Bug 2029665

Summary: Support TLS 1.3 in FIPS mode [rhel-9, openjdk-17]
Product: Red Hat Enterprise Linux 9 Reporter: Andrew John Hughes <ahughes>
Component: java-17-openjdkAssignee: Martin Balao <mbalao>
Status: CLOSED ERRATA QA Contact: OpenJDK QA <java-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: fferrari, jandrlik, jvanek
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---Flags: ahughes: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: java-17-openjdk-17.0.4.1.1-3.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2123584 (view as bug list) Environment:
Last Closed: 2022-11-15 10:01:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1994682, 2029657, 2102433    
Bug Blocks: 2123584    

Description Andrew John Hughes 2021-12-07 01:59:21 UTC 
This bug was initially created as a copy of Bug #2020290

I am copying this bug because: 

RHEL 9 needs to be kept in sync.

When OpenJDK runs on a FIPS-configured system, TLS 1.3 (implemented in the SunJSSE security provider) is disabled both on the server and client sides (RH1860986). The reason is that the PKCS#11 key derivation mechanism for TLS 1.3 is not supported in the SunPKCS11 security provider; and the SunJSSE code for key derivation would require to import plain secret keys into an NSS Software Token (blocked by RH1991003).

The goal of this task is to implement a solution to re-enable TLS 1.3 on both server and client sides when OpenJDK runs in FIPS mode.
Comment 18 errata-xmlrpc 2022-11-15 10:01:35 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (java-17-openjdk bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6709