changeset 7653:b57a21af9f6d jdk7u72-b06

8043200: Decrease the preference mode of RC4 in the enabled cipher suite list 8050158: Introduce system property to maintain RC4 preference order Reviewed-by: xuelei
author coffeys
date Tue, 15 Jul 2014 16:50:52 +0100
parents cca558daa199
children 7df00d7cfa0b
files src/share/classes/sun/security/ssl/CipherSuite.java test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOldOrder.java test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOrder.java
diffstat 3 files changed, 376 insertions(+), 68 deletions(-) [+]
--- a/src/share/classes/sun/security/ssl/CipherSuite.java	Tue Jul 22 08:49:13 2014 -0700
+++ b/src/share/classes/sun/security/ssl/CipherSuite.java	Tue Jul 15 16:50:52 2014 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -82,6 +82,10 @@
     private final static boolean ALLOW_ECC = Debug.getBooleanProperty
         ("com.sun.net.ssl.enableECC", true);
 
+    // preserve the old order of RC4 preference
+    private final static boolean PRESERVE_RC4 = Debug.getBooleanProperty
+        ("jdk.tls.preserveRC4CipherSuites", false);
+
     // Map Integer(id) -> CipherSuite
     // contains all known CipherSuites
     private final static Map<Integer,CipherSuite> idMap;
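Review bot: The comment on `PRESERVE_RC4` does not record what turning the flag on costs or when it is read. With `jdk.tls.preserveRC4CipherSuites=true` the RC4_128 suites return to their position ahead of 3DES, which is the ordering this change moves away from. Because the value lands in a `static final` field it appears to be read once at class initialisation, and the new test's header also notes that SunJSSE does not support dynamic system properties. I would replace the comment with `// Compatibility switch, default false: true restores the old order with RC4_128 ahead of 3DES.` followed by `// Read once when this class is initialised; later changes to the property have no effect.`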
@@ -963,16 +967,18 @@
         add("TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
             0x0032, --p, K_DHE_DSS,     B_AES_128, T);
 
-        add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
-            0xC007, --p, K_ECDHE_ECDSA, B_RC4_128, N);
-        add("TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-            0xC011, --p, K_ECDHE_RSA,   B_RC4_128, N);
-        add("SSL_RSA_WITH_RC4_128_SHA",
-            0x0005, --p, K_RSA,         B_RC4_128, N);
-        add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
-            0xC002, --p, K_ECDH_ECDSA,  B_RC4_128, N);
-        add("TLS_ECDH_RSA_WITH_RC4_128_SHA",
-            0xC00C, --p, K_ECDH_RSA,    B_RC4_128, N);
+        if (PRESERVE_RC4) {
+            add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+                0xC007, --p, K_ECDHE_ECDSA, B_RC4_128, N);
+            add("TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+                0xC011, --p, K_ECDHE_RSA,   B_RC4_128, N);
+            add("SSL_RSA_WITH_RC4_128_SHA",
+                0x0005, --p, K_RSA,         B_RC4_128, N);
+            add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+                0xC002, --p, K_ECDH_ECDSA,  B_RC4_128, N);
+            add("TLS_ECDH_RSA_WITH_RC4_128_SHA",
+                0xC00C, --p, K_ECDH_RSA,    B_RC4_128, N);
+        }
 
         add("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
             0xC008, --p, K_ECDHE_ECDSA, B_3DES,    T);
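Review bot: The five `*_WITH_RC4_128_SHA` entries are now written out twice, here under `if (PRESERVE_RC4)` and again in the next hunk under `if (!PRESERVE_RC4)`. The same copy-under-opposite-guards pattern repeats in the later hunks for the anonymous 3DES pair, the DES/export block and the Kerberos 3DES and DES_CBC_40 pairs. In a preference table, a later edit that reaches only one copy makes the two modes diverge in more than ordering, with no compile error to flag it, so each group is better defined once and called from both positions. The sketch below covers the RC4 group; it assumes `p` is an `int` and `N` a `boolean` local of the enclosing block, whose start and end are outside this hunk.

```java
// helper beside add(); N is passed in on the assumption that it is a local of the enclosing block
private static int addRc4ShaSuites(int p, boolean N) {
    // … unchanged: the five *_WITH_RC4_128_SHA add() calls, each using --p …
    return p;
}

// old position, before the 3DES suites
if (PRESERVE_RC4) {
    p = addRc4ShaSuites(p, N);
}
// … unchanged: 3DES suites …
// new position, after the 3DES suites
if (!PRESERVE_RC4) {
    p = addRc4ShaSuites(p, N);
}
```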
@@ -989,6 +995,18 @@
         add("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
             0x0013, --p, K_DHE_DSS,     B_3DES,    N);
 
+        if (!PRESERVE_RC4) {
+            add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+                0xC007, --p, K_ECDHE_ECDSA, B_RC4_128, N);
+            add("TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+                0xC011, --p, K_ECDHE_RSA,   B_RC4_128, N);
+            add("SSL_RSA_WITH_RC4_128_SHA",
+                0x0005, --p, K_RSA,         B_RC4_128, N);
+            add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+                0xC002, --p, K_ECDH_ECDSA,  B_RC4_128, N);
+            add("TLS_ECDH_RSA_WITH_RC4_128_SHA",
+                0xC00C, --p, K_ECDH_RSA,    B_RC4_128, N);
+        }
         add("SSL_RSA_WITH_RC4_128_MD5",
             0x0004, --p, K_RSA,         B_RC4_128, N);
 
@@ -1008,7 +1026,7 @@
          * 2. If a cipher suite has been obsoleted, we put it at the end of
          *    the list.
          * 3. Prefer the stronger bulk cipher, in the order of AES_256,
-         *    AES_128, RC-4, 3DES-EDE, DES, RC4_40, DES40, NULL.
+         *    AES_128, 3DES-EDE, RC-4, DES, DES40, RC4_40, NULL.
          * 4. Prefer the stronger MAC algorithm, in the order of SHA384,
          *    SHA256, SHA, MD5.
          * 5. Prefer the better performance of key exchange and digital
@@ -1031,15 +1049,51 @@
         add("TLS_DH_anon_WITH_AES_128_CBC_SHA",
             0x0034, --p, K_DH_ANON,     B_AES_128, N);
 
+        if (!PRESERVE_RC4) {
+            add("TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+                0xC017, --p, K_ECDH_ANON,   B_3DES,    T);
+            add("SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
+                0x001b, --p, K_DH_ANON,     B_3DES,    N);
+        }
+
         add("TLS_ECDH_anon_WITH_RC4_128_SHA",
             0xC016, --p, K_ECDH_ANON,   B_RC4_128, N);
         add("SSL_DH_anon_WITH_RC4_128_MD5",
             0x0018, --p, K_DH_ANON,     B_RC4_128, N);
 
-        add("TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
-            0xC017, --p, K_ECDH_ANON,   B_3DES,    T);
-        add("SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
-            0x001b, --p, K_DH_ANON,     B_3DES,    N);
+        if (!PRESERVE_RC4) {
+            // weak cipher suites obsoleted in TLS 1.2
+            add("SSL_RSA_WITH_DES_CBC_SHA",
+                0x0009, --p, K_RSA,         B_DES,     N, tls12);
+            add("SSL_DHE_RSA_WITH_DES_CBC_SHA",
+                0x0015, --p, K_DHE_RSA,     B_DES,     N, tls12);
+            add("SSL_DHE_DSS_WITH_DES_CBC_SHA",
+                0x0012, --p, K_DHE_DSS,     B_DES,     N, tls12);
+            add("SSL_DH_anon_WITH_DES_CBC_SHA",
+                0x001a, --p, K_DH_ANON,     B_DES,     N, tls12);
+
+            // weak cipher suites obsoleted in TLS 1.1
+            add("SSL_RSA_EXPORT_WITH_RC4_40_MD5",
+                0x0003, --p, K_RSA_EXPORT,  B_RC4_40,  N, tls11);
+            add("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
+                0x0017, --p, K_DH_ANON,     B_RC4_40,  N, tls11);
+
+            add("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
+                0x0008, --p, K_RSA_EXPORT,  B_DES_40,  N, tls11);
+            add("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
+                0x0014, --p, K_DHE_RSA,     B_DES_40,  N, tls11);
+            add("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+                0x0011, --p, K_DHE_DSS,     B_DES_40,  N, tls11);
+            add("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
+                0x0019, --p, K_DH_ANON,     B_DES_40,  N, tls11);
+        }
+
+        if (PRESERVE_RC4) {
+            add("TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+                0xC017, --p, K_ECDH_ANON,   B_3DES,    T);
+            add("SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
+                0x001b, --p, K_DH_ANON,     B_3DES,    N);
+        }
 
         add("TLS_RSA_WITH_NULL_SHA256",
             0x003b, --p, K_RSA,         B_NULL,    N, max, tls12, P_SHA256);
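Review bot: The `!PRESERVE_RC4` branch in this hunk still adds the two `SSL_*_EXPORT_WITH_RC4_40_MD5` suites before the four `*_EXPORT_WITH_DES40_CBC_SHA` suites, while rule 3 of the ordering comment updated by this commit now reads `DES, DES40, RC4_40, NULL`. The Kerberos block in the following hunk does put `DES_CBC_40` ahead of `RC4_40` in the new mode, so the two groups disagree with each other. Either move the DES40 adds above the RC4_40 adds in this branch, or reword the comment so it matches what is registered. Reordering would also mean adjusting the expected list in CipherSuitesInOrder.java, which appears to follow the current code order.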
@@ -1058,52 +1112,70 @@
         add("SSL_RSA_WITH_NULL_MD5",
             0x0001, --p, K_RSA,         B_NULL,    N);
 
-        // weak cipher suites obsoleted in TLS 1.2
-        add("SSL_RSA_WITH_DES_CBC_SHA",
-            0x0009, --p, K_RSA,         B_DES,     N, tls12);
-        add("SSL_DHE_RSA_WITH_DES_CBC_SHA",
-            0x0015, --p, K_DHE_RSA,     B_DES,     N, tls12);
-        add("SSL_DHE_DSS_WITH_DES_CBC_SHA",
-            0x0012, --p, K_DHE_DSS,     B_DES,     N, tls12);
-        add("SSL_DH_anon_WITH_DES_CBC_SHA",
-            0x001a, --p, K_DH_ANON,     B_DES,     N, tls12);
+        if (PRESERVE_RC4) {
+            // weak cipher suites obsoleted in TLS 1.2
+            add("SSL_RSA_WITH_DES_CBC_SHA",
+                0x0009, --p, K_RSA,         B_DES,     N, tls12);
+            add("SSL_DHE_RSA_WITH_DES_CBC_SHA",
+                0x0015, --p, K_DHE_RSA,     B_DES,     N, tls12);
+            add("SSL_DHE_DSS_WITH_DES_CBC_SHA",
+                0x0012, --p, K_DHE_DSS,     B_DES,     N, tls12);
+            add("SSL_DH_anon_WITH_DES_CBC_SHA",
+                0x001a, --p, K_DH_ANON,     B_DES,     N, tls12);
 
-        // weak cipher suites obsoleted in TLS 1.1
-        add("SSL_RSA_EXPORT_WITH_RC4_40_MD5",
-            0x0003, --p, K_RSA_EXPORT,  B_RC4_40,  N, tls11);
-        add("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
-            0x0017, --p, K_DH_ANON,     B_RC4_40,  N, tls11);
+            // weak cipher suites obsoleted in TLS 1.1
+            add("SSL_RSA_EXPORT_WITH_RC4_40_MD5",
+                0x0003, --p, K_RSA_EXPORT,  B_RC4_40,  N, tls11);
+            add("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
+                0x0017, --p, K_DH_ANON,     B_RC4_40,  N, tls11);
 
-        add("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
-            0x0008, --p, K_RSA_EXPORT,  B_DES_40,  N, tls11);
-        add("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
-            0x0014, --p, K_DHE_RSA,     B_DES_40,  N, tls11);
-        add("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
-            0x0011, --p, K_DHE_DSS,     B_DES_40,  N, tls11);
-        add("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
-            0x0019, --p, K_DH_ANON,     B_DES_40,  N, tls11);
+            add("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
+                0x0008, --p, K_RSA_EXPORT,  B_DES_40,  N, tls11);
+            add("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
+                0x0014, --p, K_DHE_RSA,     B_DES_40,  N, tls11);
+            add("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+                0x0011, --p, K_DHE_DSS,     B_DES_40,  N, tls11);
+            add("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
+                0x0019, --p, K_DH_ANON,     B_DES_40,  N, tls11);
+        }
 
         // Supported Kerberos ciphersuites from RFC2712
+        if (!PRESERVE_RC4) {
+            add("TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
+                0x001f, --p, K_KRB5,        B_3DES,    N);
+            add("TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
+                0x0023, --p, K_KRB5,        B_3DES,    N);
+        }
         add("TLS_KRB5_WITH_RC4_128_SHA",
             0x0020, --p, K_KRB5,        B_RC4_128, N);
         add("TLS_KRB5_WITH_RC4_128_MD5",
             0x0024, --p, K_KRB5,        B_RC4_128, N);
-        add("TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
-            0x001f, --p, K_KRB5,        B_3DES,    N);
-        add("TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
-            0x0023, --p, K_KRB5,        B_3DES,    N);
+        if (PRESERVE_RC4) {
+            add("TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
+                0x001f, --p, K_KRB5,        B_3DES,    N);
+            add("TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
+                0x0023, --p, K_KRB5,        B_3DES,    N);
+        }
         add("TLS_KRB5_WITH_DES_CBC_SHA",
             0x001e, --p, K_KRB5,        B_DES,     N, tls12);
         add("TLS_KRB5_WITH_DES_CBC_MD5",
             0x0022, --p, K_KRB5,        B_DES,     N, tls12);
+        if (!PRESERVE_RC4) {
+            add("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
+                0x0026, --p, K_KRB5_EXPORT, B_DES_40,  N, tls11);
+            add("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
+                0x0029, --p, K_KRB5_EXPORT, B_DES_40,  N, tls11);
+        }
         add("TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
             0x0028, --p, K_KRB5_EXPORT, B_RC4_40,  N, tls11);
         add("TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
             0x002b, --p, K_KRB5_EXPORT, B_RC4_40,  N, tls11);
-        add("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
-            0x0026, --p, K_KRB5_EXPORT, B_DES_40,  N, tls11);
-        add("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
-            0x0029, --p, K_KRB5_EXPORT, B_DES_40,  N, tls11);
+        if (PRESERVE_RC4) {
+            add("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
+                0x0026, --p, K_KRB5_EXPORT, B_DES_40,  N, tls11);
+            add("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
+                0x0029, --p, K_KRB5_EXPORT, B_DES_40,  N, tls11);
+        }
 
         /*
          * Other values from the TLS Cipher Suite Registry, as of August 2010.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOldOrder.java	Tue Jul 15 16:50:52 2014 +0100
@@ -0,0 +1,236 @@
+/*
+ * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7174244 8043200 8050158
+ * @summary NPE in Krb5ProxyImpl.getServerKeys()
+ *
+ *     SunJSSE does not support dynamic system properties, no way to re-use
+ *     system properties in samevm/agentvm mode.
+ * @run main/othervm -Djdk.tls.preserveRC4CipherSuites=true CipherSuitesInOldOrder
+ */
+
+import java.util.*;
+import javax.net.ssl.*;
+
+public class CipherSuitesInOldOrder {
+
+    // supported ciphersuites
+    private final static List<String> supportedCipherSuites =
+            Arrays.<String>asList(
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+        "TLS_RSA_WITH_AES_256_CBC_SHA256",
+        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
+        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
+        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+        "TLS_RSA_WITH_AES_256_CBC_SHA",
+        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+        "TLS_RSA_WITH_AES_128_CBC_SHA",
+        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+        "SSL_RSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+        "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
+        "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
+        "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+        "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+        "SSL_RSA_WITH_RC4_128_MD5",
+
+        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
+
+        "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
+        "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
+        "TLS_DH_anon_WITH_AES_256_CBC_SHA",
+        "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+        "TLS_DH_anon_WITH_AES_128_CBC_SHA",
+        "TLS_ECDH_anon_WITH_RC4_128_SHA",
+        "SSL_DH_anon_WITH_RC4_128_MD5",
+        "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+        "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
+        "TLS_RSA_WITH_NULL_SHA256",
+        "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+        "TLS_ECDHE_RSA_WITH_NULL_SHA",
+        "SSL_RSA_WITH_NULL_SHA",
+        "TLS_ECDH_ECDSA_WITH_NULL_SHA",
+        "TLS_ECDH_RSA_WITH_NULL_SHA",
+        "TLS_ECDH_anon_WITH_NULL_SHA",
+        "SSL_RSA_WITH_NULL_MD5",
+        "SSL_RSA_WITH_DES_CBC_SHA",
+        "SSL_DHE_RSA_WITH_DES_CBC_SHA",
+        "SSL_DHE_DSS_WITH_DES_CBC_SHA",
+        "SSL_DH_anon_WITH_DES_CBC_SHA",
+        "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
+        "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
+        "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
+        "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
+        "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+        "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
+        "TLS_KRB5_WITH_RC4_128_SHA",
+        "TLS_KRB5_WITH_RC4_128_MD5",
+        "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
+        "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
+        "TLS_KRB5_WITH_DES_CBC_SHA",
+        "TLS_KRB5_WITH_DES_CBC_MD5",
+        "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
+        "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
+        "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
+        "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5"
+    );
+
+    private final static String[] protocols = {
+        "", "SSL", "TLS", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"
+    };
+
+
+    public static void main(String[] args) throws Exception {
+        // show all of the supported cipher suites
+        showSuites(supportedCipherSuites.toArray(new String[0]),
+                                "All supported cipher suites");
+
+        for (String protocol : protocols) {
+            System.out.println("//");
+            System.out.println("// " +
+                        "Testing for SSLContext of " + protocol);
+            System.out.println("//");
+            checkForProtocols(protocol);
+        }
+    }
+
+    public static void checkForProtocols(String protocol) throws Exception {
+        SSLContext context;
+        if (protocol.isEmpty()) {
+            context = SSLContext.getDefault();
+        } else {
+            context = SSLContext.getInstance(protocol);
+            context.init(null, null, null);
+        }
+
+        // check the order of default cipher suites of SSLContext
+        SSLParameters parameters = context.getDefaultSSLParameters();
+        checkSuites(parameters.getCipherSuites(),
+                "Default cipher suites in SSLContext");
+
+        // check the order of supported cipher suites of SSLContext
+        parameters = context.getSupportedSSLParameters();
+        checkSuites(parameters.getCipherSuites(),
+                "Supported cipher suites in SSLContext");
+
+
+        //
+        // Check the cipher suites order of SSLEngine
+        //
+        SSLEngine engine = context.createSSLEngine();
+
+        // check the order of endabled cipher suites
+        String[] ciphers = engine.getEnabledCipherSuites();
+        checkSuites(ciphers,
+                "Enabled cipher suites in SSLEngine");
+
+        // check the order of supported cipher suites
+        ciphers = engine.getSupportedCipherSuites();
+        checkSuites(ciphers,
+                "Supported cipher suites in SSLEngine");
+
+        //
+        // Check the cipher suites order of SSLSocket
+        //
+        SSLSocketFactory factory = context.getSocketFactory();
+        try (SSLSocket socket = (SSLSocket)factory.createSocket()) {
+
+            // check the order of endabled cipher suites
+            ciphers = socket.getEnabledCipherSuites();
+            checkSuites(ciphers,
+                "Enabled cipher suites in SSLSocket");
+
+            // check the order of supported cipher suites
+            ciphers = socket.getSupportedCipherSuites();
+            checkSuites(ciphers,
+                "Supported cipher suites in SSLSocket");
+        }
+
+        //
+        // Check the cipher suites order of SSLServerSocket
+        //
+        SSLServerSocketFactory serverFactory = context.getServerSocketFactory();
+        try (SSLServerSocket serverSocket =
+                (SSLServerSocket)serverFactory.createServerSocket()) {
+            // check the order of endabled cipher suites
+            ciphers = serverSocket.getEnabledCipherSuites();
+            checkSuites(ciphers,
+                "Enabled cipher suites in SSLServerSocket");
+
+            // check the order of supported cipher suites
+            ciphers = serverSocket.getSupportedCipherSuites();
+            checkSuites(ciphers,
+                "Supported cipher suites in SSLServerSocket");
+        }
+    }
+
+    private static void checkSuites(String[] suites, String title) {
+        showSuites(suites, title);
+
+        int loc = -1;
+        int index = 0;
+        for (String suite : suites) {
+            index = supportedCipherSuites.indexOf(suite);
+            if (index <= loc) {
+                throw new RuntimeException(suite + " is not in order");
+            }
+
+            loc = index;
+        }
+    }
+
+    private static void showSuites(String[] suites, String title) {
+        System.out.println(title + "[" + suites.length + "]:");
+        for (String suite : suites) {
+            System.out.println("  " + suite);
+        }
+    }
+}
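Review bot: `checkSuites` reports a suite that is missing from the expected list as an ordering failure. `indexOf` returns -1, which is always `<= loc`, so the message reads `X is not in order` even when the real problem is an unexpected suite being offered. A separate guard before the comparison makes that case distinguishable: `if (index < 0) { throw new RuntimeException(suite + " is not an expected cipher suite"); }`. The `@summary` line (`NPE in Krb5ProxyImpl.getServerKeys()`) also does not describe what this test checks; something like `@summary Verify cipher suite order when jdk.tls.preserveRC4CipherSuites is true` would.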
--- a/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOrder.java	Tue Jul 22 08:49:13 2014 -0700
+++ b/test/sun/security/ssl/sanity/ciphersuites/CipherSuitesInOrder.java	Tue Jul 15 16:50:52 2014 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 7174244
+ * @bug 7174244 8043200
  * @summary NPE in Krb5ProxyImpl.getServerKeys()
  *
  *     SunJSSE does not support dynamic system properties, no way to re-use
@@ -67,11 +67,6 @@
         "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
-        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
-        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-        "SSL_RSA_WITH_RC4_128_SHA",
-        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
-        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
         "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
         "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
         "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
@@ -79,6 +74,11 @@
         "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
         "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
         "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+        "SSL_RSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
         "SSL_RSA_WITH_RC4_128_MD5",
 
         "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
@@ -89,18 +89,10 @@
         "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
         "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
         "TLS_DH_anon_WITH_AES_128_CBC_SHA",
+        "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+        "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
         "TLS_ECDH_anon_WITH_RC4_128_SHA",
         "SSL_DH_anon_WITH_RC4_128_MD5",
-        "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
-        "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
-        "TLS_RSA_WITH_NULL_SHA256",
-        "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
-        "TLS_ECDHE_RSA_WITH_NULL_SHA",
-        "SSL_RSA_WITH_NULL_SHA",
-        "TLS_ECDH_ECDSA_WITH_NULL_SHA",
-        "TLS_ECDH_RSA_WITH_NULL_SHA",
-        "TLS_ECDH_anon_WITH_NULL_SHA",
-        "SSL_RSA_WITH_NULL_MD5",
         "SSL_RSA_WITH_DES_CBC_SHA",
         "SSL_DHE_RSA_WITH_DES_CBC_SHA",
         "SSL_DHE_DSS_WITH_DES_CBC_SHA",
@@ -111,16 +103,24 @@
         "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
         "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
         "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
+        "TLS_RSA_WITH_NULL_SHA256",
+        "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+        "TLS_ECDHE_RSA_WITH_NULL_SHA",
+        "SSL_RSA_WITH_NULL_SHA",
+        "TLS_ECDH_ECDSA_WITH_NULL_SHA",
+        "TLS_ECDH_RSA_WITH_NULL_SHA",
+        "TLS_ECDH_anon_WITH_NULL_SHA",
+        "SSL_RSA_WITH_NULL_MD5",
+        "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
+        "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
         "TLS_KRB5_WITH_RC4_128_SHA",
         "TLS_KRB5_WITH_RC4_128_MD5",
-        "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
-        "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
         "TLS_KRB5_WITH_DES_CBC_SHA",
         "TLS_KRB5_WITH_DES_CBC_MD5",
+        "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
+        "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
         "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
-        "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
-        "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
-        "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5"
+        "TLS_KRB5_EXPORT_WITH_RC4_40_MD5"
     );
 
     private final static String[] protocols = {