stackoom
  简体   繁体   中英

Disable HTTPS Certificate Validation in FIPS mode

 原文  2020-06-28 20:25:32       java/ security/ ssl/ fips

Question

There is a code in java which performs HTTPS call and then ignores the incoming certificate validation. In order to do this the custom trust manager is implemented. But now we need to switch to FIPS mode. And in fips mode the following exception is received when the custom trustmanager is used by SSL Socket.

FIPS mode: only SunJSSE TrustManagers may be used

So is there a way to bypass the incoming certificate verification in a FIPS mode?

2 answers

solution1
 3 ACCPTED  2020-06-28 20:47:04

You are basically asking if you can enable a specific security level (FIPS) while disabling some of the security required in this level. No - the whole point of this security level is to ensure that specific security requirements are met, and proper certificate validation is an essential requirement.

solution2
 0  2021-09-03 12:16:16

This behavior of NOT allowing non-SunJSSE trust or key manager seems specific to Sun/Oracle JRE. Don't think it's a FIPS compliance mandate. Apparently, openSSL with FIPS enabled and libcurl doesn't have this limitation.

I am also facing issues due to this.

We have some HTTPS API calls happening in our Java application. These API calls are actually about fetching the CA certificate of remote end, displaying finger print and other details to end-user and when use accepts, persist this certificate in trust store. From then on, for subsequent HTTPS call in the workflow, will use this trust store.

So, the HTTPS call from our app to fetch the CA certificate, I have used a "trust-all" trust manager but apparently that's NOT acceptable in FIPS mode.

I agree FIPS requires tighter security and thus disabling certificate validation isn't a great idea and should NOT be done ideally. But exceptional cases like this (and probably where we wanted to perform more validations such as custom host name verification, certificate revocation status check, etc.) there should have been some provision with Sun JSSE to override this FIPS mode behavior.

Most probably, we need to implement SSLContextSpi and hook in our custom SSL context. The implementation would look very similar to SSLContextImpl below but with probably FIPS limitations relaxed. (Needless to say, this needs to be used judiciously, specially with FIPS.)

https://hg.openjdk.java.net/jdk8/jdk8/jdk/raw-file/687fd7c7986d/src/share/classes/sun/security/ssl/SSLContextImpl.java

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question java ignore https certificate validation Disable SSL certificate validation in Java How to disable certificate validation in java ActiveMQ run in FIPS mode HTTPS certificate validation fails when using a trustStore Bypass HTTPS certificate validation while invoking webservice How to disable certificate validation for particular http request? Disable camel certificate validation in Camel 2.12 How to build fips compliant sqlcipher to call FIPS_mode_set(1) Certificate validation in browsers (specific case: https://gmail.com)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM