Loading...

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: None
Affects Version/s: 7.4.0.Beta
Component/s: Documentation, Security
Labels:
None

Blocked:
False
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Release Note Text:
Undefined
Target Release:

7.backlog.GA
Market:

SFDC Cases Counter:
SFDC Cases Links:

Recently TLSv.1.1 has been disabled on most of the JDKs we use to test FIPS for EAP (see e.g. https://bugs.openjdk.java.net/browse/JDK-8254713);

Our 7.4 documentation still suggests using TLSv1.1: https://access.redhat.com/login?redirectTo=https%3A%2F%2Faccess.redhat.com%2Fdocumentation%2Fen-us%2Fred_hat_jboss_enterprise_application_platform%2F7.4-beta%2Fhtml-single%2Fhow_to_configure_server_security%2Findex%23fips_compliant_cryptography;

We should update documentation to TLSv1.2 (or higher? e.g. TLSv1.3);

Also the solution titled "NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret" https://access.redhat.com/solutions/1309153 which is linked in the documentation, suggest migrating to the latest JDK in case Java is configured to use TLS 1.2;

Here is the complete list of JDK we use with indication on which are affected:

OpenJDK

OpenJDK 8 for RHEL: openjdk-1.8.0.292.b10

jre/lib/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

OpenJDK 8 for Windows: windows java-1.8.0-openjdk-1.8.0.292-1.b10.redhat.windows.x86_64

jre/lib/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

OpenJDK 11 for RHEL: openjdk-11.0.11.0.9

conf/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

OpenJDK 11 for Windows: windows java-11-openjdk-11.0.11.9-1.windows.redhat.x86_64

conf/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

Oracle JDK

Oracle JDK 8: windows jdk1.8.0_291

jre/lib/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

Oracle JDK 8: jdk1.8.0_291

jre/lib/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

Oracle JDK 11 for RHEL: jdk-11.0.11

conf/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

Oracle JDK 11 for Windows: windows jdk-11.0.11

conf/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

AdoptOpen

AdoptOpen JDK 11: adoptopenjdk11.0.11.openj9

conf/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

AdoptOpen JDK 8: windows jdk8u242-b08_openj9-0.18.1

jre/lib/security/java.security TLSv1.1 NOT DISABLED!!!!!!!!!!!!!

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL

AdoptOpen JDK 8: adoptopenjdk1.8.292.openj9

jre/lib/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

IBM JDK

IBM JDK 8: ibm-java-x86_64-sdk-8.0-6.26

jre/lib/security/java.security TLSv1.1 NOT DISABLED!!!!!!!!!!!!!

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \ EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC

is related to

JBEAP-21942 FIPS: TLSv1.1 has been disabled on OpenJDK

Closed

JBEAP-21943 FIPS: TLSv1.1 has been disabled on Oracle JDK

Closed

JBEAP-21944 FIPS: TLSv1.1 has been disabled on AdoptOpen JDK for Linux

Closed

relates to

JBEAP-23440 Some Java releases now support TLSv1.2 with PKCS#11 / FIPS mode

New

JBEAP-22036 [7.4.0 RN] Warn users that TLS 1.1 is disabled by default on newer JDKs and user might need to re-enable it

Closed

Details

Description

OpenJDK

OpenJDK 8 for RHEL: openjdk-1.8.0.292.b10

OpenJDK 8 for Windows: windows java-1.8.0-openjdk-1.8.0.292-1.b10.redhat.windows.x86_64

OpenJDK 11 for RHEL: openjdk-11.0.11.0.9

OpenJDK 11 for Windows: windows java-11-openjdk-11.0.11.9-1.windows.redhat.x86_64

Oracle JDK

Oracle JDK 8: windows jdk1.8.0_291

Oracle JDK 8: jdk1.8.0_291

Oracle JDK 11 for RHEL: jdk-11.0.11

Oracle JDK 11 for Windows: windows jdk-11.0.11

AdoptOpen

AdoptOpen JDK 11: adoptopenjdk11.0.11.openj9

AdoptOpen JDK 8: windows jdk8u242-b08_openj9-0.18.1

AdoptOpen JDK 8: adoptopenjdk1.8.292.openj9

IBM JDK

IBM JDK 8: ibm-java-x86_64-sdk-8.0-6.26

Attachments

Issue Links

Activity

People

Dates