From Fedora Project Wiki

Description

CryptoPolicies Java: https://bugzilla.redhat.com/show_bug.cgi?id=1249083


How to test

We will test that Java respects the current system crypto policy.

  1. Initially you need:
    1. Java (including the devel package, to compile the test case):
      $ sudo dnf install java-1.8.0-openjdk-devel
    2. if you run only the icedtea-web tests, feel free to install only the JRE:
      $ sudo dnf install java-1.8.0-openjdk
    3. https://gitlab.com/nmav/fedora-crypto-policies
      git clone https://gitlab.com/nmav/fedora-crypto-policies
      cd fedora-crypto-policies/
      pushd ./tests/java/
      javac CipherList.java
  2. then check:
    cat /usr/lib/jvm/java-1.8.0-openjdk/jre/lib/security/java.security | grep security.useSystemPropertiesFile
    1. if it is false, then the system settings are not honored. If it is true, then the system settings are honored
    2. F26 must have it set to true by default
    3. feel free to change it to false, experiment with all the tests in this test case, and monitor the differences
    4. if something works with useSystemPropertiesFile=false but not with useSystemPropertiesFile=true, it should be reported
  3. then:
    sudo update-crypto-policies --set FUTURE
    java CipherList
  4. should give you a different (more strict) set than the following:
    sudo update-crypto-policies --set DEFAULT
    java CipherList
  5. Don't forget to experiment with the Java settings
    in /usr/lib/jvm/java-1.8.0-openjdk/jre/lib/security/java.security: useSystemPropertiesFile=true or useSystemPropertiesFile=false
  6. Secondly, you need:
    1. icedtea-web - an open implementation of javaws and the Java plugin for browsers
      $ sudo dnf install icedtea-web
    2. and some stable test browser
      $ sudo dnf install midori firefox epiphany
  7. Now feel free to run all the https tests in the following list:
  8. note: don't be alarmed, there are only about 10 https tests, and eluminate seems to be correctly broken
    1. http://icedtea.classpath.org/wiki/IcedTea-Web-Tests
    2. of course, feel free to test any javaws application/applet that is a favourite of yours
    3. for javaws follow: http://icedtea.classpath.org/wiki/IcedTea-Web-Tests#IcedTea-Web_webstart_.28javaws.29_test_applications
      $ javaws some_url
    4. for the plugin, be sure the plugin is recognized (e.g. close and restart firefox/midori/epiphany after the install). Check it in about:plugins and be aware that it requires click-and-play (yes, it is legacy technology)
    5. for plugin follow: http://icedtea.classpath.org/wiki/IcedTea-Web-Tests#IcedTea-Web_plugin_test_sites:
    6. WARNING: Firefox may have issues in F26 Wayland (the default); install Midori and test with it
      $ firefox some_url
      $ midori some_url
    7. Don't forget to experiment with the Java settings and the global settings
      in /usr/lib/jvm/java-1.8.0-openjdk/jre/lib/security/java.security: useSystemPropertiesFile=true or useSystemPropertiesFile=false
      and
      update-crypto-policies --set FUTURE/DEFAULT/WHATEVER
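
The checks in steps 2 to 4 can be scripted. The following is an added example, not part of the original test case: it reads the effective security.useSystemPropertiesFile value from a java.security file and compares two saved CipherList outputs. The function names, the one-suite-per-line output format and the sample data are assumptions.

```shell
#!/bin/sh
# Added helper, not part of the Fedora test case.

# Effective value of security.useSystemPropertiesFile in a java.security
# file. Comment lines (# or !) are skipped and the last assignment wins,
# as in a Java properties file. Only key=value syntax is handled.
use_system_props() {
    awk -F= '
        /^[ \t]*[#!]/ { next }
        { key = $1; gsub(/[ \t\r]/, "", key) }
        key == "security.useSystemPropertiesFile" {
            val = $2; gsub(/[ \t\r]/, "", val); found = 1
        }
        END { print (found ? val : "unset") }
    ' "$1"
}

# Compare two saved `java CipherList` outputs; one suite name per line
# is an assumption about that output. $1 = DEFAULT run, $2 = FUTURE run.
#   stricter   - FUTURE is a proper subset of DEFAULT (expected)
#   identical  - same set; the system policy is probably not honored
#   unexpected - FUTURE lists something DEFAULT does not
compare_policies() {
    d=$(mktemp); f=$(mktemp)
    sort -u "$1" > "$d"; sort -u "$2" > "$f"
    only_future=$(comm -13 "$d" "$f" | wc -l | tr -d ' ')
    only_default=$(comm -23 "$d" "$f" | wc -l | tr -d ' ')
    rm -f "$d" "$f"
    if [ "$only_future" -gt 0 ]; then echo unexpected
    elif [ "$only_default" -gt 0 ]; then echo stricter
    else echo identical
    fi
}

# Constructed sample data (not real policy output) so the script runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#security.useSystemPropertiesFile=false' \
    'security.useSystemPropertiesFile = true' > "$tmp/java.security"
printf '%s\n' TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
    TLS_RSA_WITH_AES_128_CBC_SHA > "$tmp/default.txt"
printf '%s\n' TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 > "$tmp/future.txt"

echo "useSystemPropertiesFile: $(use_system_props "$tmp/java.security")"
echo "FUTURE vs DEFAULT: $(compare_policies "$tmp/default.txt" "$tmp/future.txt")"
```

On a real system, redirect the output of java CipherList to a file after each update-crypto-policies --set call and pass the two files to compare_policies. An "identical" result with useSystemPropertiesFile=true is the case worth reporting.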

Expected Results

  1. HTTPS works fine
  2. the global policy is honored when enabled and is not honored when disabled