Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-21942

FIPS: TLSv1.1 has been disabled on OpenJDK

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Done
    • 7.4.0.Beta
    • None
    • Documentation, Security
    • None
    • False
    • False
    • Undefined

    Description

      Recently TLSv.1.1 has been disabled on most of the JDKs we use to test FIPS for EAP: https://bugs.openjdk.java.net/browse/JDK-8254713;

      Our 7.4 documentation still suggests using TLSv1.1: https://access.redhat.com/login?redirectTo=https%3A%2F%2Faccess.redhat.com%2Fdocumentation%2Fen-us%2Fred_hat_jboss_enterprise_application_platform%2F7.4-beta%2Fhtml-single%2Fhow_to_configure_server_security%2Findex%23fips_compliant_cryptography;

      This should be reflected in documentation in order to give customers indications on how-to setup FIPS with TLSv1.2 (or higher?) and OpenJDK;

      In particular TLSv.1.1 has been disabled on OpenJDKs:

      OpenJDK

      OpenJDK 8 for RHEL: openjdk-1.8.0.292.b10

      jre/lib/security/java.security

      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
          DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
          include jdk.disabled.namedCurves
      

      OpenJDK 8 for Windows: windows java-1.8.0-openjdk-1.8.0.292-1.b10.redhat.windows.x86_64

      jre/lib/security/java.security

      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
          DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
          include jdk.disabled.namedCurves
      

      OpenJDK 11 for RHEL: openjdk-11.0.11.0.9

      conf/security/java.security

      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
          DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
          include jdk.disabled.namedCurves
      

      OpenJDK 11 for Windows: windows java-11-openjdk-11.0.11.9-1.windows.redhat.x86_64

      conf/security/java.security

      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
          DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
          include jdk.disabled.namedCurves
      

      Attachments

        Issue Links

          Activity

            People

              ncbaratta Nicole Baratta
              tborgato@redhat.com Tommaso Borgato
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: