Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-14517

[Doc] TLS using PKCS11 (FIPS) and JDK9+ does not work by default

XMLWordPrintable

    • Icon: Enhancement Enhancement
    • Resolution: Won't Do
    • Icon: Major Major
    • None
    • None
    • Documentation, Security
    • None
    • 5
    • Release Notes

      Please document in 7.2.0.GA documentation, SunPKCS11 (FIPS) provider does not support
      extended master secret TLS extension, which is turned on by default since 9.0.4 and 10 b36 [1].

      Trying this leads to error

      17:32:48,377 INFO  [stdout] (default task-1) SESSION KEYGEN:
      17:32:48,378 INFO  [stdout] (default task-1) PreMaster Secret:
      17:32:48,378 INFO  [stdout] (default task-1) (key bytes not available)
      17:32:48,378 INFO  [stdout] (default task-1) RSA master secret generation error:
      17:32:48,378 INFO  [stdout] (default task-1) java.security.InvalidAlgorithmParameterException: Key format must be RAW
      17:32:48,378 INFO  [stdout] (default task-1) 	at java.base/com.sun.crypto.provider.TlsMasterSecretGenerator.engineInit(TlsMasterSecretGenerator.java:69)
      17:32:48,378 INFO  [stdout] (default task-1) 	at java.base/javax.crypto.KeyGenerator.init(KeyGenerator.java:477)
      17:32:48,378 INFO  [stdout] (default task-1) 	at java.base/javax.crypto.KeyGenerator.init(KeyGenerator.java:453)
      17:32:48,378 INFO  [stdout] (default task-1) 	at java.base/sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1334)
      17:32:48,378 INFO  [stdout] (default task-1) 	at java.base/sun.security.ssl.Handshaker.calculateKeys(Handshaker.java:1235)
      17:32:48,378 INFO  [stdout] (default task-1) 	at java.base/sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:318)
      17:32:48,378 INFO  [stdout] (default task-1) 	at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1092)
      17:32:48,379 INFO  [stdout] (default task-1) 	at java.base/sun.security.ssl.Handshaker$1.run(Handshaker.java:1031)
      17:32:48,379 INFO  [stdout] (default task-1) 	at java.base/sun.security.ssl.Handshaker$1.run(Handshaker.java:1028)
      17:32:48,379 INFO  [stdout] (default task-1) 	at java.base/java.security.AccessController.doPrivileged(Native Method)
      17:32:48,379 INFO  [stdout] (default task-1) 	at java.base/sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1534)
      17:32:48,379 INFO  [stdout] (default task-1) 	at io.undertow.core@2.0.0.SP1-redhat-1//io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1047)
      17:32:48,379 INFO  [stdout] (default task-1) 	at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      17:32:48,379 INFO  [stdout] (default task-1) 	at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
      17:32:48,379 INFO  [stdout] (default task-1) 	at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
      17:32:48,379 INFO  [stdout] (default task-1) 	at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
      17:32:48,379 INFO  [stdout] (default task-1) 	at java.base/java.lang.Thread.run(Thread.java:844)
      17:32:48,379 INFO  [stdout] (default I/O-7) default I/O-7, fatal error: 80: problem unwrapping net record
      17:32:48,379 INFO  [stdout] (default I/O-7) java.lang.RuntimeException: java.security.InvalidAlgorithmParameterException: Key format must be RAW
      

      This default extension behaviour can be switched off by system property -Djdk.tls.useExtendedMasterSecret=false on EAP server side.

      [1] https://bugs.java.com/view_bug.do?bug_id=JDK-8148421

              dfitzmau@redhat.com Darragh Fitzmaurice
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: