changeset 12401:00688a471304

8043202: Prohibit RC4 cipher suites Reviewed-by: xuelei
author asmotrak
date Wed, 15 Apr 2015 13:15:16 +0300
parents 3881746a7745
children 62e470dd1f94
files src/java.base/share/classes/sun/security/ssl/CipherSuite.java test/javax/net/ssl/SSLEngine/ConnectionTest.java test/javax/net/ssl/SSLEngine/LargeBufs.java test/javax/net/ssl/TLSv11/GenericStreamCipher.java test/javax/net/ssl/sanity/ciphersuites/CipherSuitesInOrder.java
diffstat 5 files changed, 31 insertions(+), 23 deletions(-) [+]
line wrap: on
line diff
--- a/src/java.base/share/classes/sun/security/ssl/CipherSuite.java	Wed Apr 15 11:16:25 2015 +0200
+++ b/src/java.base/share/classes/sun/security/ssl/CipherSuite.java	Wed Apr 15 13:15:16 2015 +0300
@@ -1008,7 +1008,7 @@
          * 1. Prefer Suite B compliant cipher suites, see RFC6460 (To be
          *    changed later, see below).
          * 2. Prefer the stronger bulk cipher, in the order of AES_256(GCM),
-         *    AES_128(GCM), AES_256, AES_128, 3DES-EDE, RC-4.
+         *    AES_128(GCM), AES_256, AES_128, 3DES-EDE.
          * 3. Prefer the stronger MAC algorithm, in the order of SHA384,
          *    SHA256, SHA, MD5.
          * 4. Prefer the better performance of key exchange and digital
@@ -1143,20 +1143,6 @@
         add("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",        0x0013, --p,
             K_DHE_DSS,     B_3DES,        M_SHA,    N);
 
-        // RC-4
-        add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",         0xC007, --p,
-            K_ECDHE_ECDSA, B_RC4_128,     M_SHA,    N);
-        add("TLS_ECDHE_RSA_WITH_RC4_128_SHA",           0xC011, --p,
-            K_ECDHE_RSA,   B_RC4_128,     M_SHA,    N);
-        add("SSL_RSA_WITH_RC4_128_SHA",                 0x0005, --p,
-            K_RSA,         B_RC4_128,     M_SHA,    N);
-        add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA",          0xC002, --p,
-            K_ECDH_ECDSA,  B_RC4_128,     M_SHA,    N);
-        add("TLS_ECDH_RSA_WITH_RC4_128_SHA",            0xC00C, --p,
-            K_ECDH_RSA,    B_RC4_128,     M_SHA,    N);
-        add("SSL_RSA_WITH_RC4_128_MD5",                 0x0004, --p,
-            K_RSA,         B_RC4_128,     M_MD5,    N);
-
         // Renegotiation protection request Signalling Cipher Suite Value (SCSV)
         add("TLS_EMPTY_RENEGOTIATION_INFO_SCSV",        0x00ff, --p,
             K_SCSV,        B_NULL,        M_NULL,   T);
@@ -1206,6 +1192,20 @@
         add("SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",        0x001b, --p,
             K_DH_ANON,     B_3DES,        M_SHA,    N);
 
+        // RC-4
+        add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",         0xC007, --p,
+            K_ECDHE_ECDSA, B_RC4_128,     M_SHA,    N);
+        add("TLS_ECDHE_RSA_WITH_RC4_128_SHA",           0xC011, --p,
+            K_ECDHE_RSA,   B_RC4_128,     M_SHA,    N);
+        add("SSL_RSA_WITH_RC4_128_SHA",                 0x0005, --p,
+            K_RSA,         B_RC4_128,     M_SHA,    N);
+        add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA",          0xC002, --p,
+            K_ECDH_ECDSA,  B_RC4_128,     M_SHA,    N);
+        add("TLS_ECDH_RSA_WITH_RC4_128_SHA",            0xC00C, --p,
+            K_ECDH_RSA,    B_RC4_128,     M_SHA,    N);
+        add("SSL_RSA_WITH_RC4_128_MD5",                 0x0004, --p,
+            K_RSA,         B_RC4_128,     M_MD5,    N);
+
         add("TLS_ECDH_anon_WITH_RC4_128_SHA",           0xC016, --p,
             K_ECDH_ANON,   B_RC4_128,     M_SHA,    N);
         add("SSL_DH_anon_WITH_RC4_128_MD5",             0x0018, --p,
--- a/test/javax/net/ssl/SSLEngine/ConnectionTest.java	Wed Apr 15 11:16:25 2015 +0200
+++ b/test/javax/net/ssl/SSLEngine/ConnectionTest.java	Wed Apr 15 13:15:16 2015 +0300
@@ -81,6 +81,9 @@
         ssle1.setEnabledCipherSuites(new String [] {
             "SSL_RSA_WITH_RC4_128_MD5"});
 
+        ssle2.setEnabledCipherSuites(new String [] {
+            "SSL_RSA_WITH_RC4_128_MD5"});
+
         createBuffers();
     }
 
--- a/test/javax/net/ssl/SSLEngine/LargeBufs.java	Wed Apr 15 11:16:25 2015 +0200
+++ b/test/javax/net/ssl/SSLEngine/LargeBufs.java	Wed Apr 15 13:15:16 2015 +0300
@@ -93,6 +93,7 @@
         createSSLEngines();
 
         System.out.println("Using " + cipher);
+        ssle1.setEnabledCipherSuites(new String [] { cipher });
         ssle2.setEnabledCipherSuites(new String [] { cipher });
 
         createBuffers();
--- a/test/javax/net/ssl/TLSv11/GenericStreamCipher.java	Wed Apr 15 11:16:25 2015 +0200
+++ b/test/javax/net/ssl/TLSv11/GenericStreamCipher.java	Wed Apr 15 13:15:16 2015 +0300
@@ -93,6 +93,10 @@
         SSLServerSocket sslServerSocket =
             (SSLServerSocket) sslssf.createServerSocket(serverPort);
 
+        // enable a stream cipher
+        sslServerSocket.setEnabledCipherSuites(
+            new String[] {"SSL_RSA_WITH_RC4_128_MD5"});
+
         serverPort = sslServerSocket.getLocalPort();
 
         /*
--- a/test/javax/net/ssl/sanity/ciphersuites/CipherSuitesInOrder.java	Wed Apr 15 11:16:25 2015 +0200
+++ b/test/javax/net/ssl/sanity/ciphersuites/CipherSuitesInOrder.java	Wed Apr 15 13:15:16 2015 +0300
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -94,13 +94,6 @@
         "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
         "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
 
-        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
-        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-        "SSL_RSA_WITH_RC4_128_SHA",
-        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
-        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
-        "SSL_RSA_WITH_RC4_128_MD5",
-
         "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
 
         "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
@@ -114,6 +107,13 @@
         "TLS_DH_anon_WITH_AES_128_CBC_SHA",
         "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
         "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
+
+        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+        "SSL_RSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+        "SSL_RSA_WITH_RC4_128_MD5",
         "TLS_ECDH_anon_WITH_RC4_128_SHA",
         "SSL_DH_anon_WITH_RC4_128_MD5",