Details
Bug
Resolution: Done
Major
7.4.0.GA
Description
FIPS-configured JDKs fail to complete the SSL handshake on Windows when using TLSv1.2. It fails on all JDKs besides oracle-11.
An RSA master secret generation error occurs on the server side on FIPS JDKs after the ClientKeyExchange message has been received.
At this stage, the server should be able to generate the master secret and, judging by the error message, it tries to generate the master secret but fails. The exception is java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-testPkcs. The mentioned algorithm must be a function for master secret generation.
SSLMasterKeyDerivation.java:158|RSA master secret generation error. (
"throwable" : {
java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-testPkcs
    at java.base/sun.security.jca.GetInstance.getService(GetInstance.java:101)
    at java.base/javax.crypto.JceSecurity.getInstance(JceSecurity.java:140)
    at java.base/javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:326)
    at java.base/sun.security.ssl.JsseJce.getKeyGenerator(JsseJce.java:230)
    at java.base/sun.security.ssl.SSLMasterKeyDerivation$LegacyMasterKeyDerivation.deriveKey(SSLMasterKeyDerivation.java:148)
    at java.base/sun.security.ssl.KAKeyDerivation.t12DeriveKey(KAKeyDerivation.java:89)
    at java.base/sun.security.ssl.KAKeyDerivation.deriveKey(KAKeyDerivation.java:61)
    at java.base/sun.security.ssl.ECDHClientKeyExchange$ECDHEClientKeyExchangeProducer.produce(ECDHClientKeyExchange.java:419)
    at java.base/sun.security.ssl.ClientKeyExchange$ClientKeyExchangeProducer.produce(ClientKeyExchange.java:65)
    at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
    at java.base/sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
    at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:549)
    at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:244)
    at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:113)
    at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:77)
    at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
    at org.jboss.remoting@5.0.20.SP1-redhat-00001//org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:264)
    at org.jboss.remoting@5.0.20.SP1-redhat-00001//org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:243)
    at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
    at org.jboss.xnio.nio@3.8.4.Final-redhat-00001//org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
    at org.jboss.xnio.nio@3.8.4.Final-redhat-00001//org.xnio.nio.WorkerThread.run(WorkerThread.java:591)}
)
XNIO001007: A channel event listener threw an exception: java.security.ProviderException: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-testPkcs
    at java.base/sun.security.ssl.SSLMasterKeyDerivation$LegacyMasterKeyDerivation.deriveKey(SSLMasterKeyDerivation.java:160)
    at java.base/sun.security.ssl.KAKeyDerivation.t12DeriveKey(KAKeyDerivation.java:89)
    at java.base/sun.security.ssl.KAKeyDerivation.deriveKey(KAKeyDerivation.java:61)
    at java.base/sun.security.ssl.ECDHClientKeyExchange$ECDHEClientKeyExchangeProducer.produce(ECDHClientKeyExchange.java:419)
    at java.base/sun.security.ssl.ClientKeyExchange$ClientKeyExchangeProducer.produce(ClientKeyExchange.java:65)
    at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
    at java.base/sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
    at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:549)
    at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:244)
    at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:113)
    at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:77)
    at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
    at org.jboss.remoting@5.0.20.SP1-redhat-00001//org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:264)
    at org.jboss.remoting@5.0.20.SP1-redhat-00001//org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener.handleEvent(RemoteConnection.java:243)
    at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.jboss.xnio@3.8.4.Final-redhat-00001//org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
    at org.jboss.xnio.nio@3.8.4.Final-redhat-00001//org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
    at org.jboss.xnio.nio@3.8.4.Final-redhat-00001//org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-testPkcs
    at java.base/sun.security.jca.GetInstance.getService(GetInstance.java:101)
    at java.base/javax.crypto.JceSecurity.getInstance(JceSecurity.java:140)
    at java.base/javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:326)
    at java.base/sun.security.ssl.JsseJce.getKeyGenerator(JsseJce.java:230)
    at java.base/sun.security.ssl.SSLMasterKeyDerivation$LegacyMasterKeyDerivation.deriveKey(SSLMasterKeyDerivation.java:148)
    ... 23 more
NSS tools version is 3.17; nss-tools has supported TLSv1.2 since 5.15. All JDKs also support TLSv1.2.
Cipher suite used for handshake: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030).
The strange part is that it works perfectly on oracle-jdk 11 (is SunTls12MasterSecret provided by another provider?).
I created this JIRA as a place for finding out what the problem is.
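A diagnostic for the provider question raised above, added here as an example and not part of the original report: it lists, in preference order, which installed JCA providers register the KeyGenerator that the stack trace fails to find. The class name TlsKeyGenProviders and the sibling algorithm names (taken from what the SunJCE provider registers) are assumptions of this example.

```java
import java.security.Provider;
import java.security.Security;
import java.util.List;

// Added example (hypothetical class name): shows which installed providers
// offer the JSSE-internal KeyGenerator algorithms used for TLS 1.2 key derivation.
public class TlsKeyGenProviders {

    // SunTls12MasterSecret is the algorithm named in the exception above.
    // The others are related KeyGenerator names registered by SunJCE,
    // included to show whether the whole TLS 1.2 key schedule is covered.
    static final List<String> ALGORITHMS = List.of(
            "SunTls12MasterSecret",
            "SunTls12KeyMaterial",
            "SunTls12Prf",
            "SunTlsRsaPremasterSecret");

    public static void main(String[] args) {
        // Providers are returned in the preference order of the active
        // java.security configuration, so position matters.
        Provider[] providers = Security.getProviders();

        for (String alg : ALGORITHMS) {
            System.out.println("KeyGenerator." + alg);
            boolean found = false;
            for (int i = 0; i < providers.length; i++) {
                // getService returns null when the provider does not
                // register this type/algorithm pair (aliases included).
                if (providers[i].getService("KeyGenerator", alg) != null) {
                    System.out.printf("  #%d %s%n", i + 1, providers[i].getName());
                    found = true;
                }
            }
            if (!found) {
                System.out.println("  (no installed provider)");
            }
        }
    }
}
```

Run it with the same JDK and the same security properties as the failing server, and compare the output against the JDK where the handshake succeeds. A SunPKCS11 provider only registers algorithms whose mechanisms the underlying token reports.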