Bug 2020290

Summary: Support TLS 1.3 in FIPS mode [rhel-8, openjdk-17]
Product: Red Hat Enterprise Linux 8
Reporter: Martin Balao <mbalao>
Component: java-17-openjdk
Assignee: Martin Balao <mbalao>
Status: CLOSED ERRATA
QA Contact: OpenJDK QA <java-qa>
Severity: unspecified
Priority: unspecified
Version: 8.4
CC: ahughes, fferrari, jandrlik, jvanek, mmillson
Target Milestone: rc
Keywords: Triaged, ZStream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: java-17-openjdk-17.0.4.1.1-3.el8
Doc Type: If docs needed, set a value
Clones: 2123572, 2123573
Last Closed: 2022-11-08 09:30:31 UTC
Type: Bug
Bug Depends On: 1994661, 2007331, 2023467
Bug Blocks: 2123572, 2123573

Description Martin Balao 2021-11-04 14:26:19 UTC
When OpenJDK runs on a FIPS-configured system, TLS 1.3 (implemented in the SunJSSE security provider) is disabled on both the server and client sides (RH1860986). The reason is that the PKCS#11 key derivation mechanism for TLS 1.3 is not supported in the SunPKCS11 security provider, and the SunJSSE code for key derivation would require importing plain secret keys into an NSS Software Token (blocked by RH1991003).

The goal of this task is to implement a solution to re-enable TLS 1.3 on both server and client sides when OpenJDK runs in FIPS mode.
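As an added diagnostic example (not code from the bug report, from OpenJDK or from the RPM patches), the following Java program reports which TLS protocol versions the running JDK enables by default for client-mode and server-mode engines, whether "TLSv1.3" is among them, the value of the standard `jdk.tls.disabledAlgorithms` security property, and the installed providers. A deployment can run it under the FIPS configuration to confirm whether it sees the TLS 1.3 disablement described above and, after updating to the fixed package, that TLS 1.3 is back on both sides. The class name is an assumption of the example; the remark about a SunPKCS11 provider appearing in a FIPS configuration is also the example's own assumption.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/*
 * Added diagnostic (hypothetical class name, not part of OpenJDK or the
 * bug's patches). Reports whether TLSv1.3 is enabled in the default
 * SSLContext on the client and server sides and lists the installed
 * security providers, so a FIPS-mode deployment can check whether it is
 * affected by the behaviour described in the bug.
 */
public class Tls13AvailabilityCheck {

    /** Protocols enabled by default for a client-mode engine. */
    public static List<String> clientEnabledProtocols(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        return Arrays.asList(engine.getEnabledProtocols());
    }

    /** Protocols enabled by default for a server-mode engine. */
    public static List<String> serverEnabledProtocols(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        return Arrays.asList(engine.getEnabledProtocols());
    }

    /** True when TLS 1.3 is in the given enabled-protocol list. */
    public static boolean tls13Enabled(List<String> protocols) {
        return protocols.contains("TLSv1.3");
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Default SSLContext provider: " + ctx.getProvider().getName());
        System.out.println("Supported protocols: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));

        List<String> client = clientEnabledProtocols(ctx);
        List<String> server = serverEnabledProtocols(ctx);
        System.out.println("Client enabled protocols: " + client);
        System.out.println("Server enabled protocols: " + server);
        System.out.println("TLSv1.3 enabled -> client: " + tls13Enabled(client)
                + ", server: " + tls13Enabled(server));

        // Standard security property that SunJSSE consults when filtering
        // protocols and algorithms; useful to see whether TLSv1.3 is listed.
        System.out.println("jdk.tls.disabledAlgorithms: "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // Installed providers in priority order. Under a FIPS configuration a
        // SunPKCS11 provider is expected to appear here (example's assumption).
        for (Provider p : Security.getProviders()) {
            System.out.println("  provider: " + p.getName() + " " + p.getVersionStr());
        }
    }
}
```

Run it with the JDK under test (`java Tls13AvailabilityCheck.java` on JDK 11 and later). The client and server lists are read from separately configured engines because, as the description notes, the disablement applies to both sides and a fix must restore both.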

Comment 1 Martin Balao 2021-11-15 19:55:28 UTC
RH2023467 is a pre-requisite for this enhancement, in addition to RH1991003.

Comment 3 Martin Balao 2021-11-15 20:30:53 UTC
Note: Removing the RH1860986 patch does NOT have the same net effect as applying the RH2020290 patch on top of it. This is because the RH1860986 patch adds code (such as the 'SharedSecrets.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled()' API) upon which other RPM patches depend.

Comment 16 Mike Millson 2022-06-28 18:32:53 UTC
*** Bug 2084209 has been marked as a duplicate of this bug. ***

Comment 29 errata-xmlrpc 2022-11-08 09:30:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (java-17-openjdk bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6691