changeset 10425:1c0cc3bbe07d jdk8u31-b09

8061210: Issues in TLS Reviewed-by: jnimeh, mullan, wetmore, ahgross, asmotrak
author xuelei
date Fri, 24 Oct 2014 11:49:24 +0000
parents 9efc28342891
children dcbdcc28d799
files src/share/classes/sun/security/ssl/Handshaker.java src/share/classes/sun/security/ssl/ProtocolVersion.java src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java src/share/classes/sun/security/ssl/SSLContextImpl.java src/share/lib/security/java.security-aix src/share/lib/security/java.security-linux src/share/lib/security/java.security-macosx src/share/lib/security/java.security-solaris src/share/lib/security/java.security-windows test/sun/security/ec/TestEC.java test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java
diffstat 20 files changed, 278 insertions(+), 97 deletions(-) [+]
--- a/src/share/classes/sun/security/ssl/Handshaker.java	Fri May 23 19:43:14 2014 +0400
+++ b/src/share/classes/sun/security/ssl/Handshaker.java	Fri Oct 24 11:49:24 2014 +0000
@@ -500,7 +500,9 @@
 
         if (activeProtocols.collection().isEmpty() ||
                 activeProtocols.max.v == ProtocolVersion.NONE.v) {
-            throw new SSLHandshakeException("No appropriate protocol");
+            throw new SSLHandshakeException(
+                    "No appropriate protocol (protocol is disabled or " +
+                    "cipher suites are inappropriate)");
         }
 
         if (activeCipherSuites == null) {
@@ -678,6 +680,16 @@
         if (activeProtocols == null) {
             ArrayList<ProtocolVersion> protocols = new ArrayList<>(4);
             for (ProtocolVersion protocol : enabledProtocols.collection()) {
+                if (!algorithmConstraints.permits(
+                        EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                        protocol.name, null)) {
+                    if (debug != null && Debug.isOn("verbose")) {
+                        System.out.println(
+                            "Ignoring disabled protocol: " + protocol);
+                    }
+
+                    continue;
+                }
                 boolean found = false;
                 for (CipherSuite suite : enabledCipherSuites.collection()) {
                     if (suite.isAvailable() && suite.obsoleted > protocol.v &&
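Review bot: The new filter is not self-explanatory to a reader because a protocol version name is pushed through `permits` under `CryptoPrimitive.KEY_AGREEMENT`, a primitive that elsewhere in this file is used for cipher suites, and nothing says that this is how `jdk.tls.disabledAlgorithms` entries such as SSLv3 reach the handshake. A comment above the added `if` would carry that intent, for example `// Protocol versions are subject to the same constraint check as key-agreement algorithms: a disabled protocol name is dropped here regardless of what the application enabled.` The new block also silently leaves nothing behind when every enabled protocol is disabled, which then surfaces as the "No appropriate protocol" exception raised earlier in this method; naming that outcome in the comment would help whoever debugs it. The enclosing loop and method continue outside the hunk.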
--- a/src/share/classes/sun/security/ssl/ProtocolVersion.java	Fri May 23 19:43:14 2014 +0400
+++ b/src/share/classes/sun/security/ssl/ProtocolVersion.java	Fri Oct 24 11:49:24 2014 +0000
@@ -25,6 +25,9 @@
 
 package sun.security.ssl;
 
+import java.util.*;
+import java.security.CryptoPrimitive;
+
 /**
  * Type safe enum for an SSL/TLS protocol version. Instances are obtained
  * using the static factory methods or by referencing the static members
@@ -86,6 +89,11 @@
     // Default version for hello messages (SSLv2Hello)
     final static ProtocolVersion DEFAULT_HELLO = FIPS ? TLS10 : SSL30;
 
+    // Available protocols
+    //
+    // Including all supported protocols except the disabled ones.
+    final static Set<ProtocolVersion> availableProtocols;
+
     // version in 16 bit MSB format as it appears in records and
     // messages, i.e. 0x0301 for TLS 1.0
     public final int v;
@@ -96,6 +104,24 @@
     // name used in JSSE (e.g. TLSv1 for TLS 1.0)
     final String name;
 
+    // Initialize the available protocols.
+    static {
+        Set<ProtocolVersion> protocols = new HashSet<>(5);
+
+        ProtocolVersion[] pvs = new ProtocolVersion[] {
+                SSL20Hello, SSL30, TLS10, TLS11, TLS12};
+        for (ProtocolVersion p : pvs) {
+            if (SSLAlgorithmConstraints.DEFAULT_SSL_ONLY.permits(
+                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                    p.name, null)) {
+                protocols.add(p);
+            }
+        }
+
+        availableProtocols =
+                Collections.<ProtocolVersion>unmodifiableSet(protocols);
+    }
+
     // private
     private ProtocolVersion(int v, String name) {
         this.v = v;
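Review bot: The `pvs` array in the new static initializer is a hand-maintained copy of the version constants declared above it, so adding a new `ProtocolVersion` member without touching this block would leave it permanently out of `availableProtocols`. A comment on the array would make that coupling visible, for example `// Keep in sync with the static ProtocolVersion members above; a version missing here is never available.` The block also ties class initialization of `ProtocolVersion` to `SSLAlgorithmConstraints.DEFAULT_SSL_ONLY`; if the constraints class ever touched `ProtocolVersion` statics during its own initialization this would become a cycle, which is worth a short comment at the call site (presumably safe today, but not stated). The explicit type witness in `Collections.<ProtocolVersion>unmodifiableSet(protocols)` is redundant and `Collections.unmodifiableSet(protocols)` reads more cleanly.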
--- a/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java	Fri May 23 19:43:14 2014 +0400
+++ b/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java	Fri Oct 24 11:49:24 2014 +0000
@@ -55,6 +55,14 @@
 
     private boolean enabledX509DisabledAlgConstraints = true;
 
+    // the default algorithm constraints
+    final static AlgorithmConstraints DEFAULT =
+                        new SSLAlgorithmConstraints(null);
+
+    // the default SSL only algorithm constraints
+    final static AlgorithmConstraints DEFAULT_SSL_ONLY =
+                        new SSLAlgorithmConstraints((SSLSocket)null, false);
+
     SSLAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) {
         userAlgConstraints = algorithmConstraints;
     }
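Review bot: The two new constants are package-visible shared instances of a class that declares a non-final `enabledX509DisabledAlgConstraints` field just above them, so their safety depends on nothing mutating them after construction, and that contract is not written anywhere. A comment such as `// Shared, process-wide instances: treat as immutable and never mutate after construction.` above `DEFAULT` would record it. The name `DEFAULT_SSL_ONLY` and the bare `false` argument also do not tell a reader what is switched off (presumably the X509 disabled-algorithm constraints, given the field above, but that is inferred); spelling out the meaning of the boolean in the comment, or naming it via a local constant, would avoid the guess.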
--- a/src/share/classes/sun/security/ssl/SSLContextImpl.java	Fri May 23 19:43:14 2014 +0400
+++ b/src/share/classes/sun/security/ssl/SSLContextImpl.java	Fri Oct 24 11:49:24 2014 +0000
@@ -52,10 +52,6 @@
     private X509TrustManager trustManager;
     private SecureRandom secureRandom;
 
-    // The default algrithm constraints
-    private AlgorithmConstraints defaultAlgorithmConstraints =
-                                 new SSLAlgorithmConstraints(null);
-
     // supported and default protocols
     private ProtocolList defaultServerProtocolList;
     private ProtocolList defaultClientProtocolList;
@@ -350,7 +346,7 @@
                 if (suite.isAvailable() &&
                         suite.obsoleted > protocols.min.v &&
                         suite.supported <= protocols.max.v) {
-                    if (defaultAlgorithmConstraints.permits(
+                    if (SSLAlgorithmConstraints.DEFAULT.permits(
                             EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
                             suite.name, null)) {
                         suites.add(suite);
@@ -431,11 +427,16 @@
      */
     private abstract static class AbstractSSLContext extends SSLContextImpl {
         // parameters
-        private final static SSLParameters defaultServerSSLParams;
-        private final static SSLParameters supportedSSLParams;
+        private static final SSLParameters defaultServerSSLParams;
+        private static final SSLParameters supportedSSLParams;
 
         static {
+            // supported SSL parameters
             supportedSSLParams = new SSLParameters();
+
+            // candidates for available protocols
+            ProtocolVersion[] candidates;
+
             if (SunJSSE.isFIPS()) {
                 supportedSSLParams.setProtocols(new String[] {
                     ProtocolVersion.TLS10.name,
@@ -443,7 +444,11 @@
                     ProtocolVersion.TLS12.name
                 });
 
-                defaultServerSSLParams = supportedSSLParams;
+                candidates = new ProtocolVersion[] {
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS12
+                };
             } else {
                 supportedSSLParams.setProtocols(new String[] {
                     ProtocolVersion.SSL20Hello.name,
@@ -453,8 +458,18 @@
                     ProtocolVersion.TLS12.name
                 });
 
-                defaultServerSSLParams = supportedSSLParams;
+                candidates = new ProtocolVersion[] {
+                    ProtocolVersion.SSL20Hello,
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS12
+                };
             }
+
+            defaultServerSSLParams = new SSLParameters();
+            defaultServerSSLParams.setProtocols(
+                getAvailableProtocols(candidates).toArray(new String[0]));
         }
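Review bot: After this change `supportedSSLParams` and `defaultServerSSLParams` deliberately diverge, with the supported list still advertising every implemented version while the default list drops disabled ones, but the only comment on the supported block is `// supported SSL parameters`, which does not say that it may list protocols that can no longer be negotiated. Consider `// "supported" means implemented by this provider; it intentionally includes versions disabled by jdk.tls.disabledAlgorithms, which only the default lists below filter out.` This matters to anyone reading `getSupportedSSLParams()` as a negotiability promise. The static block starts in the previous hunk, outside this one.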
 
         @Override
@@ -466,6 +481,22 @@
         SSLParameters getSupportedSSLParams() {
             return supportedSSLParams;
         }
+
+        static List<String> getAvailableProtocols(
+                ProtocolVersion[] protocolCandidates) {
+
+            List<String> availableProtocols = Collections.<String>emptyList();
+            if (protocolCandidates !=  null && protocolCandidates.length != 0) {
+                availableProtocols = new ArrayList<>(protocolCandidates.length);
+                for (ProtocolVersion p : protocolCandidates) {
+                    if (ProtocolVersion.availableProtocols.contains(p)) {
+                        availableProtocols.add(p.name);
+                    }
+                }
+            }
+
+            return availableProtocols;
+        }
     }
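Review bot: `getAvailableProtocols` has no documentation, and its most important property is the one callers may not expect: when every candidate is in the disabled set it returns an empty list, the caller installs an empty protocol array, and the failure only appears later as the Handshaker's "No appropriate protocol" exception rather than at context creation. A short Javadoc stating that contract would help, for example `/** Returns the JSSE names of the candidates that are not disabled, in candidate order; empty if all are disabled. */`. The `Collections.<String>emptyList()` special case adds nothing since `new ArrayList<>()` also serves the empty case, and the double space in `protocolCandidates !=  null` looks accidental.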
 
     /*
@@ -474,21 +505,25 @@
      * @see SSLContext
      */
     public static final class TLS10Context extends AbstractSSLContext {
-        private final static SSLParameters defaultClientSSLParams;
+        private static final SSLParameters defaultClientSSLParams;
 
         static {
+            // candidates for available protocols
+            ProtocolVersion[] candidates;
+            if (SunJSSE.isFIPS()) {
+                candidates = new ProtocolVersion[] {
+                    ProtocolVersion.TLS10
+                };
+            } else {
+                candidates = new ProtocolVersion[] {
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.TLS10
+                };
+            }
+
             defaultClientSSLParams = new SSLParameters();
-            if (SunJSSE.isFIPS()) {
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.TLS10.name
-                });
-
-            } else {
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.SSL30.name,
-                    ProtocolVersion.TLS10.name
-                });
-            }
+            defaultClientSSLParams.setProtocols(
+                getAvailableProtocols(candidates).toArray(new String[0]));
         }
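Review bot: The static initializers of `TLS10Context`, `TLS11Context`, `TLS12Context` and the default branch of `CustomizedSSLContext` now contain four near-identical FIPS/non-FIPS candidate arrays that differ only in their highest version, so the pattern is copied rather than shared. A single helper on `AbstractSSLContext` taking the maximum `ProtocolVersion` and returning the candidate array would remove the repetition and make the FIPS rule (drop SSLv3) live in one place; that is a structural change, so it may be preferable as a follow-up. At minimum a comment on the first copy, `// Same shape as TLS11Context/TLS12Context: FIPS drops SSLv3, then disabled versions are filtered by getAvailableProtocols.`, would tell a reader the duplication is intentional. This note applies to the TLS11Context and TLS12Context hunks as well.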
 
         @Override
@@ -503,23 +538,27 @@
      * @see SSLContext
      */
     public static final class TLS11Context extends AbstractSSLContext {
-        private final static SSLParameters defaultClientSSLParams;
+        private static final SSLParameters defaultClientSSLParams;
 
         static {
+            // candidates for available protocols
+            ProtocolVersion[] candidates;
+            if (SunJSSE.isFIPS()) {
+                candidates = new ProtocolVersion[] {
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11
+                };
+            } else {
+                candidates = new ProtocolVersion[] {
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11
+                };
+            }
+
             defaultClientSSLParams = new SSLParameters();
-            if (SunJSSE.isFIPS()) {
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.TLS10.name,
-                    ProtocolVersion.TLS11.name
-                });
-
-            } else {
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.SSL30.name,
-                    ProtocolVersion.TLS10.name,
-                    ProtocolVersion.TLS11.name
-                });
-            }
+            defaultClientSSLParams.setProtocols(
+                getAvailableProtocols(candidates).toArray(new String[0]));
         }
 
         @Override
@@ -534,25 +573,29 @@
      * @see SSLContext
      */
     public static final class TLS12Context extends AbstractSSLContext {
-        private final static SSLParameters defaultClientSSLParams;
+        private static final SSLParameters defaultClientSSLParams;
 
         static {
+            // candidates for available protocols
+            ProtocolVersion[] candidates;
+            if (SunJSSE.isFIPS()) {
+                candidates = new ProtocolVersion[] {
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS12
+                };
+            } else {
+                candidates = new ProtocolVersion[] {
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS12
+                };
+            }
+
             defaultClientSSLParams = new SSLParameters();
-            if (SunJSSE.isFIPS()) {
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.TLS10.name,
-                    ProtocolVersion.TLS11.name,
-                    ProtocolVersion.TLS12.name
-                });
-
-            } else {
-                defaultClientSSLParams.setProtocols(new String[] {
-                    ProtocolVersion.SSL30.name,
-                    ProtocolVersion.TLS10.name,
-                    ProtocolVersion.TLS11.name,
-                    ProtocolVersion.TLS12.name
-                });
-            }
+            defaultClientSSLParams.setProtocols(
+                getAvailableProtocols(candidates).toArray(new String[0]));
         }
 
         @Override
@@ -567,8 +610,8 @@
      * @see SSLContext
      */
     private static class CustomizedSSLContext extends AbstractSSLContext {
-        private final static String PROPERTY_NAME = "jdk.tls.client.protocols";
-        private final static SSLParameters defaultClientSSLParams;
+        private static final String PROPERTY_NAME = "jdk.tls.client.protocols";
+        private static final SSLParameters defaultClientSSLParams;
         private static IllegalArgumentException reservedException = null;
 
         // Don't want a java.lang.LinkageError for illegal system property.
@@ -578,60 +621,74 @@
         // the provider service. Instead, let's handle the initialization
         // exception in constructor.
         static {
+            // candidates for available protocols
+            ProtocolVersion[] candidates;
+
             String property = AccessController.doPrivileged(
                     new GetPropertyAction(PROPERTY_NAME));
-            defaultClientSSLParams = new SSLParameters();
             if (property == null || property.length() == 0) {
                 // the default enabled client TLS protocols
                 if (SunJSSE.isFIPS()) {
-                    defaultClientSSLParams.setProtocols(new String[] {
-                        ProtocolVersion.TLS10.name,
-                        ProtocolVersion.TLS11.name,
-                        ProtocolVersion.TLS12.name
-                    });
-
+                    candidates = new ProtocolVersion[] {
+                        ProtocolVersion.TLS10,
+                        ProtocolVersion.TLS11,
+                        ProtocolVersion.TLS12
+                    };
                 } else {
-                    defaultClientSSLParams.setProtocols(new String[] {
-                        ProtocolVersion.SSL30.name,
-                        ProtocolVersion.TLS10.name,
-                        ProtocolVersion.TLS11.name,
-                        ProtocolVersion.TLS12.name
-                    });
+                    candidates = new ProtocolVersion[] {
+                        ProtocolVersion.SSL30,
+                        ProtocolVersion.TLS10,
+                        ProtocolVersion.TLS11,
+                        ProtocolVersion.TLS12
+                    };
                 }
             } else {
                 // remove double quote marks from beginning/end of the property
-                if (property.charAt(0) == '"' &&
+                if (property.length() > 1 && property.charAt(0) == '"' &&
                         property.charAt(property.length() - 1) == '"') {
                     property = property.substring(1, property.length() - 1);
                 }
 
-                String[] protocols = property.split(",");
+                String[] protocols = null;
+                if (property != null && property.length() != 0) {
+                    protocols = property.split(",");
+                } else {
+                    reservedException = new IllegalArgumentException(
+                        "No protocol specified in " +
+                        PROPERTY_NAME + " system property");
+                    protocols = new String[0];
+                }
+
+                candidates = new ProtocolVersion[protocols.length];
                 for (int i = 0; i < protocols.length; i++) {
                     protocols[i] = protocols[i].trim();
                     // Is it a supported protocol name?
                     try {
-                        ProtocolVersion.valueOf(protocols[i]);
+                        candidates[i] = ProtocolVersion.valueOf(protocols[i]);
                     } catch (IllegalArgumentException iae) {
                         reservedException = new IllegalArgumentException(
-                                PROPERTY_NAME + ": " + protocols[i] +
-                                " is not a standard SSL protocol name", iae);
+                            PROPERTY_NAME + ": " + protocols[i] +
+                            " is not a standard SSL/TLS protocol name", iae);
+                        break;
                     }
                 }
 
                 if ((reservedException == null) && SunJSSE.isFIPS()) {
-                    for (String protocol : protocols) {
-                        if (ProtocolVersion.SSL20Hello.name.equals(protocol) ||
-                                ProtocolVersion.SSL30.name.equals(protocol)) {
+                    for (ProtocolVersion protocolVersion : candidates) {
+                        if (ProtocolVersion.SSL20Hello.v == protocolVersion.v ||
+                                ProtocolVersion.SSL30.v == protocolVersion.v) {
                             reservedException = new IllegalArgumentException(
-                                    PROPERTY_NAME + ": " + protocol +
+                                    PROPERTY_NAME + ": " + protocolVersion +
                                     " is not FIPS compliant");
                         }
                     }
                 }
+            }
 
-                if (reservedException == null) {
-                    defaultClientSSLParams.setProtocols(protocols);
-               }
+            defaultClientSSLParams = new SSLParameters();
+            if (reservedException == null) {
+                defaultClientSSLParams.setProtocols(
+                    getAvailableProtocols(candidates).toArray(new String[0]));
             }
         }
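Review bot: The check `if (property != null && property.length() != 0)` sits inside the `else` branch of `if (property == null || property.length() == 0)`, so `property` cannot be null there; only the emptiness test after quote stripping is meaningful, and `if (property.length() != 0) {` says so without the misleading null guard. Separately, an explicitly configured `jdk.tls.client.protocols` whose every entry is disabled by `jdk.tls.disabledAlgorithms` does not set `reservedException`; it silently yields an empty protocol list that only fails at handshake time, while an unknown name or a FIPS violation fails eagerly. If that asymmetry is intended, a comment next to the final `setProtocols` call, `// All-disabled configurations are not rejected here; they surface as a handshake failure.`, would prevent it being read as an oversight.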
 
--- a/src/share/lib/security/java.security-aix	Fri May 23 19:43:14 2014 +0400
+++ b/src/share/lib/security/java.security-aix	Fri Oct 24 11:49:24 2014 +0000
@@ -479,8 +479,12 @@
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS.  This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -495,4 +499,5 @@
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
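Review bot: The expanded description says protocol version negotiation now honours this list, but it never says how a protocol entry is written, and the accompanying code matches entries against the JSSE protocol name rather than any algorithm identifier. A line such as `# Protocol versions are disabled by their JSSE name (for example SSLv3, TLSv1).` next to the new default would make the SSLv3 entry reproducible for other versions. The same wording is duplicated in the linux, macosx, solaris and windows variants of this file, which should carry the identical addition.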
--- a/src/share/lib/security/java.security-linux	Fri May 23 19:43:14 2014 +0400
+++ b/src/share/lib/security/java.security-linux	Fri Oct 24 11:49:24 2014 +0000
@@ -479,8 +479,12 @@
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS.  This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -495,4 +499,5 @@
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
--- a/src/share/lib/security/java.security-macosx	Fri May 23 19:43:14 2014 +0400
+++ b/src/share/lib/security/java.security-macosx	Fri Oct 24 11:49:24 2014 +0000
@@ -482,8 +482,12 @@
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS.  This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -498,4 +502,5 @@
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
--- a/src/share/lib/security/java.security-solaris	Fri May 23 19:43:14 2014 +0400
+++ b/src/share/lib/security/java.security-solaris	Fri Oct 24 11:49:24 2014 +0000
@@ -481,8 +481,12 @@
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS.  This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -497,4 +501,5 @@
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
--- a/src/share/lib/security/java.security-windows	Fri May 23 19:43:14 2014 +0400
+++ b/src/share/lib/security/java.security-windows	Fri Oct 24 11:49:24 2014 +0000
@@ -482,8 +482,12 @@
 #
 # In some environments, certain algorithms or key lengths may be undesirable
 # when using SSL/TLS.  This section describes the mechanism for disabling
-# algorithms during SSL/TLS security parameters negotiation, including cipher
-# suites selection, peer authentication and key exchange mechanisms.
+# algorithms during SSL/TLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, peer authentication
+# and key exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
 #
 # For PKI-based peer authentication and key exchange mechanisms, this list
 # of disabled algorithms will also be checked during certification path
@@ -498,4 +502,5 @@
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
-#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
+#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3
--- a/test/sun/security/ec/TestEC.java	Fri May 23 19:43:14 2014 +0400
+++ b/test/sun/security/ec/TestEC.java	Fri Oct 24 11:49:24 2014 +0000
@@ -68,6 +68,10 @@
     }
 
     public static void main0(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         Provider p = Security.getProvider("SunEC");
 
         if (p == null) {
--- a/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java	Fri May 23 19:43:14 2014 +0400
+++ b/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java	Fri Oct 24 11:49:24 2014 +0000
@@ -43,6 +43,10 @@
     private static String[] cmdArgs;
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         cmdArgs = args;
         main(new ClientJSSEServerJSSE());
     }
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java	Fri May 23 19:43:14 2014 +0400
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ProtocolVersion/HttpsProtocols.java	Fri Oct 24 11:49:24 2014 +0000
@@ -32,6 +32,7 @@
 import java.io.*;
 import java.net.*;
 import javax.net.ssl.*;
+import java.security.Security;
 
 public class HttpsProtocols implements HostnameVerifier {
 
@@ -177,6 +178,10 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         String keyFilename =
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + keyStoreFile;
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java	Fri May 23 19:43:14 2014 +0400
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/CustomizedDefaultProtocols.java	Fri Oct 24 11:49:24 2014 +0000
@@ -35,6 +35,7 @@
 import javax.net.*;
 import javax.net.ssl.*;
 import java.util.Arrays;
+import java.security.Security;
 
 public class CustomizedDefaultProtocols {
     static enum ContextVersion {
@@ -93,6 +94,10 @@
     }
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         boolean failed = false;
         for (ContextVersion cv : ContextVersion.values()) {
             System.out.println("Checking SSLContext of " + cv.contextVersion);
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java	Fri May 23 19:43:14 2014 +0400
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/DefaultEnabledProtocols.java	Fri Oct 24 11:49:24 2014 +0000
@@ -34,6 +34,7 @@
 import javax.net.*;
 import javax.net.ssl.*;
 import java.util.Arrays;
+import java.security.Security;
 
 public class DefaultEnabledProtocols {
     static enum ContextVersion {
@@ -92,6 +93,10 @@
     }
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         boolean failed = false;
         for (ContextVersion cv : ContextVersion.values()) {
             System.out.println("Checking SSLContext of " + cv.contextVersion);
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java	Fri May 23 19:43:14 2014 +0400
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NoOldVersionContext.java	Fri Oct 24 11:49:24 2014 +0000
@@ -35,6 +35,7 @@
 import javax.net.*;
 import javax.net.ssl.*;
 import java.util.Arrays;
+import java.security.Security;
 
 public class NoOldVersionContext {
     static enum ContextVersion {
@@ -93,6 +94,10 @@
     }
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         boolean failed = false;
         for (ContextVersion cv : ContextVersion.values()) {
             System.out.println("Checking SSLContext of " + cv.contextVersion);
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java	Fri May 23 19:43:14 2014 +0400
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/DelegatedTaskWrongException.java	Fri Oct 24 11:49:24 2014 +0000
@@ -115,6 +115,9 @@
     }
 
     public static void main(String args[]) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
 
         DelegatedTaskWrongException test;
 
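Review bot: This test gains a `Security.setProperty(...)` call without a corresponding `import java.security.Security;`, whereas the HttpsProtocols, CustomizedDefaultProtocols, DefaultEnabledProtocols, NoOldVersionContext, SSLEngineExplorer, SSLSocketExplorer and interop ClientJSSEServerJSSE hunks each add that import alongside the same call. Unless this file already imports `java.security.Security` or `java.security.*` above the visible hunk, it will not compile; the pkcs11 ClientJSSEServerJSSE hunk has the same gap, though it may inherit the import from its test base. Worth confirming against the full files before merge.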
--- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java	Fri May 23 19:43:14 2014 +0400
+++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/testEnabledProtocols.java	Fri Oct 24 11:49:24 2014 +0000
@@ -21,6 +21,11 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /*
  * @test
  * @bug 4416068 4478803 4479736
@@ -31,9 +36,6 @@
  *          4701722 protocol mismatch exceptions should be consistent between
  *                  SSLv3 and TLSv1
  * @run main/othervm testEnabledProtocols
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
  * @author Ram Marti
  */
 
@@ -120,6 +122,10 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         String keyFilename =
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + keyStoreFile;
--- a/test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java	Fri May 23 19:43:14 2014 +0400
+++ b/test/sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorer.java	Fri Oct 24 11:49:24 2014 +0000
@@ -44,6 +44,7 @@
 import java.net.*;
 import java.util.*;
 import java.nio.channels.*;
+import java.security.Security;
 
 public class SSLEngineExplorer extends SSLEngineService {
 
@@ -231,6 +232,10 @@
     volatile int serverPort = 0;
 
     public static void main(String args[]) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         if (debug)
             System.setProperty("javax.net.debug", "all");
 
--- a/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java	Fri May 23 19:43:14 2014 +0400
+++ b/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketExplorer.java	Fri Oct 24 11:49:24 2014 +0000
@@ -45,6 +45,7 @@
 import java.util.*;
 import java.net.*;
 import javax.net.ssl.*;
+import java.security.Security;
 
 public class SSLSocketExplorer {
 
@@ -224,6 +225,10 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         String keyFilename =
             System.getProperty("test.src", ".") + "/" + pathToStores +
                 "/" + keyStoreFile;
--- a/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java	Fri May 23 19:43:14 2014 +0400
+++ b/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java	Fri Oct 24 11:49:24 2014 +0000
@@ -29,9 +29,15 @@
  * @run main/othervm/timeout=300 ClientJSSEServerJSSE
  */
 
+import java.security.Security;
+
 public class ClientJSSEServerJSSE {
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         CipherTest.main(new JSSEFactory(), args);
     }