 @@ lazy val root = project.in(file("."))
   .enablePlugins(CrossPerProjectPlugin)
 
 
-// JDK6: 1.2.0, Akka 2.4: 1.3.0
-def configImport(packageName: String = "com.typesafe.config.*") = versionedImport(packageName, "1.2.0", "1.4.0")
+def configImport(packageName: String = "com.typesafe.config.*") = versionedImport(packageName, "1.3.0", "1.4.0")
 def versionedImport(packageName: String, lower: String, upper: String) = s"""$packageName;version="[$lower,$upper)""""

documentation/src/paradox/CipherSuites.md

@@ -12,29 +12,7 @@ CBC mode for the stream cipher, and SHA for the message authentication.
 
 ## Configuring Enabled Ciphers
 
-The list of cipher suites has changed considerably between 1.6, 1.7 and
-1.8.
-
-In 1.7 and 1.8, the default [out of the
-box](http://sim.ivi.co/2011/07/jsse-oracle-provider-preference-of-tls.html)
-cipher suite list is used.
-
-In 1.6, the out of the box list is [out of
-order](http://op-co.de/blog/posts/android_ssl_downgrade/), with some
-weaker cipher suites configured in front of stronger ones, and contains
-a number of ciphers that are now considered weak. As such, the default
-list of enabled cipher suites is as follows:
-
-```
-"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
-"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
-"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
-"TLS_RSA_WITH_AES_256_CBC_SHA",
-"TLS_RSA_WITH_AES_128_CBC_SHA",
-"SSL_RSA_WITH_RC4_128_SHA",
-"SSL_RSA_WITH_RC4_128_MD5",
-"TLS_EMPTY_RENEGOTIATION_INFO_SCSV" // per RFC 5746
-```
+The list of cipher suites is ordered by the [SunJSSE provider cipher suites](https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites).
 
 The list of cipher suites can be configured manually using the
 `ssl-config.enabledCipherSuites` setting:
@@ -51,11 +29,7 @@ only DHE and ECDHE cipher suites enable PFE.
 ## Recommendation: increase the DHE key size
 
 Diffie Hellman has been in the news recently because it offers perfect
-forward secrecy. However, in 1.6 and 1.7, the server handshake of DHE is
-set to 1024 at most, which is considered weak and can be compromised by
-attackers.
-
-If you have JDK 1.8, setting the system property
+forward secrecy. If you have JDK 1.8, setting the system property
 `-Djdk.tls.ephemeralDHKeySize=2048` is recommended to ensure stronger
 keysize in the handshake. Please see [Customizing Size of Ephemeral
 Diffie-Hellman

documentation/src/paradox/Protocols.md

@@ -1,11 +1,8 @@
 # Configuring Protocols
 
 By default, WS SSL will use the most secure version of the TLS protocol
-available in the JVM.
-
- * On JDK 1.7 and later, the default protocol is "TLSv1.2".
- * On JDK 1.6, the default protocol is "TLSv1".
-
+available in the JVM.  On JDK 1.7 and later, the default protocol is "TLSv1.2".
+
 The full protocol list in JSSE is available in the [Standard Algorithm Name Documentation](https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#jssenames).
 
 ## Defining the default protocol

project/Common.scala

@@ -39,12 +39,12 @@ object Common extends AutoPlugin {
       scalacOptions ++= {
         CrossVersion.partialVersion(scalaVersion.value) match {
           case Some((2, v)) if v <= 11 =>
-            Seq("-target:jvm-1.6")
+            Seq("-target:jvm-1.8")
           case _ =>
             Nil
         }
       },
-      javacOptions ++= Seq("-encoding", "UTF-8", "-source", "1.6", "-target", "1.6"),
+      javacOptions ++= Seq("-encoding", "UTF-8", "-source", "1.8", "-target", "1.8"),
       // Scalariform settings
       ScalariformKeys.preferences := ScalariformKeys.preferences.value
         .setPreference(AlignSingleLineCaseStatements, true)

project/Dependencies.scala

@@ -1,7 +1,7 @@
 import sbt._
 
 object Version {
-  val typesafeConfig = "1.2.0" // last Java 6 version of it
+  val typesafeConfig = "1.3.3"
 
   val jodaTime       = "2.9.9"
   val jodaTimeConvert = "1.9.2"

ssl-config-core/src/main/scala/com/typesafe/sslconfig/ssl/Algorithms.scala

@@ -4,13 +4,13 @@
 
 package com.typesafe.sslconfig.ssl
 
-import javax.crypto.SecretKey
 import java.security.interfaces._
+import java.security.{ Key, KeyFactory }
+
+import javax.crypto.SecretKey
 import javax.crypto.interfaces.DHKey
 
 import scala.util.parsing.combinator.RegexParsers
-import java.security.{ KeyFactory, Key }
-import scala.Some
 
 /**
  * This singleton object provides the code needed to check for minimum standards of an X.509 certificate.  Over 95% of trusted leaf certificates and 95% of trusted signing certificates use <a href="http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf">NIST recommended key sizes</a>.  Play supports Java 1.6, which does not have built in <a href="http://sim.ivi.co/2013/11/harness-ssl-and-jsse-key-size-control.html">certificate strength checking</a>, so we roll our own here.
@@ -104,22 +104,8 @@ object Algorithms {
 
   def translateKey(pubk: Key): Key = {
     val keyAlgName = getKeyAlgorithmName(pubk)
-    foldVersion(
-      run16 = {
-        keyAlgName match {
-          case "EC" =>
-            // If we are on 1.6, then we can't use the EC factory and have to pull it directly.
-            translateECKey(pubk)
-          case _ =>
-            val keyFactory = KeyFactory.getInstance(keyAlgName)
-            keyFactory.translateKey(pubk)
-        }
-      },
-      runHigher = {
-        val keyFactory = KeyFactory.getInstance(keyAlgName)
-        keyFactory.translateKey(pubk)
-      }
-    )
+    val keyFactory = KeyFactory.getInstance(keyAlgName)
+    keyFactory.translateKey(pubk)
   }
 
   def translateECKey(pubk: Key): Key = {

ssl-config-core/src/main/scala/com/typesafe/sslconfig/ssl/Ciphers.scala

@@ -21,24 +21,10 @@ object Ciphers {
   // using OpenJDK, you're out of luck.
   // http://armoredbarista.blogspot.com/2013/10/how-to-use-ecc-with-openjdk.html
 
-  def recommendedCiphers: Seq[String] = foldVersion(
-    run16 = java16RecommendedCiphers,
-    runHigher = java17RecommendedCiphers)
-
-  lazy val java17RecommendedCiphers: Seq[String] = {
+  def recommendedCiphers: Seq[String] = {
     SSLContext.getDefault.getDefaultSSLParameters.getCipherSuites
   }.filterNot(deprecatedCiphers.contains(_))
 
-  val java16RecommendedCiphers: Seq[String] = Seq(
-    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
-    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
-    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
-    "TLS_RSA_WITH_AES_256_CBC_SHA",
-    "TLS_RSA_WITH_AES_128_CBC_SHA",
-    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
-    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" // per RFC 5746
-  )
-
   // Suite B profile for TLS (requires 1.2): http://tools.ietf.org/html/rfc6460
   // http://adambard.com/blog/the-new-ssl-basics/
 

ssl-config-core/src/main/scala/com/typesafe/sslconfig/ssl/CompositeX509TrustManager.scala

@@ -36,7 +36,6 @@ class CompositeX509TrustManager(mkLogger: LoggerFactory, trustManagers: Seq[X509
     certificates.toArray
   }
 
-  // In 1.6, sun.security.ssl.X509TrustManagerImpl extends from com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager
   // In 1.7, sun.security.ssl.X509TrustManagerImpl extends from javax.net.ssl.X509ExtendedTrustManager.
   // The two X509ExtendedTrustManager contain different method signatures, and both are available in 1.7, which means
   // it's really hard to keep something backwards compatible if something is calling trustManager.asInstanceOf[X509ExtendedTrustManager]

ssl-config-core/src/main/scala/com/typesafe/sslconfig/ssl/KeyStore.scala

@@ -4,21 +4,17 @@
 
 package com.typesafe.sslconfig.ssl
 
-import java.security.KeyStore
-
 import java.io._
+import java.security.KeyStore
 import java.security.cert._
 
-import com.typesafe.sslconfig.util.NoDepsLogger
-
 trait KeyStoreBuilder {
   def build(): KeyStore
 }
 
 object KeystoreFormats {
 
   def loadCertificates(certs: TraversableOnce[Certificate]): KeyStore = {
-    // Must be JKS internally, to enable trusted certificates in JDK 1.6
     val keystore = KeyStore.getInstance(KeyStore.getDefaultType)
     keystore.load(null)
     certs.foreach { cert =>
@@ -30,7 +26,7 @@ object KeystoreFormats {
 
 }
 
-import KeystoreFormats._
+import com.typesafe.sslconfig.ssl.KeystoreFormats._
 
 /**
  * Builds a keystore from a string containing PEM encoded certificates, using CertificateFactory internally.

ssl-config-core/src/main/scala/com/typesafe/sslconfig/ssl/Protocols.scala

@@ -13,8 +13,8 @@ object Protocols {
 
   val recommendedProtocols = Array("TLSv1.2", "TLSv1.1", "TLSv1")
 
-  // Use 1.2 as a default in 1.7, use 1.0 in 1.6
+  // Use 1.2 as a default in 1.7
   // https://docs.fedoraproject.org/en-US/Fedora_Security_Team//html/Defensive_Coding/sect-Defensive_Coding-TLS-Client-OpenJDK.html
-  def recommendedProtocol = foldVersion(run16 = "TLSv1", runHigher = "TLSv1.2")
+  def recommendedProtocol = "TLSv1.2"
 
 }

ssl-config-core/src/main/scala/com/typesafe/sslconfig/ssl/SSLContextBuilder.scala

@@ -4,13 +4,13 @@
 
 package com.typesafe.sslconfig.ssl
 
-import javax.net.ssl._
-import java.security._
-import java.security.cert._
 import java.io._
 import java.net.URL
+import java.security._
+import java.security.cert._
 
-import com.typesafe.sslconfig.util.{ LoggerFactory, NoDepsLogger }
+import com.typesafe.sslconfig.util.LoggerFactory
+import javax.net.ssl._
 
 trait SSLContextBuilder {
   def build(): SSLContext
@@ -202,19 +202,6 @@ class ConfigSSLContextBuilder(mkLogger: LoggerFactory,
     val keyStore = try {
       keyStoreBuilder(ksc).build()
     } catch {
-      case e: java.lang.ArithmeticException =>
-        // This bug only exists in 1.6: we'll only check on 1.6 and explain after the exception.
-        val willExplodeOnEmptyPassword = foldVersion(run16 = warnOnPKCS12EmptyPasswordBug(ksc), runHigher = false)
-        if (willExplodeOnEmptyPassword) {
-          val msg =
-            """You are running JDK 1.6, have a PKCS12 keystore with a null or empty password, and have run into a JSSE bug.
-              |The bug is closed in JDK 1.8, and backported to 1.7u4 / b13, so upgrading will fix this.
-              |Please see: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6879539
-            """.stripMargin
-          throw new IllegalStateException(msg, e)
-        } else {
-          throw e
-        }
       case bpe: javax.crypto.BadPaddingException =>
         // http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6415637
         // http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6974037

ssl-config-core/src/main/scala/com/typesafe/sslconfig/ssl/debug/FixInternalDebugLogging.scala

@@ -4,15 +4,14 @@
 
 package com.typesafe.sslconfig.ssl.debug
 
-import com.typesafe.sslconfig.ssl._
-
 import java.security.AccessController
-import com.typesafe.sslconfig.util.{ LoggerFactory, NoDepsLogger }
+
+import com.typesafe.sslconfig.util.LoggerFactory
 
 import scala.util.control.NonFatal
 
 /**
- * This fixes logging for the SSL Debug class. It will worth for both Java 1.6 and Java 1.7 VMs.
+ * This fixes logging for the SSL Debug class.
  */
 class FixInternalDebugLogging(mkLogger: LoggerFactory) {
 
@@ -22,15 +21,9 @@ class FixInternalDebugLogging(mkLogger: LoggerFactory) {
 
     override val logger = mkLogger("com.typesafe.sslconfig.ssl.debug.FixInternalDebugLogging.MonkeyPatchInternalSslDebugAction")
 
-    val initialResource = foldRuntime(
-      older = "/javax/net/ssl/SSLContext.class", // in 1.6 the JSSE classes are in rt.jar
-      newer = "/sun/security/ssl/Debug.class" // in 1.7 the JSSE classes are in jsse.jar
-    )
+    val initialResource = "/sun/security/ssl/Debug.class"
 
-    val debugClassName = foldRuntime(
-      older = "com.sun.net.ssl.internal.ssl.Debug",
-      newer = "sun.security.ssl.Debug"
-    )
+    val debugClassName = "sun.security.ssl.Debug"
 
     /**
      * Returns true if this class has an instance of the class returned by debugClassName, false otherwise.

ssl-config-core/src/main/scala/com/typesafe/sslconfig/ssl/package.scala

@@ -4,8 +4,9 @@
 
 package com.typesafe.sslconfig
 
-import java.security.cert.{ PKIXCertPathValidatorResult, CertPathValidatorResult, Certificate, X509Certificate }
-import scala.util.Properties.{ isJavaAtLeast, javaVmName }
+import java.security.cert.{ CertPathValidatorResult, Certificate, PKIXCertPathValidatorResult, X509Certificate }
+
+import scala.util.Properties.javaVmName
 
 package object ssl {
 
@@ -31,20 +32,6 @@ package object ssl {
     }
   }
 
-  def foldVersion[T](run16: => T, runHigher: => T): T = {
-    System.getProperty("java.specification.version") match {
-      case "1.6" =>
-        run16
-      case higher =>
-        runHigher
-    }
-  }
-
   def isOpenJdk: Boolean = javaVmName contains "OpenJDK"
 
-  // NOTE: Some SSL classes in OpenJDK 6 are in the same locations as JDK 7
-  def foldRuntime[T](older: => T, newer: => T): T = {
-    if (isJavaAtLeast("1.7") || isOpenJdk) newer else older
-  }
-
 }