Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-22388

TLSv1.2 fails on windows with FIPS mode

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Done
    • 7.4.0.GA
    • None
    • Security
    • None

    Description

      FIPS-configured jdk fail to do SSL handshake on windows when using TLSv1.2. It fail on all jdks besides oracle-11.

      RSA master secret generation error occurs on server side on fips-jdks after ClientKeyExchange message have been received.

      At this stage, server should be able to generate master secret and, considering error message, it tries to generate master secret but fails. The exception is java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-testPkcs. Mentioned algorithm must be a function for master secret generation.

      SSLMasterKeyDerivation.java:158|RSA master secret generation error. (
      "throwable" : {
         java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-testPkcs
         	at java.base/sun.security.jca.GetInstance.getService(GetInstance.java:101)
         	at java.base/javax.crypto.JceSecurity.getInstance(JceSecurity.java:140)
         	at java.base/javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:326)
         	at java.base/sun.security.ssl.JsseJce.getKeyGenerator(JsseJce.java:230)
         	at java.base/sun.security.ssl.SSLMasterKeyDerivation$LegacyMasterKeyDerivation.deriveKey(SSLMasterKeyDerivation.java:148)
         	at java.base/sun.security.ssl.KAKeyDerivation.t12DeriveKey(KAKeyDerivation.java:89)
         	at java.base/sun.security.ssl.KAKeyDerivation.deriveKey(KAKeyDerivation.java:61)
         	at java.base/sun.security.ssl.ECDHClientKeyExchange$ECDHEClientKeyExchangeProducer.produce(ECDHClientKeyExchange.java:419)
         	at java.base/sun.security.ssl.ClientKeyExchange$ClientKeyExchangeProducer.produce(ClientKeyExchange.java:65)
         	at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
         	at java.base/sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182)
         	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
         	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
         	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
         	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
         	at java.base/java.security.AccessController.doPrivileged(Native Method)
         	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
         	at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:549)
         	at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:244)
         	at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:113)
         	at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:77)
         	at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
         	at org.jboss.remoting@5.0.20.SP1-redhat-00001//org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:264)
         	at org.jboss.remoting@5.0.20.SP1-redhat-00001//org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:243)
         	at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
         	at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
         	at org.jboss.xnio.nio@3.8.4.Final-redhat-00001//org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
         	at org.jboss.xnio.nio@3.8.4.Final-redhat-00001//org.xnio.nio.WorkerThread.run(WorkerThread.java:591)}
       
       )
       XNIO001007: A channel event listener threw an exception: java.security.ProviderException: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-testPkcs
       	at java.base/sun.security.ssl.SSLMasterKeyDerivation$LegacyMasterKeyDerivation.deriveKey(SSLMasterKeyDerivation.java:160)
       	at java.base/sun.security.ssl.KAKeyDerivation.t12DeriveKey(KAKeyDerivation.java:89)
       	at java.base/sun.security.ssl.KAKeyDerivation.deriveKey(KAKeyDerivation.java:61)
       	at java.base/sun.security.ssl.ECDHClientKeyExchange$ECDHEClientKeyExchangeProducer.produce(ECDHClientKeyExchange.java:419)
       	at java.base/sun.security.ssl.ClientKeyExchange$ClientKeyExchangeProducer.produce(ClientKeyExchange.java:65)
       	at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
       	at java.base/sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182)
       	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
       	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
       	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
       	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
       	at java.base/java.security.AccessController.doPrivileged(Native Method)
       	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
       	at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:549)
       	at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:244)
       	at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:113)
       	at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:77)
       	at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
       	at org.jboss.remoting@5.0.20.SP1-redhat-00001//org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:264)
       	at org.jboss.remoting@5.0.20.SP1-redhat-00001//org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:243)
       	at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
       	at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
       	at org.jboss.xnio.nio@3.8.4.Final-redhat-00001//org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
       	at org.jboss.xnio.nio@3.8.4.Final-redhat-00001//org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
       Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-testPkcs
       	at java.base/sun.security.jca.GetInstance.getService(GetInstance.java:101)
       	at java.base/javax.crypto.JceSecurity.getInstance(JceSecurity.java:140)
       	at java.base/javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:326)
       	at java.base/sun.security.ssl.JsseJce.getKeyGenerator(JsseJce.java:230)
       	at java.base/sun.security.ssl.SSLMasterKeyDerivation$LegacyMasterKeyDerivation.deriveKey(SSLMasterKeyDerivation.java:148)
       	... 23 more
      

      NSS tools version is 3.17, nss-tools support TLSv1.2 since 5.15. All jdks also support TLSv1.2.
      Cipher suite used for handshake: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030).

      Strange part is that it works perfectly on oracle-jdk 11 ( SunTls12MasterSecret is provided by other provider?){{}}

      I create this JIRA as a place for finding out what the problem is.{{}}

      Attachments

        Activity

          People

            Unassigned Unassigned
            rhn-support-ngibor Nikita Gibor
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: