Skip to content

Commit

Permalink
8256660: Disable DTLS 1.0
Browse files Browse the repository at this point in the history
Reviewed-by: mbaesken
Backport-of: 16744b34498e7aac59caef8c9b1a3d4d15f8c22e
  • Loading branch information
GoeLin committed Apr 16, 2024
1 parent 06cca19 commit b39a4d2
Show file tree
Hide file tree
Showing 5 changed files with 58 additions and 29 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -1344,7 +1344,7 @@ List<CipherSuite> getClientDefaultCipherSuites() {
}

/*
* The SSLContext implementation for customized TLS protocols
* The SSLContext implementation for customized DTLS protocols
*
* @see SSLContext
*/
Expand Down Expand Up @@ -1402,13 +1402,11 @@ private static List<ProtocolVersion> customizedProtocols(boolean client,
ProtocolVersion.DTLS12,
ProtocolVersion.DTLS10
};
if (!client)
return Arrays.asList(candidates);
} else {
// Use the customized TLS protocols.
candidates =
new ProtocolVersion[customized.size()];
candidates = customized.toArray(candidates);
candidates = refactored.toArray(candidates);
}

return getAvailableProtocols(candidates);
Expand Down
4 changes: 2 additions & 2 deletions src/java.base/share/conf/security/java.security
Original file line number Diff line number Diff line change
Expand Up @@ -756,8 +756,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
# rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves

#
Expand Down
3 changes: 3 additions & 0 deletions test/jdk/javax/net/ssl/DTLS/InvalidRecords.java
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,8 @@
import java.net.SocketAddress;
import java.util.concurrent.atomic.AtomicBoolean;

import jdk.test.lib.security.SecurityUtils;

/**
* Test that if handshake messages are changed, the handshake would fail
* because of handshaking hash verification.
Expand All @@ -46,6 +48,7 @@ public class InvalidRecords extends DTLSOverDatagram {
private static final AtomicBoolean needInvalidRecords = new AtomicBoolean(true);

public static void main(String[] args) throws Exception {
SecurityUtils.removeFromDisabledTlsAlgs("DTLSv1.0");
InvalidRecords testCase = new InvalidRecords();
testCase.runTest(testCase);

Expand Down
4 changes: 4 additions & 0 deletions test/jdk/javax/net/ssl/DTLS/NoMacInitialClientHello.java
Original file line number Diff line number Diff line change
Expand Up @@ -38,13 +38,17 @@
import java.net.DatagramPacket;
import java.net.SocketAddress;

import jdk.test.lib.security.SecurityUtils;


/**
* Test that a server is able to discard invalid initial ClientHello silently.
*/
public class NoMacInitialClientHello extends DTLSOverDatagram {
boolean needInvalidRecords = true;

public static void main(String[] args) throws Exception {
SecurityUtils.removeFromDisabledTlsAlgs("DTLSv1.0");
System.setProperty("jdk.tls.useExtendedMasterSecret", "false");
NoMacInitialClientHello testCase = new NoMacInitialClientHello();
testCase.runTest(testCase);
Expand Down
70 changes: 47 additions & 23 deletions test/jdk/sun/security/ssl/SSLContextImpl/SSLContextDefault.java
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2020, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -28,8 +28,9 @@

/*
* @test
* @bug 8202343
* @summary Check that SSLv3, TLSv1 and TLSv1.1 are disabled by default
* @bug 8202343 8256660
* @summary Check that SSLv3, TLSv1, TLSv1.1, and DTLSv1.0 are disabled
* by default
* @run main/othervm SSLContextDefault
*/

Expand All @@ -38,26 +39,43 @@

public class SSLContextDefault {

private final static String[] protocols = {
private static final String[] tlsProtocols = {
"", "SSL", "TLS", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"
};

private final static List<String> disabledProtocols = List.<String>of(
private static final String[] dtlsProtocols = {
"DTLS", "DTLSv1.0", "DTLSv1.2"
};

private static final List<String> disabledTlsProtocols = List.<String>of(
"SSLv3", "TLSv1", "TLSv1.1"
);

private static final List<String> disabledDtlsProtocols = List.<String>of(
"DTLSv1.0"
);

public static void main(String[] args) throws Exception {
for (String protocol : protocols) {
System.out.println("//");
System.out.println("// " + "Testing for SSLContext of " +
(protocol.isEmpty() ? "<default>" : protocol));
System.out.println("//");
checkForProtocols(protocol);
System.out.println();
for (String tlsProtocol : tlsProtocols) {
testProtocol(tlsProtocol, disabledTlsProtocols);
}
for (String dtlsProtocol : dtlsProtocols) {
testProtocol(dtlsProtocol, disabledDtlsProtocols);
}
}

public static void checkForProtocols(String protocol) throws Exception {
private static void testProtocol(String protocol,
List<String> disabledProtocols) throws Exception {
System.out.println("//");
System.out.println("// " + "Testing for SSLContext of " +
(protocol.isEmpty() ? "<default>" : protocol));
System.out.println("//");
checkForProtocols(protocol, disabledProtocols);
System.out.println();
}

private static void checkForProtocols(String protocol,
List<String> disabledProtocols) throws Exception {
SSLContext context;
if (protocol.isEmpty()) {
context = SSLContext.getDefault();
Expand All @@ -68,32 +86,35 @@ public static void checkForProtocols(String protocol) throws Exception {

// check for the presence of supported protocols of SSLContext
SSLParameters parameters = context.getSupportedSSLParameters();
checkProtocols(parameters.getProtocols(),
checkProtocols(parameters.getProtocols(), disabledProtocols,
"Supported protocols in SSLContext", false);


// check for the presence of default protocols of SSLContext
parameters = context.getDefaultSSLParameters();
checkProtocols(parameters.getProtocols(),
checkProtocols(parameters.getProtocols(), disabledProtocols,
"Enabled protocols in SSLContext", true);

// check for the presence of supported protocols of SSLEngine
SSLEngine engine = context.createSSLEngine();
checkProtocols(engine.getSupportedProtocols(),
checkProtocols(engine.getSupportedProtocols(), disabledProtocols,
"Supported protocols in SSLEngine", false);

// Check for the presence of default protocols of SSLEngine
checkProtocols(engine.getEnabledProtocols(),
checkProtocols(engine.getEnabledProtocols(), disabledProtocols,
"Enabled protocols in SSLEngine", true);

if (protocol.startsWith("DTLS")) {
return;
}

SSLSocketFactory factory = context.getSocketFactory();
try (SSLSocket socket = (SSLSocket)factory.createSocket()) {
// check for the presence of supported protocols of SSLSocket
checkProtocols(socket.getSupportedProtocols(),
checkProtocols(socket.getSupportedProtocols(), disabledProtocols,
"Supported cipher suites in SSLSocket", false);

// Check for the presence of default protocols of SSLSocket
checkProtocols(socket.getEnabledProtocols(),
checkProtocols(socket.getEnabledProtocols(), disabledProtocols,
"Enabled protocols in SSLSocket", true);
}

Expand All @@ -102,16 +123,19 @@ public static void checkForProtocols(String protocol) throws Exception {
(SSLServerSocket)serverFactory.createServerSocket()) {
// check for the presence of supported protocols of SSLServerSocket
checkProtocols(serverSocket.getSupportedProtocols(),
"Supported cipher suites in SSLServerSocket", false);
disabledProtocols, "Supported cipher suites in SSLServerSocket",
false);

// Check for the presence of default protocols of SSLServerSocket
checkProtocols(serverSocket.getEnabledProtocols(),
"Enabled protocols in SSLServerSocket", true);
disabledProtocols, "Enabled protocols in SSLServerSocket",
true);
}
}

private static void checkProtocols(String[] protocols,
String title, boolean disabled) throws Exception {
List<String> disabledProtocols, String title, boolean disabled)
throws Exception {
showProtocols(protocols, title);

if (disabled) {
Expand Down

1 comment on commit b39a4d2

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.