Merge pull request #366 from lutkerd/enable_dtls10

Enable DTLS1.0
corretto · May 14, 2024 · d2e3022 · d2e3022
2 parents a83ede6 + 164355b
commit d2e3022
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 29 deletions.
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -1344,7 +1344,7 @@ List<CipherSuite> getClientDefaultCipherSuites() {
     }
 
     /*
-     * The SSLContext implementation for customized TLS protocols
+     * The SSLContext implementation for customized DTLS protocols
      *
      * @see SSLContext
      */
@@ -1402,13 +1402,11 @@ private static List<ProtocolVersion> customizedProtocols(boolean client,
                         ProtocolVersion.DTLS12,
                         ProtocolVersion.DTLS10
                 };
-                if (!client)
-                    return Arrays.asList(candidates);
             } else {
                 // Use the customized TLS protocols.
                 candidates =
                         new ProtocolVersion[customized.size()];
-                candidates = customized.toArray(candidates);
+                candidates = refactored.toArray(candidates);
             }
 
             return getAvailableProtocols(candidates);

diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
@@ -755,8 +755,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+#       rsa_pkcs1_sha1, secp224r1
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, \
+    MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
     include jdk.disabled.namedCurves
 
 #

diff --git a/test/jdk/javax/net/ssl/DTLS/InvalidRecords.java b/test/jdk/javax/net/ssl/DTLS/InvalidRecords.java
@@ -38,6 +38,8 @@
 import java.net.SocketAddress;
 import java.util.concurrent.atomic.AtomicBoolean;
 
+import jdk.test.lib.security.SecurityUtils;
+
 /**
  * Test that if handshake messages are changed, the handshake would fail
  * because of handshaking hash verification.
@@ -46,6 +48,7 @@ public class InvalidRecords extends DTLSOverDatagram {
     private static final AtomicBoolean needInvalidRecords = new AtomicBoolean(true);
 
     public static void main(String[] args) throws Exception {
+        SecurityUtils.removeFromDisabledTlsAlgs("DTLSv1.0");
         InvalidRecords testCase = new InvalidRecords();
         testCase.runTest(testCase);
 

diff --git a/test/jdk/javax/net/ssl/DTLS/NoMacInitialClientHello.java b/test/jdk/javax/net/ssl/DTLS/NoMacInitialClientHello.java
@@ -38,13 +38,17 @@
 import java.net.DatagramPacket;
 import java.net.SocketAddress;
 
+import jdk.test.lib.security.SecurityUtils;
+
+
 /**
  * Test that a server is able to discard invalid initial ClientHello silently.
  */
 public class NoMacInitialClientHello extends DTLSOverDatagram {
     boolean needInvalidRecords = true;
 
     public static void main(String[] args) throws Exception {
+        SecurityUtils.removeFromDisabledTlsAlgs("DTLSv1.0");
         System.setProperty("jdk.tls.useExtendedMasterSecret", "false");
         NoMacInitialClientHello testCase = new NoMacInitialClientHello();
         testCase.runTest(testCase);

diff --git a/test/jdk/sun/security/ssl/SSLContextImpl/SSLContextDefault.java b/test/jdk/sun/security/ssl/SSLContextImpl/SSLContextDefault.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,8 +28,9 @@
 
 /*
  * @test
- * @bug 8202343
- * @summary Check that SSLv3, TLSv1 and TLSv1.1 are disabled by default
+ * @bug 8202343 8256660
+ * @summary Check that SSLv3, TLSv1, TLSv1.1, and DTLSv1.0 are disabled
+ *          by default
  * @run main/othervm SSLContextDefault
  */
 
@@ -38,26 +39,42 @@
 
 public class SSLContextDefault {
 
-    private final static String[] protocols = {
+    private static final String[] tlsProtocols = {
         "", "SSL", "TLS", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"
     };
 
-    private final static List<String> disabledProtocols = List.<String>of(
+    private static final String[] dtlsProtocols = {
+        "DTLS", "DTLSv1.0", "DTLSv1.2"
+    };
+
+    private static final List<String> disabledTlsProtocols = List.<String>of(
         "SSLv3"
     );
 
+    private static final List<String> disabledDtlsProtocols = List.<String>of(
+    );
+
     public static void main(String[] args) throws Exception {
-        for (String protocol : protocols) {
-            System.out.println("//");
-            System.out.println("// " + "Testing for SSLContext of " +
-                    (protocol.isEmpty() ? "<default>" : protocol));
-            System.out.println("//");
-            checkForProtocols(protocol);
-            System.out.println();
+        for (String tlsProtocol : tlsProtocols) {
+            testProtocol(tlsProtocol, disabledTlsProtocols);
+        }
+        for (String dtlsProtocol : dtlsProtocols) {
+            testProtocol(dtlsProtocol, disabledDtlsProtocols);
         }
     }
 
-    public static void checkForProtocols(String protocol) throws Exception {
+    private static void testProtocol(String protocol,
+            List<String> disabledProtocols) throws Exception {
+        System.out.println("//");
+        System.out.println("// " + "Testing for SSLContext of " +
+                (protocol.isEmpty() ? "<default>" : protocol));
+        System.out.println("//");
+        checkForProtocols(protocol, disabledProtocols);
+        System.out.println();
+    }
+
+    private static void checkForProtocols(String protocol,
+            List<String> disabledProtocols) throws Exception {
         SSLContext context;
         if (protocol.isEmpty()) {
             context = SSLContext.getDefault();
@@ -68,32 +85,35 @@ public static void checkForProtocols(String protocol) throws Exception {
 
         // check for the presence of supported protocols of SSLContext
         SSLParameters parameters = context.getSupportedSSLParameters();
-        checkProtocols(parameters.getProtocols(),
+        checkProtocols(parameters.getProtocols(), disabledProtocols,
                 "Supported protocols in SSLContext", false);
 
-
         // check for the presence of default protocols of SSLContext
         parameters = context.getDefaultSSLParameters();
-        checkProtocols(parameters.getProtocols(),
+        checkProtocols(parameters.getProtocols(), disabledProtocols,
                 "Enabled protocols in SSLContext", true);
 
         // check for the presence of supported protocols of SSLEngine
         SSLEngine engine = context.createSSLEngine();
-        checkProtocols(engine.getSupportedProtocols(),
+        checkProtocols(engine.getSupportedProtocols(), disabledProtocols,
                 "Supported protocols in SSLEngine", false);
 
         // Check for the presence of default protocols of SSLEngine
-        checkProtocols(engine.getEnabledProtocols(),
+        checkProtocols(engine.getEnabledProtocols(), disabledProtocols,
                 "Enabled protocols in SSLEngine", true);
 
+        if (protocol.startsWith("DTLS")) {
+            return;
+        }
+
         SSLSocketFactory factory = context.getSocketFactory();
         try (SSLSocket socket = (SSLSocket)factory.createSocket()) {
             // check for the presence of supported protocols of SSLSocket
-            checkProtocols(socket.getSupportedProtocols(),
+            checkProtocols(socket.getSupportedProtocols(), disabledProtocols,
                 "Supported cipher suites in SSLSocket", false);
 
             // Check for the presence of default protocols of SSLSocket
-            checkProtocols(socket.getEnabledProtocols(),
+            checkProtocols(socket.getEnabledProtocols(), disabledProtocols,
                 "Enabled protocols in SSLSocket", true);
         }
 
@@ -102,16 +122,19 @@ public static void checkForProtocols(String protocol) throws Exception {
                 (SSLServerSocket)serverFactory.createServerSocket()) {
             // check for the presence of supported protocols of SSLServerSocket
             checkProtocols(serverSocket.getSupportedProtocols(),
-                "Supported cipher suites in SSLServerSocket", false);
+                disabledProtocols, "Supported cipher suites in SSLServerSocket",
+                false);
 
             // Check for the presence of default protocols of SSLServerSocket
             checkProtocols(serverSocket.getEnabledProtocols(),
-                "Enabled protocols in SSLServerSocket", true);
+                disabledProtocols, "Enabled protocols in SSLServerSocket",
+                true);
         }
     }
 
     private static void checkProtocols(String[] protocols,
-            String title, boolean disabled) throws Exception {
+            List<String> disabledProtocols, String title, boolean disabled)
+            throws Exception {
         showProtocols(protocols, title);
 
         if (disabled) {