[8u] RFR 8202343: Disable TLS 1.0 and 1.1

Martin Balao mbalao at redhat.com
Thu Jan 21 14:15:29 UTC 2021 

Hi,

I'd like to propose an 8u backport of JDK-8202343 [1].

Webrev.00:

 *
http://cr.openjdk.java.net/~mbalao/webrevs/8202343/8202343.webrev.8u.jdk.00/

The 11u patch does not apply cleanly because of the following conflicts:

 * src/share/conf/security/java.security
  * In 8u, there is one java.security file per supported operating
system. Manually added 'TLSv1' and 'TLSv1.1' to the
'jdk.tls.disabledAlgorithms' property for each file.

 * test/javax/net/ssl/TLS/TLSClientPropertyTest.java
  * 8u has JDK-8251478 which introduced a change to this test consistent
with the decision of having TLSv1.2 as the default choice for the TLS
client. This conflict affects the context only; so I manually added the
change.
  * It's important to notice that HUNK #3 succeeded when applying the
patch but the change was not correct and should have been a conflict.
Removed "TLSv1" and "TLSv1.1" in the 'NoProperty' case.

 * test/javax/net/ssl/TLSCommon/interop/JdkProcClient.java
  * 8u does not have JDK-8243029 which introduces this test file.
JDK-8243029 is a massive patch which does not apply cleanly. If
JDK-8243029 is backported to 8u, tests using this class will fail until
the change in JDK-8202343 (re-enabling TLSv1 and TLSv1.1) is applied.
Because of the previous, and the fact that JDK-8243029 is not
fundamental to JDK-8202343, I propose to skip the changes on this file
at this time.

 * test/javax/net/ssl/TLSv11/GenericBlockCipher.java
  * 8u does not have JDK-8166032, which changes the copyright date to
2016 and adds the '@modules' jtreg tag. JDK-8166032 does not apply to
8u, so I manually update the copyright date and the '@library /test/lib'
line. See more on '@library /test/lib' below.

 * test/javax/net/ssl/sanity/ciphersuites/SystemPropCipherSuitesOrder.java
  * 8u does not have JDK-8234728 which introduces this test file. This
case is similar to the JdkProcClient.java one, so I propose the same
action now.

 * test/javax/net/ssl/sanity/ciphersuites/TLSCipherSuitesOrder.java
  * 8u does not have JDK-8234728 which introduces this test file. This
case is similar to the JdkProcClient.java one, so I propose the same
action now.

 * test/sun/security/ssl/CipherSuite/DisabledCurve.java
  * 8u does not have JDK-8246330 which introduces this test file.
JDK-8246330 is not as large as JDK-8243029, but it does not apply
cleanly and is not fundamental to JDK-8202343; so I propose the same
action now.

 * test/sun/security/ssl/CipherSuite/NamedGroupsWithCipherSuite.java
  * 8u does not have JDK-8224650 which introduces this test file.
JDK-8224650 does not apply to 8u, unless the JDK-8171279 enhancement is
backported first. This is not fundamental to JDK-8202343 so I propose
this not to be a dependency.

 * test/sun/security/ssl/ClientHandshaker/LengthCheckTest.java
  * 8u has JDK-8251478 which removes the '@modules' jtreg tag. The
conflict is because of the context. Manually added the new '@library'
jtreg tag. See more on '@library' below.

 * test/sun/security/ssl/HandshakeHash/HandshakeHashCloneExhaustion.java
  * 8u does not have JDK-8234728 which changes the copyright date to
2019. Manually adjusted the copyright date.

 * test/sun/security/util/HostnameMatcher/NullHostnameCheck.java
  * JDK-8228967 is not in 8u so there is a context conflict while adding
the import. JDK-8228967 also causes a context conflict when adding the
line that re-enables TLS 1.0 and 1.1. However, these changes are not
needed in 8u as the test works for TLS 1.2 only (so there is no need to
re-enable TLS 1.0 and 1.1). If JDK-8228967 is ever backported to 8u,
this test will fail until TLS 1.0 and 1.1 are enabled.

 * test/lib/security/SecurityUtils.java
  * For an unknown reason, the 8u backport of 8207258 has copyright date
2019 (instead of 2018, as the original file). This has been this way
from the first proposed 8u backport webrev
(http://cr.openjdk.java.net/~phh/8207258/webrev.8u.00/raw_files/new/test/lib/security/SecurityUtils.java).
I've manually update the copyright date to go between 2018 and 2020, so
we hopefully avoid a future conflict here.

In addition to static file-patching conflicts, I had to make changes for
this patch to run in 8u:

 * test/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.java
  * '@library /test/lib' replaced with '@library /lib/security'
  * 'import jdk.test.lib.security.SecurityUtils;' removed
  * OutputAnalyzer and ProcessTools imports changed to 8u's locations
  * Added /lib to @library for OutputAnalyzer and ProcessTools imports

 * test/lib/security/SecurityUtils.java
  * 'List.<String>of' is not available in 8u. Found a replacement.

 * test/sun/security/ssl/HandshakeHash/HandshakeHashCloneExhaustion.java
 * test/sun/security/ssl/SSLContextImpl/IllegalProtocolProperty.java
 * test/sun/security/ssl/SSLContextImpl/SSLContextVersion.java
 * test/sun/security/ssl/SSLEngineImpl/EmptyExtensionData.java
 * test/sun/security/ssl/SSLEngineImpl/SSLEngineBadBufferArrayAccess.java
 * test/sun/security/ssl/ClientHandshaker/LengthCheckTest.java
 * test/javax/net/ssl/TLSv11/GenericBlockCipher.java
 * test/javax/net/ssl/SSLEngine/Arrays.java
  * '@library /test/lib' replaced with '@library /lib/security'
  * 'import jdk.test.lib.security.SecurityUtils;' removed

 * sun/security/ssl/SSLContextImpl/SSLContextDefault.java
  * 'List.<String>of' is not available in 8u. Found replacements.

No regressions found in sun/security/ssl and javax/net/ssl. Also tested
that NullHostnameCheck.java test passes.

Thanks,
Martin.-

--
[1] - https://bugs.openjdk.java.net/browse/JDK-8202343

More information about the jdk8u-dev mailing list