Bug 1145490

Summary: FIPS 140-2 compliant mode doesn't work in JDK-8
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Josef Cacek <jcacek>
Component: Security
Assignee: eap-docs <eap-docs>
Status: CLOSED EOL
QA Contact: Pavel Slavicek <pslavice>
Severity: medium
Priority: unspecified
Version: 6.3.0
CC: anmiller, bdawidow, cdewolf, jdoyle, myarboro
Target Milestone: ---
Target Release: TBD EAP 6
Hardware: Unspecified
OS: Unspecified
Doc Type: Known Issue
Doc Text:
This release of JBoss EAP 6 carries the following JDK8 issue: When using an RSA client key exchange in SSL/TLS protocols, the SunJSSE provider cannot work in FIPS 140 compliant mode. This issue does not impact the default mode of SunJSSE. More information can be found at: http://www.oracle.com/technetwork/java/javase/8-known-issues-2157115.html
Last Closed: 2019-08-19 12:45:37 UTC
Type: Bug

Description Josef Cacek 2014-09-23 08:02:32 UTC
Oracle JDK8 has some issues which prevent using EAP 6.x in FIPS 140-2 compliant mode.
Look at the JDK known issues page for more details:
http://www.oracle.com/technetwork/java/javase/8-known-issues-2157115.html

Namely sections:
Area: Security Libs / javax.crypto / Solaris
Area: Security Libs / javax.net.ssl 

Workaround which worked for us:
- disable TLS 1.2 on both server and client side

Comment 1 Dominik Pospisil 2014-10-14 17:06:33 UTC
From JDK release notes:
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8036970

Synopsis
When using RSA client key exchange in SSL/TLS protocols, SunJSSE provider cannot work in FIPS 140 compliant mode. This issue does not impact the default mode of SunJSSE.

A straightforward workaround is to disable FIPS mode of SunJSSE provider. For more information, see FIPS 140 Compliant Mode for SunJSSE.

An alternative workaround is to disable the use of RSA key exchange in SSL/TLS protocols. This issue only happens to RSA key exchange based SSL/TLS cipher suites. To work around this issue, applications can use DHE/ECDHE cipher suites instead (for example, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, etc.). See JSSE Reference Guide for information about customizing SSL/TLS cipher suites.
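
The alternative workaround quoted in Comment 1, sketched with the standard JSSE API as an added example (not code from this bug report, from Oracle, or from JBoss EAP). The class and method names are hypothetical, and the filter assumes the usual JSSE naming, where suites that use RSA key exchange start with `TLS_RSA_` or `SSL_RSA_`:

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Hypothetical helper: removes RSA key exchange suites from the enabled set
// so that only suites such as DHE_RSA / ECDHE_RSA remain negotiable.
public class NoRsaKeyExchange {

    // In JSSE names the key exchange comes first: TLS_RSA_WITH_... uses RSA
    // key exchange, while TLS_DHE_RSA_... / TLS_ECDHE_RSA_... use RSA only
    // to authenticate the server.
    static boolean usesRsaKeyExchange(String suite) {
        return suite.startsWith("TLS_RSA_") || suite.startsWith("SSL_RSA_");
    }

    static String[] withoutRsaKeyExchange(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String suite : suites) {
            if (!usesRsaKeyExchange(suite)) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = ctx.getDefaultSSLParameters();

        String[] allowed = withoutRsaKeyExchange(params.getCipherSuites());
        if (allowed.length == 0) {
            // Fail closed rather than fall back to the full default list.
            throw new IllegalStateException("no cipher suites left after filtering");
        }
        params.setCipherSuites(allowed);

        // Apply with SSLSocket.setSSLParameters(params),
        // SSLServerSocket.setSSLParameters(params) or
        // SSLEngine.setSSLParameters(params) before the handshake.
        for (String suite : allowed) {
            System.out.println(suite);
        }
    }
}
```

The same filter has to be applied on every endpoint that runs SunJSSE in FIPS mode; a peer that offers only RSA key exchange suites will then fail the handshake instead of triggering the JDK issue.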

Comment 2 Dominik Pospisil 2014-10-14 17:18:21 UTC
My understanding of the issue is that it is a JDK bug with a known workaround and as such will need to fall into the known-issues category.

Comment 3 Boleslaw Dawidowicz 2014-10-20 15:18:59 UTC
Dominik, could you write a doc proposal for the known issue?

Comment 4 John Doyle 2014-10-28 13:21:44 UTC
Please document as a known issue for 6.4 release.