-
Bug
-
Resolution: Done
-
Blocker
-
7.1.0.DR19
In DR19 there was introduced DelegatingKeyManager [1], which is used by default. That breaks FIPS TLS on Oracle/OpenJDK java, because only JSSE keymanagers are permitted in FIPS mode [2]
// In FIPS mode, require that one of SunJSSE's own keymanagers // is used. Otherwise, we cannot be sure that only keys from // the FIPS token are used. if ((km instanceof X509KeyManagerImpl) || (km instanceof SunX509KeyManagerImpl)) { return (X509ExtendedKeyManager)km; } else { // throw exception, we don't want to silently use the // dummy keymanager without telling the user. throw new KeyManagementException ("FIPS mode: only SunJSSE KeyManagers may be used"); }
Note, in my opinion it will be not enough to restrict reload operation only to file-based keystores. From my point of view reload would be also valid operation on PKCS11 module.
But more importantly there also exists file based FIPS keystore type - BCFKS (Bouncy Castle FIPS).
[1] https://github.com/wildfly/wildfly-core/commit/de41fa268cca32cebb13e21d850614802bd8d434
[2] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/ssl/SSLContextImpl.java#158
- is cloned by
-
WFCORE-2907 Regression, Unable to create TLS in FIPS mode
- Resolved
- is incorporated by
-
JBEAP-11137 (7.1.0) Upgrade to WildFly Core to 3.0.0.Beta26
- Closed