Security Manager disables ECDH/ECDHE cipher suites

[knn-k]

Enabling Security Manager with a custom policy file disables ECDH/ECDHE cipher suites with OpenJ9 v0.40 Java 11.0.20.1.
It did not happen with OpenJ9 v0.38 Java 11.0.19.

[ Steps to reproduce ]

1. Comment out the "os.name" line in the default java.policy file in jdk-11.0.20.1+1/conf/security.

    // permission java.util.PropertyPermission "os.name", "read";

2. Run the following program with and without the option -Djava.security.manager. It lists the supported cipher suites.

import javax.net.ssl.*;

public class PrintCipherSuites {
	public static void main(String[] args) {
		SSLSocketFactory ssf = (SSLSocketFactory)SSLSocketFactory.getDefault();
		String[] scs = ssf.getSupportedCipherSuites();

		System.out.println("-- Supported cipher suites --");
		for (String cipher : scs) {
			System.out.println(cipher);
		}
	}
}

[ Result ]

• java PrintCipherSuites prints 49 cipher suites
• java -Djava.security.manager PrintCipherSuites prints only 23 cipher suites
• The difference between the two is TLS_ECDH_ and TLS_ECDHE_ cipher suites.

It was introduced by ibmruntimes/openj9-openjdk-jdk11#650, which calls System.getProperty("os.name").

[keithc-ca]

The system property os.name is supposed to be readable by all code, but I noticed some tests apply a security policy that disallows that. I'll fix this via appropriate use of doPrivileged().

[keithc-ca]

Fixed via:

• jdknext - Assert privilege accessing os.name ibmruntimes/openj9-openjdk-jdk#656
• jdk21 - Assert privilege accessing os.name ibmruntimes/openj9-openjdk-jdk21#36
• jdk17 - Assert privilege accessing os.name ibmruntimes/openj9-openjdk-jdk17#251
• jdk11 - Assert privilege accessing os.name ibmruntimes/openj9-openjdk-jdk11#698

[knn-k]

@keithc-ca Thank you.
I would like the fix to be in the v0.41 branch, too.

[pshipton]

I would like the fix to be in the v0.41 branch, too.

I'll take care of that.