8202343: Disable TLS 1.0 and 1.1

Reviewed-by: xuelei, dfuchs, coffeys

Author: seanjmullan

src/java.base/share/conf/security/java.security

@@ -731,8 +731,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
 #       rsa_pkcs1_sha1, secp224r1
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
+    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
 
 #
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)

test/jdk/java/net/httpclient/TlsContextTest.java

@@ -42,6 +42,7 @@
 import static java.net.http.HttpClient.Version.HTTP_2;
 import static java.net.http.HttpResponse.BodyHandlers.ofString;
 import static org.testng.Assert.assertEquals;
+import jdk.test.lib.security.SecurityUtils;
 
 /*
  * @test
@@ -72,6 +73,9 @@ public class TlsContextTest implements HttpServerAdapters {
 
     @BeforeTest
     public void setUp() throws Exception {
+        // Re-enable TLSv1 and TLSv1.1 since test depends on them
+        SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1");
+
         server = SimpleSSLContext.getContext("TLS");
         final ExecutorService executor = Executors.newCachedThreadPool();
         https2Server = HttpTestServer.of(

test/jdk/javax/net/ssl/SSLEngine/Arrays.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,7 @@
  * @test
  * @bug 5019096
  * @summary Add scatter/gather APIs for SSLEngine
+ * @library /test/lib
  * @run main/othervm Arrays SSL
  * @run main/othervm Arrays TLS
  * @run main/othervm Arrays SSLv3
@@ -41,6 +42,8 @@
 import java.security.*;
 import java.nio.*;
 
+import jdk.test.lib.security.SecurityUtils;
+
 public class Arrays {
 
     private static boolean debug = false;
@@ -182,6 +185,14 @@ private void runTest() throws Exception {
     private static String contextVersion;
     public static void main(String args[]) throws Exception {
         contextVersion = args[0];
+        // Re-enable context version if it is disabled.
+        // If context version is SSLv3, TLSv1 needs to be re-enabled.
+        if (contextVersion.equals("SSLv3")) {
+            SecurityUtils.removeFromDisabledTlsAlgs("TLSv1");
+        } else if (contextVersion.equals("TLSv1") ||
+                   contextVersion.equals("TLSv1.1")) {
+            SecurityUtils.removeFromDisabledTlsAlgs(contextVersion);
+        }
 
         Arrays test;
 

test/jdk/javax/net/ssl/TLS/TLSClientPropertyTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 8049432 8069038 8234723
+ * @bug 8049432 8069038 8234723 8202343
  * @summary New tests for TLS property jdk.tls.client.protocols
  * @summary javax/net/ssl/TLS/TLSClientPropertyTest.java needs to be
  *     updated for JDK-8061210
@@ -79,7 +79,7 @@ public static void main(String[] args) throws Exception {
             }
             contextProtocol = null;
             expectedDefaultProtos = new String[] {
-                    "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"
+                    "TLSv1.2", "TLSv1.3"
             };
             break;
         case "SSLv3":
@@ -90,26 +90,24 @@ public static void main(String[] args) throws Exception {
         case "TLSv1":
             contextProtocol = "TLSv1";
             expectedDefaultProtos = new String[] {
-                    "TLSv1"
             };
             break;
         case "TLSv11":
             contextProtocol = "TLSv1.1";
             expectedDefaultProtos = new String[] {
-                    "TLSv1", "TLSv1.1"
             };
             break;
         case "TLSv12":
             contextProtocol = "TLSv1.2";
             expectedDefaultProtos = new String[] {
-                    "TLSv1", "TLSv1.1", "TLSv1.2"
+                    "TLSv1.2"
             };
             break;
         case "TLSv13":
         case "TLS":
             contextProtocol = "TLSv1.3";
             expectedDefaultProtos = new String[] {
-                    "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"
+                    "TLSv1.2", "TLSv1.3"
             };
             break;
         case "WrongProperty":

test/jdk/javax/net/ssl/TLSCommon/interop/JdkProcClient.java

@@ -27,6 +27,8 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import jdk.test.lib.security.SecurityUtils;
+
 /*
  * A JDK client process.
  */
@@ -158,6 +160,9 @@ public static void main(String[] args) throws Exception {
         String serverNamesStr = System.getProperty(JdkProcUtils.PROP_SERVER_NAMES);
         String appProtocolsStr = System.getProperty(JdkProcUtils.PROP_APP_PROTOCOLS);
 
+        // Re-enable TLSv1 and TLSv1.1 since client depends on them
+        SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1");
+
         JdkClient.Builder builder = new JdkClient.Builder();
         builder.setCertTuple(JdkProcUtils.createCertTuple(
                 trustedCertsStr, eeCertsStr));

test/jdk/javax/net/ssl/TLSv11/GenericBlockCipher.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,7 @@
  * @test
  * @bug 4873188
  * @summary Support TLS 1.1
+ * @library /test/lib
  * @modules java.security.jgss
  *          java.security.jgss/sun.security.jgss.krb5
  *          java.security.jgss/sun.security.krb5:+open
@@ -50,6 +51,8 @@
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 
+import jdk.test.lib.security.SecurityUtils;
+
 public class GenericBlockCipher {
 
     /*
@@ -171,6 +174,9 @@ void doClientSide() throws Exception {
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // Re-enable TLSv1.1 since test depends on it.
+        SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1");
+
         String keyFilename =
             System.getProperty("test.src", ".") + "/" + pathToStores +
                 "/" + keyStoreFile;

test/jdk/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,11 +24,14 @@
 import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLSocket;
 
+import jdk.test.lib.security.SecurityUtils;
+
 /*
  * @test
  * @bug 8234728
  * @library /javax/net/ssl/templates
  *          /javax/net/ssl/TLSCommon
+ *          /test/lib
  * @summary Test TLS ciphersuites order set through System properties
  * @run main/othervm
  *      -Djdk.tls.client.cipherSuites=TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
@@ -95,6 +98,10 @@ public static void main(String[] args) {
 
     private SystemPropCipherSuitesOrder(String protocol) {
         this.protocol = protocol;
+        // Re-enable protocol if disabled.
+        if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) {
+            SecurityUtils.removeFromDisabledTlsAlgs(protocol);
+        }
     }
 
     // Servers are configured before clients, increment test case after.

test/jdk/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,11 +24,14 @@
 import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLSocket;
 
+import jdk.test.lib.security.SecurityUtils;
+
 /*
  * @test
  * @bug 8234728
  * @library /javax/net/ssl/templates
  *          /javax/net/ssl/TLSCommon
+ *          /test/lib
  * @summary Test TLS ciphersuites order.
  *      Parameter order: <protocol> <client cipher order> <server cipher order>
  * @run main/othervm TLSCipherSuitesOrder TLSv13 ORDERED default
@@ -67,6 +70,10 @@ public static void main(String[] args) {
 
     private TLSCipherSuitesOrder(String protocol, String[] clientcipherSuites,
             String[] servercipherSuites) {
+        // Re-enable protocol if it is disabled.
+        if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) {
+            SecurityUtils.removeFromDisabledTlsAlgs(protocol);
+        }
         this.protocol = protocol;
         this.clientcipherSuites = clientcipherSuites;
         this.servercipherSuites = servercipherSuites;

test/jdk/sun/security/ssl/CipherSuite/DisabledCurve.java

@@ -24,7 +24,7 @@
 /*
  * @test
  * @bug 8246330
- * @library /javax/net/ssl/templates
+ * @library /javax/net/ssl/templates /test/lib
  * @run main/othervm -Djdk.tls.namedGroups="secp384r1"
         DisabledCurve DISABLE_NONE PASS
  * @run main/othervm -Djdk.tls.namedGroups="secp384r1"
@@ -37,6 +37,8 @@
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
 
+import jdk.test.lib.security.SecurityUtils;
+
 public class DisabledCurve extends SSLSocketTemplate {
 
     private static volatile int index;
@@ -97,6 +99,9 @@ public static void main(String[] args) throws Exception {
             Security.setProperty("jdk.certpath.disabledAlgorithms", "secp384r1");
         }
 
+        // Re-enable TLSv1 and TLSv1.1 since test depends on it.
+        SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1");
+
         for (index = 0; index < protocols.length; index++) {
             try {
                 (new DisabledCurve()).run();

test/jdk/sun/security/ssl/CipherSuite/NamedGroupsWithCipherSuite.java

@@ -25,11 +25,14 @@
 import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLSocket;
 
+import jdk.test.lib.security.SecurityUtils;
+
 /*
   * @test
   * @bug 8224650 8242929
   * @library /javax/net/ssl/templates
   *          /javax/net/ssl/TLSCommon
+  *          /test/lib
   * @summary Test TLS ciphersuite with each individual supported group
   * @run main/othervm NamedGroupsWithCipherSuite x25519
   * @run main/othervm NamedGroupsWithCipherSuite X448
@@ -145,6 +148,9 @@ public static void main(String[] args) throws Exception {
         System.setProperty("jdk.tls.namedGroups", namedGroup);
         System.out.println("NamedGroup: " + namedGroup);
 
+        // Re-enable TLSv1 and TLSv1.1 since test depends on it.
+        SecurityUtils.removeFromDisabledTlsAlgs("TLSv1", "TLSv1.1");
+
         for (Protocol protocol : PROTOCOLS) {
             for (CipherSuite cipherSuite : CIPHER_SUITES) {
                 // Named group converted to lower case just