KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
I use a custom DummySSLSocketFactory and DummyTrustManager to connect to SMTP over TLS.

DummySSLSocketFactory:
package XMailMessenger;

import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;

public class DummySSLSocketFactory extends SSLSocketFactory {
    private SSLSocketFactory factory;

    public DummySSLSocketFactory() {
        try {
            SSLContext sslcontext = SSLContext.getInstance("TLS");
            //Security.removeProvider("SunJSSE");
            // Installs the trust-all DummyTrustManager; SSLContext.init is the
            // call that throws the FIPS-mode KeyManagementException.
            sslcontext.init(null,
                            new TrustManager[] { new DummyTrustManager() },
                            null);
            factory = (SSLSocketFactory) sslcontext.getSocketFactory();
        } catch (Exception ex) {
            System.out.println(ex.toString());
        }
    }

    public static SocketFactory getDefault() {
        SocketFactory a = new DummySSLSocketFactory();
        if (a == null) { System.out.println("1"); }
        return a;
    }
    ...
DummyTrustManager:

import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

public class DummyTrustManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] cert, String authType) {
        // everything is trusted
    }

    public void checkServerTrusted(X509Certificate[] cert, String authType) {
        // everything is trusted
    }

    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
        //return null;
    }
}
When sending e-mail I receive the exception in the subject; this exception comes from the function sslcontext.init in DummySSLSocketFactory. I debugged it and noticed that in this code:
private X509TrustManager chooseTrustManager(TrustManager[] tm)
        throws KeyManagementException {
    // We only use the first instance of X509TrustManager passed to us.
    for (int i = 0; tm != null && i < tm.length; i++) {
        if (tm[i] instanceof X509TrustManager) {
            if (SunJSSE.isFIPS() &&
                    !(tm[i] instanceof X509TrustManagerImpl)) {
                throw new KeyManagementException
                    ("FIPS mode: only SunJSSE TrustManagers may be used");
            }
            if (tm[i] instanceof X509ExtendedTrustManager) {
                return (X509TrustManager) tm[i];
            } else {
                return new AbstractTrustManagerWrapper(
                    (X509TrustManager) tm[i]);
            }
        }
    }
    // nothing found, return a dummy X509TrustManager.
    return DummyX509TrustManager.INSTANCE;
}
The exception occurs in the if (SunJSSE.isFIPS() && !(tm[i] instanceof X509TrustManagerImpl)) expression.

I suppose that tm[i] contains my DummyTrustManager; it cannot be extended from X509TrustManagerImpl, so my question is: how do I disable FIPS in SunJSSE?
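As an added example (not code from the question or its answers), the factory below takes its trust manager from SunJSSE's own TrustManagerFactory instead of a hand-written trust-all manager, so the object handed to SSLContext.init is the X509TrustManagerImpl that the chooseTrustManager check above requires. The truststore path, its password and the PKCS12 keystore type are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreSSLSocketFactory {

    /** Builds an SSLSocketFactory that trusts only the CAs in the given truststore. */
    public static SSLSocketFactory create(String trustStorePath, char[] password)
            throws Exception {
        // Assumption: the truststore is a PKCS12 file; a FIPS deployment may instead
        // require the FIPS provider's own keystore type.
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        // SunJSSE's TrustManagerFactory (default algorithm "PKIX") returns its own
        // X509TrustManagerImpl, which is the class FIPS mode insists on.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        TrustManager[] tms = tmf.getTrustManagers();
        // Fail fast on an empty truststore: an X509TrustManager with no accepted
        // issuers would reject every server certificate at connect time.
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager
                    && ((X509TrustManager) tm).getAcceptedIssuers().length == 0) {
                throw new IllegalStateException("truststore holds no CA certificates");
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null);   // passes chooseTrustManager's FIPS check
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and password; point them at a truststore holding the
        // SMTP server's issuing CA certificate.
        SSLSocketFactory f = create("/path/to/smtp-truststore.p12", "changeit".toCharArray());
        System.out.println("trust manager accepted: " + f.getClass().getName());
    }
}
```

Registering this factory with the mail client in place of DummySSLSocketFactory keeps certificate validation intact and avoids the need to turn FIPS mode off.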
SunJSSE can be configured to run in FIPS-140 compliant mode as long as it uses a FIPS-140 certified cryptographic hardware or software provider that implements all cryptographic algorithms required by JSSE (e.g. Network Security Services (NSS), Sun Cryptographic Accelerator 6000, nCipher, etc.).

To enable FIPS mode, edit the file ${java.home}/lib/security/java.security and modify the line that lists com.sun.net.ssl.internal.ssl.Provider to associate the name of the FIPS-140 cryptographic provider (e.g. SunPKCS11-NSS). The name of the provider is a string that concatenates the prefix SunPKCS11- with the name of the specified PKCS#11 provider in its configuration file.

security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS

In case of using NSS as the cryptographic software token (use NSS 3.1.1 or above), assuming the libraries are located under the /opt/nss/lib directory and its key database files (with the suffix .db) are under the /opt/nss/fipsdb directory, the sample configuration representing NSS will be as follows:

# Use NSS as a FIPS-140 compliant cryptographic token
# SunPKCS11-NSS
name = NSS
nssLibraryDirectory = /opt/nss/lib
nssSecmodDirectory = /opt/nss/fipsdb
nssModule = fips

In FIPS mode, SunJSSE will perform SSL/TLS 1.0 based communication and cryptographic operations including symmetric and asymmetric encryption, signature generation and verification, message digests and message authentication codes, key generation and key derivation, random number generation, etc.
To anyone having a giant headache when you need to install a Tomcat webapp on a third-party server: I lost 1 hour trying to bypass this damn thing...

I solved it in this way, without touching anything in the webapp:

-Djava.security.disableSystemPropertiesFile=true

Source: https://access.redhat.com/documentation/en-us/openjdk/8/pdf/configuring_openjdk_8_on_rhel_with_fips/OpenJDK-8-Configuring_OpenJDK_8_on_RHEL_with_FIPS-en-US.pdf

(bonus) If you want to uninstall FIPS from the server, follow this guide (I didn't test it):
https://www.bggofurther.com/2021/02/disable-fips-mode-on-centos-7/