Bug 2029660 - Support TLS 1.3 in FIPS mode [rhel-8, openjdk-11]
Summary: Support TLS 1.3 in FIPS mode [rhel-8, openjdk-11]
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: java-11-openjdk
Version: 8.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Francisco Ferrari Bihurriet
QA Contact: OpenJDK QA
URL:
Whiteboard:
Depends On: 2029653 1991003 2102430
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-12-07 01:53 UTC by Andrew John Hughes
Modified: 2023-08-01 14:51 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github rh-openjdk jdk11u pull 7 0 None open RH2020290: Support TLS 1.3 in FIPS mode 2022-10-28 18:59:52 UTC
Red Hat Issue Tracker RHELPLAN-104927 0 None None None 2021-12-07 01:54:15 UTC
openjdk bug system JDK-8278640 0 None None None 2022-10-28 19:52:27 UTC

Description Andrew John Hughes 2021-12-07 01:53:22 UTC 
This bug was initially created as a copy of Bug #2020290

I am copying this bug because: 

Support needed in java-11-openjdk too.

When OpenJDK runs on a FIPS-configured system, TLS 1.3 (implemented in the SunJSSE security provider) is disabled both on the server and client sides (RH1860986). The reason is that the PKCS#11 key derivation mechanism for TLS 1.3 is not supported in the SunPKCS11 security provider; and the SunJSSE code for key derivation would require to import plain secret keys into an NSS Software Token (blocked by RH1991003).

The goal of this task is to implement a solution to re-enable TLS 1.3 on both server and client sides when OpenJDK runs in FIPS mode.
Note You need to log in before you can comment on or make changes to this bug.