8202343: Disable TLS 1.0 and 1.1

Reviewed-by: xuelei, dfuchs, coffeys, sgehwolf
openjdk · Nov 19, 2020 · da35e89 · da35e89
1 parent 11b047b
commit da35e89
Show file tree

Hide file tree

Showing 20 changed files with 264 additions and 129 deletions.
diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
@@ -680,8 +680,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
+    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
     include jdk.disabled.namedCurves
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)

diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
@@ -680,8 +680,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
+    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
     include jdk.disabled.namedCurves
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)

diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
@@ -683,8 +683,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
+    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
     include jdk.disabled.namedCurves
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)

diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
@@ -681,8 +681,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
+    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
     include jdk.disabled.namedCurves
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)

diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
@@ -683,8 +683,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
+    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
     include jdk.disabled.namedCurves
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)

diff --git a/jdk/test/javax/net/ssl/SSLEngine/Arrays.java b/jdk/test/javax/net/ssl/SSLEngine/Arrays.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,7 @@
  * @test
  * @bug 5019096
  * @summary Add scatter/gather APIs for SSLEngine
+ * @library /lib/security
  * @run main/othervm Arrays SSL
  * @run main/othervm Arrays TLS
  * @run main/othervm Arrays SSLv3
@@ -182,6 +183,14 @@ private void runTest() throws Exception {
     private static String contextVersion;
     public static void main(String args[]) throws Exception {
         contextVersion = args[0];
+        // Re-enable context version if it is disabled.
+        // If context version is SSLv3, TLSv1 needs to be re-enabled.
+        if (contextVersion.equals("SSLv3")) {
+            SecurityUtils.removeFromDisabledTlsAlgs("TLSv1");
+        } else if (contextVersion.equals("TLSv1") ||
+                   contextVersion.equals("TLSv1.1")) {
+            SecurityUtils.removeFromDisabledTlsAlgs(contextVersion);
+        }
 
         Arrays test;
 

diff --git a/jdk/test/javax/net/ssl/TLS/TLSClientPropertyTest.java b/jdk/test/javax/net/ssl/TLS/TLSClientPropertyTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 8049432 8069038 8234723
+ * @bug 8049432 8069038 8234723 8202343
  * @summary New tests for TLS property jdk.tls.client.protocols
  * @summary javax/net/ssl/TLS/TLSClientPropertyTest.java needs to be
  *     updated for JDK-8061210
@@ -71,7 +71,7 @@ public static void main(String[] args) throws Exception {
             }
             contextProtocol = null;
             expectedDefaultProtos = new String[] {
-                    "TLSv1", "TLSv1.1", "TLSv1.2"
+                    "TLSv1.2"
             };
             break;
         case "SSLv3":
@@ -82,26 +82,24 @@ public static void main(String[] args) throws Exception {
         case "TLSv1":
             contextProtocol = "TLSv1";
             expectedDefaultProtos = new String[] {
-                    "TLSv1"
             };
             break;
         case "TLSv11":
             contextProtocol = "TLSv1.1";
             expectedDefaultProtos = new String[] {
-                    "TLSv1", "TLSv1.1"
             };
             break;
         case "TLSv12":
         case "TLS":
             contextProtocol = "TLSv1.2";
             expectedDefaultProtos = new String[] {
-                    "TLSv1", "TLSv1.1", "TLSv1.2"
+                    "TLSv1.2"
             };
             break;
         case "TLSv13":
             contextProtocol = "TLSv1.3";
             expectedDefaultProtos = new String[] {
-                    "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"
+                    "TLSv1.2", "TLSv1.3"
             };
             break;
         case "WrongProperty":

diff --git a/jdk/test/javax/net/ssl/TLSv11/GenericBlockCipher.java b/jdk/test/javax/net/ssl/TLSv11/GenericBlockCipher.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,7 @@
  * @test
  * @bug 4873188
  * @summary Support TLS 1.1
+ * @library /lib/security
  * @run main/othervm GenericBlockCipher
  *
  *     SunJSSE does not support dynamic system properties, no way to re-use
@@ -160,6 +161,9 @@ void doClientSide() throws Exception {
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // Re-enable TLSv1.1 since test depends on it.
+        SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1");
+
         String keyFilename =
             System.getProperty("test.src", ".") + "/" + pathToStores +
                 "/" + keyStoreFile;

diff --git a/jdk/test/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java b/jdk/test/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@
  * @bug 8234728
  * @library /javax/net/ssl/templates
  *          /javax/net/ssl/TLSCommon
+ *          /lib/security
  * @summary Test TLS ciphersuites order set through System properties
  * @run main/othervm
  *      -Djdk.tls.client.cipherSuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
@@ -98,6 +99,10 @@ public static void main(String[] args) {
 
     private SystemPropCipherSuitesOrder(String protocol) {
         this.protocol = protocol;
+        // Re-enable protocol if disabled.
+        if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) {
+            SecurityUtils.removeFromDisabledTlsAlgs(protocol);
+        }
     }
 
     // Servers are configured before clients, increment test case after.

diff --git a/jdk/test/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java b/jdk/test/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@
  * @bug 8234728
  * @library /javax/net/ssl/templates
  *          /javax/net/ssl/TLSCommon
+ *          /lib/security
  * @summary Test TLS ciphersuites order.
  *      Parameter order: <protocol> <client cipher order> <server cipher order>
  * @run main/othervm TLSCipherSuitesOrder TLSv13 ORDERED default
@@ -67,6 +68,10 @@ public static void main(String[] args) {
 
     private TLSCipherSuitesOrder(String protocol, String[] clientcipherSuites,
             String[] servercipherSuites) {
+        // Re-enable protocol if it is disabled.
+        if (protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) {
+            SecurityUtils.removeFromDisabledTlsAlgs(protocol);
+        }
         this.protocol = protocol;
         this.clientcipherSuites = clientcipherSuites;
         this.servercipherSuites = servercipherSuites;

diff --git a/jdk/test/lib/security/SecurityUtils.java b/jdk/test/lib/security/SecurityUtils.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,6 +24,11 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.security.KeyStore;
+import java.security.Security;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.stream.Collectors;
 
 /**
  * Common library for various security test helper functions.
@@ -52,5 +57,25 @@ public static KeyStore getCacertsKeyStore() throws Exception {
         return ks;
     }
 
+    /**
+     * Removes the specified protocols from the jdk.tls.disabledAlgorithms
+     * security property.
+     */
+    public static void removeFromDisabledTlsAlgs(String... protocols) {
+        List<String> protocolsList = Arrays.asList(protocols);
+        protocolsList = Collections.unmodifiableList(protocolsList);
+        removeFromDisabledAlgs("jdk.tls.disabledAlgorithms",
+                               protocolsList);
+    }
+
+    private static void removeFromDisabledAlgs(String prop, List<String> algs) {
+        String value = Security.getProperty(prop);
+        value = Arrays.stream(value.split(","))
+                      .map(s -> s.trim())
+                      .filter(s -> !algs.contains(s))
+                      .collect(Collectors.joining(","));
+        Security.setProperty(prop, value);
+    }
+
     private SecurityUtils() {}
 }
diff --git a/jdk/test/sun/security/ssl/ClientHandshaker/LengthCheckTest.java b/jdk/test/sun/security/ssl/ClientHandshaker/LengthCheckTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
  * @bug 8044860
  * @summary Vectors and fixed length fields should be verified
  *          for allowed sizes.
+ * @library /lib/security
  * @run main/othervm LengthCheckTest
  * @key randomness
  */
@@ -299,6 +300,9 @@ public void execTest() throws Exception {
      * Main entry point for this test.
      */
     public static void main(String args[]) throws Exception {
+        // Re-enable TLSv1 since test depends on it.
+        SecurityUtils.removeFromDisabledTlsAlgs("TLSv1");
+
         List<LengthCheckTest> ccsTests = new ArrayList<>();
 
         if (debug) {

diff --git a/jdk/test/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.java b/jdk/test/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -22,10 +22,13 @@
  */
 
 /*
- * test
+ * @test
  * @bug 7126889
  * @summary Incorrect SSLEngine debug output
- *
+ * @library /lib /lib/security
+ * @run main DebugReportsOneExtraByte
+ */
+/*
  * Debug output was reporting n+1 bytes of data was written when it was
  * really was n.
  *
@@ -75,24 +78,16 @@
 import java.security.*;
 import java.nio.*;
 
+import jdk.test.lib.process.OutputAnalyzer;
+import jdk.test.lib.process.ProcessTools;
+
 public class DebugReportsOneExtraByte {
 
     /*
      * Enables logging of the SSLEngine operations.
      */
     private static boolean logging = true;
 
-    /*
-     * Enables the JSSE system debugging system property:
-     *
-     *     -Djavax.net.debug=all
-     *
-     * This gives a lot of low-level information about operations underway,
-     * including specific handshake messages, and might be best examined
-     * after gaining some familiarity with this application.
-     */
-    private static boolean debug = false;
-
     private SSLContext sslc;
 
     private SSLEngine clientEngine;     // client Engine
@@ -130,14 +125,21 @@ public class DebugReportsOneExtraByte {
      * Main entry point for this test.
      */
     public static void main(String args[]) throws Exception {
-        if (debug) {
-            System.setProperty("javax.net.debug", "all");
-        }
 
-        DebugReportsOneExtraByte test = new DebugReportsOneExtraByte();
-        test.runTest();
+        if (args.length == 0) {
+            OutputAnalyzer output = ProcessTools.executeTestJvm(
+                "-Dtest.src=" + System.getProperty("test.src"),
+                "-Djavax.net.debug=all", "DebugReportsOneExtraByte", "p");
+            output.shouldContain("WRITE: TLS10 application_data, length = 8");
 
-        System.out.println("Test Passed.");
+            System.out.println("Test Passed.");
+        } else {
+            // Re-enable TLSv1 since test depends on it
+            SecurityUtils.removeFromDisabledTlsAlgs("TLSv1");
+
+            DebugReportsOneExtraByte test = new DebugReportsOneExtraByte();
+            test.runTest();
+        }
     }
 
     /*