在 FIPS 模式下禁用 HTTPS 证书验证
[英]Disable HTTPS Certificate Validation in FIPS mode
问题描述
There is a code in java which performs HTTPS call and then ignores the incoming certificate validation. 
java 中有一个代码执行 HTTPS 调用,然后忽略传入的证书验证。 In order to do this the custom trust manager is implemented.为了做到这一点,实现了自定义信任管理器。 But now we need to switch to FIPS mode.但是现在我们需要切换到 FIPS 模式。 And in fips mode the following exception is received when the custom trustmanager is used by SSL Socket.在 fips 模式下,当 SSL Socket 使用自定义 trustmanager 时,会收到以下异常。
FIPS mode: only SunJSSE TrustManagers may be used FIPS 模式:只能使用 SunJSSE 信任管理器
So is there a way to bypass the incoming certificate verification in a FIPS mode?那么有没有办法在 FIPS 模式下绕过传入的证书验证?
2 个解决方案
解决方案1
3 已采纳 2020-06-28 20:47:04
You are basically asking if you can enable a specific security level (FIPS) while disabling some of the security required in this level.您基本上是在询问是否可以启用特定安全级别 (FIPS),同时禁用此级别所需的一些安全性。 No - the whole point of this security level is to ensure that specific security requirements are met, and proper certificate validation is an essential requirement.否 - 此安全级别的重点是确保满足特定的安全要求,并且适当的证书验证是一项基本要求。
解决方案2
0 2021-09-03 12:16:16
This behavior of NOT allowing non-SunJSSE trust or key manager seems specific to Sun/Oracle JRE.这种不允许非 SunJSSE 信任或密钥管理器的行为似乎特定于 Sun/Oracle JRE。 Don't think it's a FIPS compliance mandate.不要认为这是 FIPS 合规要求。 Apparently, openSSL with FIPS enabled and libcurl doesn't have this limitation.显然,启用 FIPS 和 libcurl 的 openSSL 没有此限制。
I am also facing issues due to this.我也因此面临问题。
We have some HTTPS API calls happening in our Java application.我们的 Java 应用程序中发生了一些 HTTPS API 调用。 These API calls are actually about fetching the CA certificate of remote end, displaying finger print and other details to end-user and when use accepts, persist this certificate in trust store.这些 API 调用实际上是关于获取远程端的 CA 证书,向最终用户显示指纹和其他详细信息,当使用接受时,将此证书保存在信任库中。 From then on, for subsequent HTTPS call in the workflow, will use this trust store.此后,对于工作流中的后续 HTTPS 调用,将使用此信任库。
So, the HTTPS call from our app to fetch the CA certificate, I have used a "trust-all" trust manager but apparently that's NOT acceptable in FIPS mode.因此,从我们的应用程序调用 HTTPS 以获取 CA 证书,我使用了“全部信任”信任管理器,但显然这在 FIPS 模式下是不可接受的。
I agree FIPS requires tighter security and thus disabling certificate validation isn't a great idea and should NOT be done ideally.我同意 FIPS 需要更严格的安全性,因此禁用证书验证不是一个好主意,也不应该在理想情况下完成。 But exceptional cases like this (and probably where we wanted to perform more validations such as custom host name verification, certificate revocation status check, etc.) there should have been some provision with Sun JSSE to override this FIPS mode behavior.但是像这样的特殊情况(可能是我们想要执行更多验证,例如自定义主机名验证、证书撤销状态检查等),Sun JSSE 应该有一些规定来覆盖这种 FIPS 模式行为。
Most probably, we need to implement SSLContextSpi and hook in our custom SSL context.很可能,我们需要在我们的自定义 SSL 上下文中实现 SSLContextSpi 和挂钩。 The implementation would look very similar to SSLContextImpl below but with probably FIPS limitations relaxed.该实现看起来与下面的 SSLContextImpl 非常相似,但可能放宽了 FIPS 限制。 (Needless to say, this needs to be used judiciously, specially with FIPS.) (不用说,这需要谨慎使用,特别是 FIPS。)
https://hg.openjdk.java.net/jdk8/jdk8/jdk/raw-file/687fd7c7986d/src/share/classes/sun/security/ssl/SSLContextImpl.java https://hg.openjdk.java.net/jdk8/jdk8/jdk/raw-file/687fd7c7986d/src/share/classes/sun/security/ssl/SSLContextImpl.Z93F725A07423FE1C889F448B33DZF
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.