FIPS 140.2 enabled TLS server rejects clients sending SSLv3 as record version in ClientHello
Sean Mullan
sean.mullan at oracle.com
Mon Oct 14 15:51:40 UTC 2019
On 10/14/19 4:41 AM, Christian Schaefer wrote:
> Hi all,
>
> We have TLS connection issues when the server (openjdk version
> "1.8.0_222") runs in FIPS 140.2 mode. The error thrown on the server is:
>
> “javax.net.ssl.SSLException: Unsupported record version SSLv3” (which
> originates from: sun.security.ssl.InputRecord.checkRecordVersion(…))
>
> This error only happens when the server JRE runs in FIPS 140.2 mode.
> This is because of the following code in class
> sun.security.ssl.ProtocolVersion:
>
> “
>
> // minimum version we implement (SSL 3.0)
> final static ProtocolVersion MIN = FIPS ? TLS10 : SSL30;
>
> “
>
> Our server **only** allows TLS 1.2 as TLS protocol version, however, if
> I have the correct understanding of the TLS 1.2 specification enforcing
> a record version of (at least) TLS10 seems to violate the specification
> (https://tools.ietf.org/html/rfc5246#appendix-E.1):
>
> “
>
> […] Thus, TLS servers compliant with this specification MUST accept
> any value {03,XX} as the record layer version number for
> ClientHello. […]
>
> (Appendix E. Backward Compatibility - E.1. Compatibility with TLS
> 1.0/1.1 and SSL 3.0)
>
> “
>
> Is this something which should be fixed in the JRE? Or is the behavior
> of the client wrong?

Are you referring to the "FIPS 140 Compliant Mode for SunJSSE"? Note
that this was documented as an "experimental" feature and has since been
removed from the JDK [1]. However, one of the behavior differences of
this mode was documented as:

"Only TLS 1.0 and later can be used. SSL 2.0 and SSL 3.0 are not
available. Any attempt to enable SSL 2.0 or 3.0 will fail with an
exception."

Can you give more info as to why SSLv3.0 is being used since it has well
documented security weaknesses and should really no longer be used anymore?

Thanks,
Sean

[1] https://bugs.openjdk.java.net/browse/JDK-8217907
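
Added example (not part of the original messages and not JDK code): the ClientHello carries two version fields, the record-layer version and the client_version in the handshake body, and the sketch below parses both and compares a record check modelled on the reported MIN = TLS10 behaviour with the RFC 5246 E.1 rule. All function names and the sample ClientHello bytes are constructed for illustration.

```python
import struct

def build_client_hello(record_version, client_version=(3, 3)):
    """Constructed sample ClientHello record (not a capture)."""
    body = bytes(client_version) + bytes(32)   # client_version + random
    body += b"\x00"                            # empty session_id
    body += b"\x00\x02\x00\x2f"                # one cipher suite
    body += b"\x01\x00"                        # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    header = bytes([22, *record_version]) + struct.pack("!H", len(handshake))
    return header + handshake

def parse_versions(record):
    """Return (record_layer_version, client_version) of a ClientHello."""
    if len(record) < 11:
        raise ValueError("truncated record")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != 22 or record[5] != 1 or len(record) < 5 + length:
        raise ValueError("not a complete ClientHello record")
    return (major, minor), (record[9], record[10])

def strict_min_tls10(record_version):
    # Model of the behaviour reported in the thread: MIN is TLS 1.0.
    return record_version >= (3, 1)

def rfc5246_e1(record_version):
    # RFC 5246 E.1: accept any {03,XX} on the ClientHello record layer.
    return record_version[0] == 3

def negotiate(record, record_check, enabled=((3, 3),)):
    """Return the negotiated version, or None if the hello is refused."""
    record_version, client_version = parse_versions(record)
    if not record_check(record_version):
        return None                            # refused at the record layer
    usable = [v for v in enabled if v <= client_version]
    return max(usable) if usable else None     # version comes from the hello body

if __name__ == "__main__":
    for rec, hello in (((3, 0), (3, 3)), ((3, 0), (3, 0))):
        msg = build_client_hello(rec, hello)
        print(rec, hello, negotiate(msg, strict_min_tls10), negotiate(msg, rfc5246_e1))
```

With only TLS 1.2 enabled, the E.1 rule still refuses a client whose client_version is SSL 3.0; tolerating {03,00} on the record layer does not make SSL 3.0 negotiable.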