Does TLS1.2 work with NSS in FIPS mode using JSSE configured with SunPKCS11-NSS provider
We are trying to get TLS1.2 working in FIPS mode in the following environment. When attempting to write to an SSLSocket created with an SSLContext for protocol "TLSv1.2" it fails with the error java.security.NoSuchAlgorithmException: no such algorithm: SunTls12RsaPremasterSecret for provider SunPKCS11-NSS.
The environment:

I believe the answer is NO, TLS1.2 does not work with NSS 3.16+ in FIPS mode. I need to determine decisively:

Here is the evidence collected so far:

The relevant javax.net.debug output follows:
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1409235389 bytes = { 122, 104, 164, 187, 130, 152, 6, 95, 250, 230, 146, 99, 164, 228, 116, 203, 188, 51, 48, 140, 196, 35, 87, 33, 228, 67, 15, 120 }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
TRIMMED
%% Negotiating:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1409235389 bytes = { 217, 13, 11, 142, 204, 139, 77, 178, 239, 246, 177, 116, 225, 208, 217, 77, 128, 106, 206, 72, 40, 229, 46, 232, 54, 172, 74, 41 }
Session ID:  {84, 255, 58, 189, 125, 207, 159, 166, 144, 6, 19, 157, 173, 113, 80, 88, 204, 69, 101, 231, 227, 242, 144, 59, 174, 147, 158, 65, 14, 78, 182, 52}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection:
***
Cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
TRIMMED
*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
Thread-0, handling exception: javax.net.ssl.SSLKeyException: RSA premaster secret error
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
12:41:01.684 [Thread-0] ERROR c.p.p.c.i.SslContextTestContainer - unexpected Exception
javax.net.ssl.SSLKeyException: RSA premaster secret error
    at sun.security.ssl.RSAClientKeyExchange.(RSAClientKeyExchange.java:86) ~[na:1.8.0_25]
    at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:880) ~[na:1.8.0_25]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:344) ~[na:1.8.0_25]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:936) ~[na:1.8.0_25]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:871) ~[na:1.8.0_25]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043) ~[na:1.8.0_25]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343) ~[na:1.8.0_25]
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:728) ~[na:1.8.0_25]
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) ~[na:1.8.0_25]
    at java.io.OutputStream.write(OutputStream.java:75) ~[na:1.8.0_25]
    at com.polycom.pillars.certificate.internal.SslContextTestContainer$ClientThread.doit(SslContextTestContainer.java:193) ~[bin/:na]
    at com.polycom.pillars.certificate.internal.SslContextTestContainer$SslConnectionThread.run(SslContextTestContainer.java:127) ~[bin/:na]
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12RsaPremasterSecret for provider SunPKCS11-NSS
    at sun.security.jca.GetInstance.getService(GetInstance.java:101) ~[na:1.8.0_25]
    at javax.crypto.JceSecurity.getInstance(JceSecurity.java:109) ~[na:1.8.0_25]
    at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:287) ~[na:1.8.0_25]
    at sun.security.ssl.JsseJce.getKeyGenerator(JsseJce.java:274) ~[na:1.8.0_25]
    at sun.security.ssl.RSAClientKeyExchange.(RSAClientKeyExchange.java:77) ~[na:1.8.0_25]
Indeed the provider does not support TLS1.2. The bug tracking this issue is: https://bugs.openjdk.java.net/browse/JDK-8029661
The exceptions are coming since the server still attempts to negotiate in TLS1.2 even though it is not supported by the provider NSS. To avoid this exception and to proceed to use TLS1.1 add the following lines under java.security.
jdk.tls.disabledAlgorithms=SSLv3,TLSv1.2
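The same workaround applied per socket instead of through the global java.security file, as an added example that is not part of the question or answer above: it asks the installed SunPKCS11-NSS provider whether it registers the SunTls12RsaPremasterSecret KeyGenerator that SunJSSE requests for TLS 1.2 RSA key exchange (the lookup that fails in the stack trace) and drops TLSv1.2 from the enabled protocols when it does not. The NSS configuration path and the host example.com are placeholders.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class Tls12ProviderCheck {

    /** KeyGenerator algorithm SunJSSE asks the crypto provider for on TLS 1.2 RSA key exchange. */
    static final String TLS12_PMS = "SunTls12RsaPremasterSecret";

    /** True when the provider registers the KeyGenerator the TLS 1.2 RSA handshake needs. */
    static boolean supportsTls12RsaKeyExchange(Provider p) {
        return p.getService("KeyGenerator", TLS12_PMS) != null;
    }

    /** Returns the requested protocol list, minus TLSv1.2 if the provider cannot serve it. */
    static String[] protocolsFor(Provider p, String[] requested) {
        if (supportsTls12RsaKeyExchange(p)) {
            return requested;
        }
        return Arrays.stream(requested)
                .filter(proto -> !proto.equals("TLSv1.2"))
                .toArray(String[]::new);
    }

    public static void main(String[] args) throws Exception {
        // Assumes the NSS-backed provider was installed earlier, e.g. with
        // Security.addProvider(new sun.security.pkcs11.SunPKCS11("/path/to/nss.cfg"));  // placeholder path
        Provider nss = Security.getProvider("SunPKCS11-NSS");
        if (nss == null) {
            System.err.println("SunPKCS11-NSS provider is not installed");
            return;
        }
        String[] protocols = protocolsFor(nss, new String[] {"TLSv1.2", "TLSv1.1", "TLSv1"});
        System.out.println("Enabling protocols: " + Arrays.toString(protocols));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // default key and trust managers
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket("example.com", 443)) { // placeholder host
            socket.setEnabledProtocols(protocols);
            socket.startHandshake();   // fails before ClientKeyExchange if TLSv1.2 were left enabled
            System.out.println("Negotiated " + socket.getSession().getProtocol());
        }
    }
}
```

Restricting the protocol on the socket keeps the change local to the connections that use the NSS provider, whereas the jdk.tls.disabledAlgorithms edit disables TLSv1.2 for every SSLContext in the JVM.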