When OpenJDK runs on a FIPS-configured system, TLS 1.3 (implemented in the SunJSSE security provider) is disabled both on the server and client sides (RH1860986). The reason is that the PKCS#11 key derivation mechanism for TLS 1.3 is not supported in the SunPKCS11 security provider; and the SunJSSE code for key derivation would require to import plain secret keys into an NSS Software Token (blocked by RH1991003).
The goal of this task is to implement a solution to re-enable TLS 1.3 on both server and client sides when OpenJDK runs in FIPS mode.
Note: Removing the RH1860986 patch does NOT have the same net effect than applying RH2020290 patch on top of it. This is because the RH1860986 patch adds code (such as the 'SharedSecrets.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled()' API) upon which other RPM patches depend-on.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (java-17-openjdk bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:6691