changeset 8153:24d4fdd0320c

8061210: Issues in TLS Reviewed-by: xuelei, wetmore, coffeys
author igerasim
date Tue, 04 Nov 2014 22:22:17 +0300
parents e1562d834e75
children f98b50b034f9
files src/share/classes/sun/security/ssl/Handshaker.java src/share/classes/sun/security/ssl/ProtocolVersion.java src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java src/share/classes/sun/security/ssl/SSLContextImpl.java src/share/lib/security/java.security-linux src/share/lib/security/java.security-macosx src/share/lib/security/java.security-solaris src/share/lib/security/java.security-windows test/sun/security/ec/TestEC.java test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java test/sun/security/ssl/sanity/interop/CipherTest.java test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java
diffstat 15 files changed, 249 insertions(+), 79 deletions(-) [+]
--- a/src/share/classes/sun/security/ssl/Handshaker.java	Mon Nov 03 12:42:41 2014 -0800
+++ b/src/share/classes/sun/security/ssl/Handshaker.java	Tue Nov 04 22:22:17 2014 +0300
@@ -467,7 +467,9 @@
 
         if (activeProtocols.collection().isEmpty() ||
                 activeProtocols.max.v == ProtocolVersion.NONE.v) {
-            throw new SSLHandshakeException("No appropriate protocol");
+            throw new SSLHandshakeException(
+                    "No appropriate protocol (protocol is disabled or " +
+                    "cipher suites are inappropriate)");
         }
 
         if (activeCipherSuites == null) {
@@ -636,14 +638,24 @@
     ProtocolList getActiveProtocols() {
         if (activeProtocols == null) {
             ArrayList<ProtocolVersion> protocols = new ArrayList<>(4);
+            EnumSet<CryptoPrimitive> cryptoPrimitives =
+                EnumSet.<CryptoPrimitive>of(CryptoPrimitive.KEY_AGREEMENT);
             for (ProtocolVersion protocol : enabledProtocols.collection()) {
+                if (!algorithmConstraints.permits(
+                        cryptoPrimitives, protocol.name, null)) {
+                    if (debug != null && Debug.isOn("verbose")) {
+                        System.out.println(
+                            "Ignoring disabled protocol: " + protocol);
+                    }
+
+                    continue;
+                }
                 boolean found = false;
                 for (CipherSuite suite : enabledCipherSuites.collection()) {
                     if (suite.isAvailable() && suite.obsoleted > protocol.v &&
                                                suite.supported <= protocol.v) {
                         if (algorithmConstraints.permits(
-                                EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
-                                suite.name, null)) {
+                                cryptoPrimitives, suite.name, null)) {
                             protocols.add(protocol);
                             found = true;
                             break;
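Review bot: The new `algorithmConstraints.permits(cryptoPrimitives, protocol.name, null)` check pairs a protocol version name with a `KEY_AGREEMENT` primitive set, and nothing in the hunk says why that pairing is right. A short comment above the check would help, for example `// protocol versions are matched by name against the disabled algorithms; a disabled version is skipped even if the application enabled it`. The skip is reported only when verbose debug is on, so in a normal run the first visible sign is the "No appropriate protocol" exception from the earlier hunk. getActiveProtocols continues past the end of this hunk.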
--- a/src/share/classes/sun/security/ssl/ProtocolVersion.java	Mon Nov 03 12:42:41 2014 -0800
+++ b/src/share/classes/sun/security/ssl/ProtocolVersion.java	Tue Nov 04 22:22:17 2014 +0300
@@ -25,6 +25,9 @@
 
 package sun.security.ssl;
 
+import java.util.*;
+import java.security.CryptoPrimitive;
+
 /**
  * Type safe enum for an SSL/TLS protocol version. Instances are obtained
  * using the static factory methods or by referencing the static members
@@ -86,6 +89,11 @@
     // Default version for hello messages (SSLv2Hello)
     final static ProtocolVersion DEFAULT_HELLO = FIPS ? TLS10 : SSL30;
 
+    // Available protocols
+    //
+    // Including all supported protocols except the disabled ones.
+    final static Set<ProtocolVersion> availableProtocols;
+
     // version in 16 bit MSB format as it appears in records and
     // messages, i.e. 0x0301 for TLS 1.0
     public final int v;
@@ -96,6 +104,25 @@
     // name used in JSSE (e.g. TLSv1 for TLS 1.0)
     final String name;
 
+    // Initialize the available protocols.
+    static {
+        Set<ProtocolVersion> protocols = new HashSet<>(5);
+
+        ProtocolVersion[] pvs = new ProtocolVersion[] {
+                SSL20Hello, SSL30, TLS10, TLS11, TLS12};
+        EnumSet<CryptoPrimitive> cryptoPrimitives =
+            EnumSet.<CryptoPrimitive>of(CryptoPrimitive.KEY_AGREEMENT);
+        for (ProtocolVersion p : pvs) {
+            if (SSLAlgorithmConstraints.DEFAULT_SSL_ONLY.permits(
+                    cryptoPrimitives, p.name, null)) {
+                protocols.add(p);
+            }
+        }
+
+        availableProtocols =
+                Collections.<ProtocolVersion>unmodifiableSet(protocols);
+    }
+
     // private
     private ProtocolVersion(int v, String name) {
         this.v = v;
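Review bot: `availableProtocols` is filled once in this static initializer, so it is a snapshot of what `SSLAlgorithmConstraints.DEFAULT_SSL_ONLY` permits when `ProtocolVersion` is first loaded; the field comment in the previous hunk ("Including all supported protocols except the disabled ones") does not say that. If the constraints are driven by a security property, as the java.security changes in this changeset suggest, a later change of that property would not reach this set. I would extend the field comment with something like `// Computed once at class initialization; later changes to the disabled algorithms are not reflected here.` The constructor that follows the block runs on past the hunk.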
--- a/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java	Mon Nov 03 12:42:41 2014 -0800
+++ b/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java	Tue Nov 04 22:22:17 2014 +0300
@@ -55,6 +55,14 @@
 
     private boolean enabledX509DisabledAlgConstraints = true;
 
+    // the default algorithm constraints
+    final static AlgorithmConstraints DEFAULT =
+                        new SSLAlgorithmConstraints(null);
+
+    // the default SSL only algorithm constraints
+    final static AlgorithmConstraints DEFAULT_SSL_ONLY =
+                        new SSLAlgorithmConstraints((SSLSocket)null, false);
+
     SSLAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) {
         userAlgConstraints = algorithmConstraints;
     }
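Review bot: The comment `// the default SSL only algorithm constraints` does not explain what "SSL only" leaves out, and the call `new SSLAlgorithmConstraints((SSLSocket)null, false)` gives no hint either, since the two-argument constructor is outside the hunk. Judging by the neighbouring field `enabledX509DisabledAlgConstraints`, the `false` probably switches off the X.509 disabled-algorithm checks; if so, the comment should say it, e.g. `// TLS disabled-algorithm constraints only, without the X.509 certification path constraints`. Both constants are shared across the package, so it is worth confirming that the instances are not mutated after construction.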
--- a/src/share/classes/sun/security/ssl/SSLContextImpl.java	Mon Nov 03 12:42:41 2014 -0800
+++ b/src/share/classes/sun/security/ssl/SSLContextImpl.java	Tue Nov 04 22:22:17 2014 +0300
@@ -51,10 +51,6 @@
     private X509TrustManager trustManager;
     private SecureRandom secureRandom;
 
-    // The default algrithm constraints
-    private AlgorithmConstraints defaultAlgorithmConstraints =
-                                 new SSLAlgorithmConstraints(null);
-
     // supported and default protocols
     private ProtocolList defaultServerProtocolList;
     private ProtocolList defaultClientProtocolList;
@@ -342,7 +338,7 @@
                 if (suite.isAvailable() &&
                         suite.obsoleted > protocols.min.v &&
                         suite.supported <= protocols.max.v) {
-                    if (defaultAlgorithmConstraints.permits(
+                    if (SSLAlgorithmConstraints.DEFAULT.permits(
                             EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
                             suite.name, null)) {
                         suites.add(suite);
@@ -384,6 +380,22 @@
         }
     }
 
+    static String[] getAvailableProtocols(
+            ProtocolVersion[] protocolCandidates) {
+
+        List<String> availableProtocols = Collections.<String>emptyList();
+        if (protocolCandidates != null && protocolCandidates.length != 0) {
+            availableProtocols = new ArrayList<>(protocolCandidates.length);
+            for (ProtocolVersion p : protocolCandidates) {
+                if (ProtocolVersion.availableProtocols.contains(p)) {
+                    availableProtocols.add(p.name);
+                }
+            }
+        }
+
+        return availableProtocols.toArray(new String[0]);
+    }
+
     /*
      * The SSLContext implementation for TLS/SSL algorithm
      *
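Review bot: `getAvailableProtocols` can return an empty array when every candidate is filtered out, and the callers pass the result straight to `SSLParameters.setProtocols`. The FIPS client candidates of `ConservativeSSLContext` hold a single entry, `TLS10`, so disabling that one version would leave the default client protocol list empty (inferred from the static blocks later in this file). The method has no Javadoc; I would add one stating that it returns the names of the candidates present in `ProtocolVersion.availableProtocols`, in candidate order, and that the result may be empty. The local `availableProtocols` also shares its name with the `ProtocolVersion` field it is tested against; `names` would read more easily.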
@@ -423,28 +435,35 @@
      */
     private static class ConservativeSSLContext extends SSLContextImpl {
         // parameters
-        private static SSLParameters defaultServerSSLParams;
-        private static SSLParameters defaultClientSSLParams;
-        private static SSLParameters supportedSSLParams;
+        private static final SSLParameters defaultServerSSLParams;
+        private static final SSLParameters defaultClientSSLParams;
+        private static final SSLParameters supportedSSLParams;
 
         static {
+            // supported SSL parameters
+            supportedSSLParams = new SSLParameters();
+
+            // candidates for available protocols
+            ProtocolVersion[] serverCandidates;
+            ProtocolVersion[] clientCandidates;
+
             if (SunJSSE.isFIPS()) {
-                supportedSSLParams = new SSLParameters();
                 supportedSSLParams.setProtocols(new String[] {
                     ProtocolVersion.TLS10.name,
                     ProtocolVersion.TLS11.name,
                     ProtocolVersion.TLS12.name
                 });
 
-                defaultServerSSLParams = supportedSSLParams;
+                serverCandidates = new ProtocolVersion[] {
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS12
+                };
 
-                defaultClientSSLParams = new SSLParameters();
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.TLS10.name
-                });
-
+                clientCandidates = new ProtocolVersion[] {
+                    ProtocolVersion.TLS10
+                };
             } else {
-                supportedSSLParams = new SSLParameters();
                 supportedSSLParams.setProtocols(new String[] {
                     ProtocolVersion.SSL20Hello.name,
                     ProtocolVersion.SSL30.name,
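Review bot: `supportedSSLParams` is still filled with the full hard-coded list, `SSL20Hello` and `SSL30` included, while only the default client and server lists go through `getAvailableProtocols`. That looks intended, since `Handshaker.getActiveProtocols` drops disabled versions anyway, but the block should say so, for instance `// supported protocols are not filtered here; disabled versions are dropped when the active protocols are computed`. The same applies to the static blocks of `TLS11Context` and `TLS12Context` in the later hunks. The three blocks are now identical apart from the client candidates, which would be a good reason to move the shared part into one helper. This static block continues past the end of the hunk.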
@@ -453,14 +472,27 @@
                     ProtocolVersion.TLS12.name
                 });
 
-                defaultServerSSLParams = supportedSSLParams;
+                serverCandidates = new ProtocolVersion[] {
+                    ProtocolVersion.SSL20Hello,
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS12
+                };
 
-                defaultClientSSLParams = new SSLParameters();
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.SSL30.name,
-                    ProtocolVersion.TLS10.name
-                });
+                clientCandidates = new ProtocolVersion[] {
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.TLS10
+                };
             }
+
+            defaultClientSSLParams = new SSLParameters();
+            defaultClientSSLParams.setProtocols(
+                getAvailableProtocols(clientCandidates));
+
+            defaultServerSSLParams = new SSLParameters();
+            defaultServerSSLParams.setProtocols(
+                getAvailableProtocols(serverCandidates));
         }
 
         SSLParameters getDefaultServerSSLParams() {
@@ -651,29 +683,36 @@
      */
     public static final class TLS11Context extends SSLContextImpl {
         // parameters
-        private static SSLParameters defaultServerSSLParams;
-        private static SSLParameters defaultClientSSLParams;
-        private static SSLParameters supportedSSLParams;
+        private static final SSLParameters defaultServerSSLParams;
+        private static final SSLParameters defaultClientSSLParams;
+        private static final SSLParameters supportedSSLParams;
 
         static {
+            // supported SSL parameters
+            supportedSSLParams = new SSLParameters();
+
+            // candidates for available protocols
+            ProtocolVersion[] serverCandidates;
+            ProtocolVersion[] clientCandidates;
+
             if (SunJSSE.isFIPS()) {
-                supportedSSLParams = new SSLParameters();
                 supportedSSLParams.setProtocols(new String[] {
                     ProtocolVersion.TLS10.name,
                     ProtocolVersion.TLS11.name,
                     ProtocolVersion.TLS12.name
                 });
 
-                defaultServerSSLParams = supportedSSLParams;
+                serverCandidates = new ProtocolVersion[] {
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS12
+                };
 
-                defaultClientSSLParams = new SSLParameters();
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.TLS10.name,
-                    ProtocolVersion.TLS11.name
-                });
-
+                clientCandidates = new ProtocolVersion[] {
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11
+                };
             } else {
-                supportedSSLParams = new SSLParameters();
                 supportedSSLParams.setProtocols(new String[] {
                     ProtocolVersion.SSL20Hello.name,
                     ProtocolVersion.SSL30.name,
@@ -682,15 +721,28 @@
                     ProtocolVersion.TLS12.name
                 });
 
-                defaultServerSSLParams = supportedSSLParams;
+                serverCandidates = new ProtocolVersion[] {
+                    ProtocolVersion.SSL20Hello,
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS12
+                };
 
-                defaultClientSSLParams = new SSLParameters();
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.SSL30.name,
-                    ProtocolVersion.TLS10.name,
-                    ProtocolVersion.TLS11.name
-                });
+                clientCandidates = new ProtocolVersion[] {
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11
+                };
             }
+
+            defaultClientSSLParams = new SSLParameters();
+            defaultClientSSLParams.setProtocols(
+                getAvailableProtocols(clientCandidates));
+
+            defaultServerSSLParams = new SSLParameters();
+            defaultServerSSLParams.setProtocols(
+                getAvailableProtocols(serverCandidates));
         }
 
         SSLParameters getDefaultServerSSLParams() {
@@ -713,30 +765,37 @@
      */
     public static final class TLS12Context extends SSLContextImpl {
         // parameters
-        private static SSLParameters defaultServerSSLParams;
-        private static SSLParameters defaultClientSSLParams;
-        private static SSLParameters supportedSSLParams;
+        private static final SSLParameters defaultServerSSLParams;
+        private static final SSLParameters defaultClientSSLParams;
+        private static final SSLParameters supportedSSLParams;
 
         static {
+            // supported SSL parameters
+            supportedSSLParams = new SSLParameters();
+
+            // candidates for available protocols
+            ProtocolVersion[] serverCandidates;
+            ProtocolVersion[] clientCandidates;
+
             if (SunJSSE.isFIPS()) {
-                supportedSSLParams = new SSLParameters();
                 supportedSSLParams.setProtocols(new String[] {
                     ProtocolVersion.TLS10.name,
                     ProtocolVersion.TLS11.name,
                     ProtocolVersion.TLS12.name
                 });
 
-                defaultServerSSLParams = supportedSSLParams;
+                serverCandidates = new ProtocolVersion[] {
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS12
+                };
 
-                defaultClientSSLParams = new SSLParameters();
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.TLS10.name,
-                    ProtocolVersion.TLS11.name,
-                    ProtocolVersion.TLS12.name
-                });
-
+                clientCandidates = new ProtocolVersion[] {
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS12
+                };
             } else {
-                supportedSSLParams = new SSLParameters();
                 supportedSSLParams.setProtocols(new String[] {
                     ProtocolVersion.SSL20Hello.name,
                     ProtocolVersion.SSL30.name,
@@ -745,16 +804,29 @@
                     ProtocolVersion.TLS12.name
                 });
 
-                defaultServerSSLParams = supportedSSLParams;
+                serverCandidates = new ProtocolVersion[] {
+                    ProtocolVersion.SSL20Hello,
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS12
+                };
 
-                defaultClientSSLParams = new SSLParameters();
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.SSL30.name,
-                    ProtocolVersion.TLS10.name,
-                    ProtocolVersion.TLS11.name,
-                    ProtocolVersion.TLS12.name
-                });
+                clientCandidates = new ProtocolVersion[] {
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS12
+                };
             }
+
+            defaultClientSSLParams = new SSLParameters();
+            defaultClientSSLParams.setProtocols(
+                getAvailableProtocols(clientCandidates));
+
+            defaultServerSSLParams = new SSLParameters();
+            defaultServerSSLParams.setProtocols(
+                getAvailableProtocols(serverCandidates));
         }
 
         SSLParameters getDefaultServerSSLParams() {
--- a/src/share/lib/security/java.security-linux	Mon Nov 03 12:42:41 2014 -0800
+++ b/src/share/lib/security/java.security-linux	Tue Nov 04 22:22:17 2014 +0300
@@ -412,8 +412,12 @@
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS.  This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -428,4 +432,5 @@
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
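Review bot: The new default `jdk.tls.disabledAlgorithms=SSLv3` relies on protocol version names being accepted in this list, but the comment block never says which spelling to use. The code in this changeset compares against `protocol.name`, the JSSE name (`TLSv1` for TLS 1.0 according to the comment in ProtocolVersion.java), so one line such as `# Protocol versions are given by their JSSE names, for example SSLv3 or TLSv1.` would save users a guess. The example line also lost `SHA1` when `SSLv3` was put in; if that was not deliberate, keep both. The macosx, solaris and windows files get the same two hunks and the same remark.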
--- a/src/share/lib/security/java.security-macosx	Mon Nov 03 12:42:41 2014 -0800
+++ b/src/share/lib/security/java.security-macosx	Tue Nov 04 22:22:17 2014 +0300
@@ -417,8 +417,12 @@
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS.  This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -433,4 +437,5 @@
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
--- a/src/share/lib/security/java.security-solaris	Mon Nov 03 12:42:41 2014 -0800
+++ b/src/share/lib/security/java.security-solaris	Tue Nov 04 22:22:17 2014 +0300
@@ -416,8 +416,12 @@
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS.  This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -432,4 +436,5 @@
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
--- a/src/share/lib/security/java.security-windows	Mon Nov 03 12:42:41 2014 -0800
+++ b/src/share/lib/security/java.security-windows	Tue Nov 04 22:22:17 2014 +0300
@@ -417,8 +417,12 @@
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS.  This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -433,4 +437,5 @@
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
--- a/test/sun/security/ec/TestEC.java	Mon Nov 03 12:42:41 2014 -0800
+++ b/test/sun/security/ec/TestEC.java	Tue Nov 04 22:22:17 2014 +0300
@@ -30,7 +30,7 @@
  * @library ../pkcs11/sslecc
  * @library ../../../java/security/testlibrary
  * @compile -XDignore.symbol.file TestEC.java
- * @run main TestEC
+ * @run main/othervm TestEC
  */
 
 import java.security.Provider;
@@ -53,6 +53,10 @@
 public class TestEC {
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         ProvidersSnapshot snapshot = ProvidersSnapshot.create();
         try {
             main0(args);
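Review bot: Every test touched in this changeset clears `jdk.tls.disabledAlgorithms` at the top of `main`, and none of the visible hunks adds a case that leaves the default in place and checks that an SSLv3 handshake is refused. A small test for the new default, including the path where the application enables the version explicitly, would pin the behaviour this change is meant to provide. Because the property is process-wide, the reset only makes sense in a separate VM; this file and two others get `@run main/othervm`, but the hunks for HttpsProtocols.java and testEnabledProtocols.java do not show their `@run` tag, so confirm they already run that way. `main` continues past the end of the hunk.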
--- a/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java	Mon Nov 03 12:42:41 2014 -0800
+++ b/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java	Tue Nov 04 22:22:17 2014 +0300
@@ -28,6 +28,7 @@
  * @author Andreas Sterbenz
  * @library ..
  * @library ../../../../java/security/testlibrary
+ * @run main/othervm ClientJSSEServerJSSE
  */
 
 import java.security.*;
@@ -37,6 +38,10 @@
     private static String[] cmdArgs;
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         cmdArgs = args;
         main(new ClientJSSEServerJSSE());
     }
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java	Mon Nov 03 12:42:41 2014 -0800
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java	Tue Nov 04 22:22:17 2014 +0300
@@ -32,6 +32,7 @@
 import java.io.*;
 import java.net.*;
 import javax.net.ssl.*;
+import java.security.Security;
 
 public class HttpsProtocols implements HostnameVerifier {
 
@@ -177,6 +178,10 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         String keyFilename =
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + keyStoreFile;
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java	Mon Nov 03 12:42:41 2014 -0800
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java	Tue Nov 04 22:22:17 2014 +0300
@@ -25,7 +25,7 @@
  * @test
  * @bug 4969459
  * @summary Delegated tasks are not reflecting the subclasses of SSLException
- *
+ * @run main/othervm DelegatedTaskWrongException
  */
 
 import javax.net.ssl.*;
@@ -110,6 +110,9 @@
     }
 
     public static void main(String args[]) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
 
         DelegatedTaskWrongException test;
 
--- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java	Mon Nov 03 12:42:41 2014 -0800
+++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java	Tue Nov 04 22:22:17 2014 +0300
@@ -122,6 +122,10 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         String keyFilename =
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + keyStoreFile;
--- a/test/sun/security/ssl/sanity/interop/CipherTest.java	Mon Nov 03 12:42:41 2014 -0800
+++ b/test/sun/security/ssl/sanity/interop/CipherTest.java	Tue Nov 04 22:22:17 2014 +0300
@@ -394,6 +394,10 @@
 
     public static void main(PeerFactory peerFactory, String[] args)
             throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         long time = System.currentTimeMillis();
         String relPath;
         if ((args != null) && (args.length > 0) && args[0].equals("sh")) {
--- a/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java	Mon Nov 03 12:42:41 2014 -0800
+++ b/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java	Tue Nov 04 22:22:17 2014 +0300
@@ -29,9 +29,15 @@
  * @run main/othervm/timeout=300 ClientJSSEServerJSSE
  */
 
+import java.security.Security;
+
 public class ClientJSSEServerJSSE {
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         CipherTest.main(new JSSEFactory(), args);
     }