Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-21941

FIPS: TLSv1.1 has been disabled on most JDKs

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Blocker
    • Resolution: Done
    • 7.4.0.Beta
    • None
    • Documentation, Security
    • None

    Description

      Recently TLSv.1.1 has been disabled on most of the JDKs we use to test FIPS for EAP (see e.g. https://bugs.openjdk.java.net/browse/JDK-8254713);

      Our 7.4 documentation still suggests using TLSv1.1: https://access.redhat.com/login?redirectTo=https%3A%2F%2Faccess.redhat.com%2Fdocumentation%2Fen-us%2Fred_hat_jboss_enterprise_application_platform%2F7.4-beta%2Fhtml-single%2Fhow_to_configure_server_security%2Findex%23fips_compliant_cryptography;

      We should update documentation to TLSv1.2 (or higher? e.g. TLSv1.3);

      Also the solution titled "NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret" https://access.redhat.com/solutions/1309153 which is linked in the documentation, suggest migrating to the latest JDK in case Java is configured to use TLS 1.2;

      Here is the complete list of JDK we use with indication on which are affected:

      OpenJDK

      OpenJDK 8 for RHEL: openjdk-1.8.0.292.b10

      jre/lib/security/java.security

      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
          DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
          include jdk.disabled.namedCurves
      

      OpenJDK 8 for Windows: windows java-1.8.0-openjdk-1.8.0.292-1.b10.redhat.windows.x86_64

      jre/lib/security/java.security

      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
          DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
          include jdk.disabled.namedCurves
      

      OpenJDK 11 for RHEL: openjdk-11.0.11.0.9

      conf/security/java.security

      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
          DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
          include jdk.disabled.namedCurves
      

      OpenJDK 11 for Windows: windows java-11-openjdk-11.0.11.9-1.windows.redhat.x86_64

      conf/security/java.security

      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
          DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
          include jdk.disabled.namedCurves
      

      Oracle JDK

      Oracle JDK 8: windows jdk1.8.0_291

      jre/lib/security/java.security

      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
          DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
          include jdk.disabled.namedCurves
      

      Oracle JDK 8: jdk1.8.0_291

      jre/lib/security/java.security

      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
          DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
          include jdk.disabled.namedCurves
      

      Oracle JDK 11 for RHEL: jdk-11.0.11

      conf/security/java.security

      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
          DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
          include jdk.disabled.namedCurves
      

      Oracle JDK 11 for Windows: windows jdk-11.0.11

      conf/security/java.security

      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
          DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
          include jdk.disabled.namedCurves
      

      AdoptOpen

      AdoptOpen JDK 11: adoptopenjdk11.0.11.openj9

      conf/security/java.security

      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
          DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
          include jdk.disabled.namedCurves
      

      AdoptOpen JDK 8: windows jdk8u242-b08_openj9-0.18.1

      jre/lib/security/java.security TLSv1.1 NOT DISABLED!!!!!!!!!!!!!

      jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
          EC keySize < 224, 3DES_EDE_CBC, anon, NULL
      

      AdoptOpen JDK 8: adoptopenjdk1.8.292.openj9

      jre/lib/security/java.security

      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
          DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
          include jdk.disabled.namedCurves
      

      IBM JDK

      IBM JDK 8: ibm-java-x86_64-sdk-8.0-6.26

      jre/lib/security/java.security TLSv1.1 NOT DISABLED!!!!!!!!!!!!!

      jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \ EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
      

      Attachments

        Issue Links

          Activity

            People

              ncbaratta Nicole Baratta
              tborgato@redhat.com Tommaso Borgato
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: