Does TLS 1.2 with SunPKCS11-NSS provider work in FIPS mode
Xuelei Fan
xuelei.fan at oracle.com
Tue Mar 31 23:35:08 UTC 2015
Hi Jenny,
As there is no PKCS#11 spec to support the mechanism, it is a known
issue to us:
https://bugs.openjdk.java.net/browse/JDK-8029661
Need to look into the new development of PKCS11 standards.
Regards,
Xuelei
On 4/1/2015 1:09 AM, Lighthart, Jenny wrote:
> Hello Java Security Devs,
>
> The following exception occurs while processing serverHelloDone during
> an attempt at TLS1.2 with NSS in FIPS mode (via modutil).
>
> java.security.NoSuchAlgorithmException: no such algorithm:
> SunTls12RsaPremasterSecret for provider SunPKCS11-NSS
>
> Both the client and the server are running from a unit test using:
>
> · JDK 1.8.0_31-b13
> · nss-3.16.2.3-3
>
> The same test runs fine in FIPS mode using TLS1.1 or TLS1.0. The same
> test also runs with TLS1.2 when the keystore is not in FIPS mode.
>
> I am thinking that it is not supported. SunPKCS11-NSS provider needs to
> be updated with the SunTLS12* algorithms before this will work. The
> JSSE's ClientKeyExchange expects to be able to obtain a KeyGenerator
> specific to TLS1.2. When in FIPS mode, the crypto provider is
> SunPKCS11-NSS and it does not have the requested algorithm.
>
> Can anyone confirm or deny this? Any ideas as to when it will be supported?
>
> I've been all over the map trying to figure this one out. I am pretty
> sure at this point that it is not a problem with the NSS library. I can
> provide full stack trace and debug output as needed, but am hoping
> someone can answer first whether this configuration should be expected
> to work.
>
> Thanks for your help,
>
> Jenny
>
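A way to check the situation described in this thread on a given JVM, as an added example that is not part of either message and is not JDK or JSSE code: it lists, for every installed provider, which of the internal TLS KeyGenerator names are registered. Apart from SunTls12RsaPremasterSecret, which appears in the quoted exception, the names are the ones the JDK's SunJCE provider registers; the class name TlsKeyGenCheck is hypothetical. Run it with the same java.security configuration as the failing test.

```java
import java.security.Provider;
import java.security.Security;

// Added diagnostic (hypothetical class name), not code from the thread or the JDK.
public class TlsKeyGenCheck {
    // Internal JSSE KeyGenerator names: pre-TLS 1.2 variant, then TLS 1.2 variant.
    static final String[] ALGS = {
        "SunTlsRsaPremasterSecret", "SunTls12RsaPremasterSecret",
        "SunTlsMasterSecret",       "SunTls12MasterSecret",
        "SunTlsKeyMaterial",        "SunTls12KeyMaterial",
        "SunTlsPrf",                "SunTls12Prf",
    };

    // Provider.getService returns null when the provider does not register
    // the (type, algorithm) pair, which is the condition behind the
    // NoSuchAlgorithmException quoted in the message above.
    static boolean offers(Provider p, String alg) {
        return p.getService("KeyGenerator", alg) != null;
    }

    public static void main(String[] args) {
        for (Provider p : Security.getProviders()) {
            StringBuilder present = new StringBuilder();
            StringBuilder missing = new StringBuilder();
            for (String alg : ALGS) {
                (offers(p, alg) ? present : missing).append(' ').append(alg);
            }
            // Skip providers that implement none of the TLS key generators.
            if (present.length() == 0) {
                continue;
            }
            System.out.println(p.getName() + " " + p.getVersion());
            System.out.println("  present:" + present);
            System.out.println("  missing:"
                    + (missing.length() == 0 ? " (none)" : missing.toString()));
        }
    }
}
```

A provider that reports SunTlsRsaPremasterSecret as present and SunTls12RsaPremasterSecret as missing matches the behaviour reported above: TLS 1.0 and 1.1 handshakes succeed and TLS 1.2 fails at the client key exchange.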