
8190492: Remove SSLv2Hello and SSLv3 from default enabled TLS protocols

Reviewed-by: mullan, wetmore, xuelei
Rajan Halade
Rajan Halade committed Dec 10, 2019
1 parent 63ba804 commit 5fc46f3c50a4b04808f1741a3f6e7a768b206cef
@@ -550,9 +550,7 @@ boolean isStaplingEnabled(boolean isClient) {
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30,
ProtocolVersion.SSL20Hello
ProtocolVersion.TLS10
});

supportedCipherSuites = getApplicableSupportedCipherSuites(
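Review bot: Nothing in the shortened arrays records that SSLv3 and SSLv2Hello were left out on purpose, so a later edit could put them back unnoticed. This applies to the array closed by `});` in this hunk and to the identical edits in the hunks at -609, -641, -675, -709 and -853. A one-line comment above each default list would do, for example `// SSLv3 and SSLv2Hello are not enabled by default (JDK-8190492)`. The test changes in this commit call `getSupportedProtocols()` to reach SSLv3, so the protocols presumably stay in the supported set and can still be enabled explicitly; saying so in the comment would help readers tell "supported" from "enabled by default". The assignment this array belongs to starts above the hunk.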
@@ -609,8 +607,7 @@ boolean isDTLS() {
static {
clientDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS10,
ProtocolVersion.SSL30
ProtocolVersion.TLS10
});

clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
@@ -641,8 +638,7 @@ boolean isDTLS() {
clientDefaultProtocols = getAvailableProtocols(
new ProtocolVersion[] {
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30
ProtocolVersion.TLS10
});

clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
@@ -675,8 +671,7 @@ boolean isDTLS() {
new ProtocolVersion[] {
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30
ProtocolVersion.TLS10
});

clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
@@ -709,8 +704,7 @@ boolean isDTLS() {
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30
ProtocolVersion.TLS10
});

clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
@@ -853,18 +847,16 @@ private static void populate(String propname,
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30
ProtocolVersion.TLS10
};

} else {
// default server protocols
candidates = new ProtocolVersion[] {
ProtocolVersion.TLS13,
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
ProtocolVersion.TLS10,
ProtocolVersion.SSL30,
ProtocolVersion.SSL20Hello
ProtocolVersion.TLS10
};
}
} else {
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -28,7 +28,7 @@

/*
* @test
* @bug 4495742
* @bug 4495742 8190492
* @summary Demonstrate SSLEngine switch from no client auth to client auth.
* @run main/othervm NoAuthClientAuth SSLv3
* @run main/othervm NoAuthClientAuth TLSv1
@@ -304,6 +304,11 @@ private void createSSLEngines() throws Exception {
serverEngine.setUseClientMode(false);
serverEngine.setNeedClientAuth(false);

// Enable all supported protocols on server side to test SSLv3
if ("SSLv3".equals(tlsProtocol)) {
serverEngine.setEnabledProtocols(serverEngine.getSupportedProtocols());
}

/*
* Similar to above, but using client mode instead.
*/
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -28,7 +28,7 @@

/*
* @test
* @bug 7068321
* @bug 7068321 8190492
* @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server
* @library ../SSLEngine ../templates
* @build SSLEngineService SSLCapabilities SSLExplorer
@@ -80,6 +80,9 @@ void doServerSide() throws Exception {
// create SSLEngine.
SSLEngine ssle = createSSLEngine(false);

// Enable all supported protocols on server side to test SSLv3
ssle.setEnabledProtocols(ssle.getSupportedProtocols());

// Create a server socket channel.
InetSocketAddress isa =
new InetSocketAddress(InetAddress.getLocalHost(), serverPort);
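Review bot: `ssle.setEnabledProtocols(ssle.getSupportedProtocols())` turns on every protocol the provider supports, which is wider than the SSLv3 case the comment names, and the call is unconditional. The earlier hunk in `createSSLEngines()` guards the same call with `if ("SSLv3".equals(tlsProtocol))`; a similar guard, or passing only the protocol versions the test exercises, would keep any non-SSLv3 path on the new defaults. The same applies to the `sslSocket`, `serverSocket` (two hunks) and `sslServerSocket` hunks further down. The comment could also say that this is test-only setup, e.g. `// Test only: SSLv3 is no longer enabled by default (JDK-8190492)`. `doServerSide()` continues outside the hunk.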
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -28,7 +28,7 @@

/**
* @test
* @bug 7068321
* @bug 7068321 8190492
* @summary Support TLS Server Name Indication (SNI) Extension in JSSE Server
* @library ../templates
* @build SSLCapabilities SSLExplorer
@@ -148,6 +148,9 @@ void doServerSide() throws Exception {
new ByteArrayInputStream(buffer, 0, position);
SSLSocket sslSocket = (SSLSocket)sslsf.createSocket(socket, bais, true);

// Enable all supported protocols on server side to test SSLv3
sslSocket.setEnabledProtocols(sslSocket.getSupportedProtocols());

InputStream sslIS = sslSocket.getInputStream();
OutputStream sslOS = sslSocket.getOutputStream();

@@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -51,6 +51,10 @@
serverSocket
= (SSLServerSocket) factory.createServerSocket(CipherTest.serverPort);
CipherTest.serverPort = serverSocket.getLocalPort();

// JDK-8190492: Enable all supported protocols on server side to test SSLv3
serverSocket.setEnabledProtocols(serverSocket.getSupportedProtocols());

serverSocket.setEnabledCipherSuites(factory.getSupportedCipherSuites());
serverSocket.setWantClientAuth(true);
}
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -52,6 +52,10 @@
serverSocket = (SSLServerSocket)factory.createServerSocket(0);
serverSocket.setSoTimeout(CipherTest.TIMEOUT);
CipherTest.serverPort = serverSocket.getLocalPort();

// JDK-8190492: Enable all supported protocols on server side to test SSLv3
serverSocket.setEnabledProtocols(serverSocket.getSupportedProtocols());

serverSocket.setEnabledCipherSuites(factory.getSupportedCipherSuites());
serverSocket.setWantClientAuth(true);
}
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@

/*
* @test
* @bug 4671289
* @bug 4671289 8190492
* @summary passing https.protocols from command line doesn't work.
* @run main/othervm -Dhttps.protocols=SSLv3 HttpsProtocols
* @author Brad Wetmore
@@ -88,6 +88,9 @@ void doServerSide() throws Exception {
SSLServerSocket sslServerSocket =
(SSLServerSocket) sslssf.createServerSocket(serverPort);

// Enable all supported protocols on server side to test SSLv3
sslServerSocket.setEnabledProtocols(sslServerSocket.getSupportedProtocols());

serverPort = sslServerSocket.getLocalPort();

/*
