Bug 2029660

Summary: Support TLS 1.3 in FIPS mode [rhel-8, openjdk-11]
Product: Red Hat Enterprise Linux 8 Reporter: Andrew John Hughes <ahughes>
Component: java-11-openjdkAssignee: Francisco Ferrari Bihurriet <fferrari>
Status: ASSIGNED --- QA Contact: OpenJDK QA <java-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.4CC: asosedki, fferrari, jvanek
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2029653, 1991003, 2102430    
Bug Blocks:    

Description Andrew John Hughes 2021-12-07 01:53:22 UTC 
This bug was initially created as a copy of Bug #2020290

I am copying this bug because: 

Support needed in java-11-openjdk too.

When OpenJDK runs on a FIPS-configured system, TLS 1.3 (implemented in the SunJSSE security provider) is disabled both on the server and client sides (RH1860986). The reason is that the PKCS#11 key derivation mechanism for TLS 1.3 is not supported in the SunPKCS11 security provider; and the SunJSSE code for key derivation would require to import plain secret keys into an NSS Software Token (blocked by RH1991003).

The goal of this task is to implement a solution to re-enable TLS 1.3 on both server and client sides when OpenJDK runs in FIPS mode.