Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhel-9.4
Affects Version/s: rhel-9.3.0
Component/s: crypto-policies
Labels:
- Accepted
- CY24Q1
- FIPS

Fixed in Build:
crypto-policies-20240202-1.git283706d.el9
Regression:
None
Severity:
None
Epic Link:
CRYPTO-11831
sprint_count:
1

Pool Team:

rhel-sst-security-crypto
Sub-System Group:

ssg_security

Dev Target Milestone:
24
Internal Target Milestone:
25
Story Points:
1
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Products:

Red Hat Enterprise Linux
Sprint:
Crypto24Q1

Acceptance Criteria:
- (gating) SSLSocketFactory.getDefault().getDefaultCipherSuites() returns only FIPS compliant ciphersuites in FIPS mode
Test Plan:
https://tcms.engineering.redhat.com/plan/34117
Preliminary Testing:
Pass
Test Link:
https://tcms.engineering.redhat.com/case/0589028/
Errata Link:
https://errata.engineering.redhat.com/advisory/120978
Gating Tests:

Needed
Test Coverage:

Automated

Release Note Type:
Release Note Not Required

Experience:
Architecture:

All

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

When FIPS mode is enabled java SSLSocketFactory.getDefault().getDefaultCipherSuites() rerun the list that contains chaca20_poly1305 ciphersuites that are not FIPS compliant. This was not happening with java-1.8.0-openjdk but started happening with java-11-openjdk in RHEL-9. The reason is that this version of java added support for TLS 1.3 and our java crypto-policies for FIPS does not disable chacha20 explicitly.

Please provide the package NVR for which bug is seen:

java-11-openjdk-11.0.21.0.9-2.el9

How reproducible:

100%

Steps to reproduce

Enable fips mode

# fips-mode-setup --enable && reboot

Compile and run the following java program:

# cat Client.java
import java.io.*;
import javax.net.ssl.*;public class Client {
    public static void main(String[] args) throws Exception {
        try {
            String[] cipherSuites = ((SSLSocketFactory) SSLSocketFactory.getDefault()).getDefaultCipherSuites();
            for (int i=0; i < cipherSuites.length; i++)
                System.out.println(cipherSuites[i]);                
            System.exit(0);
        } catch (Exception e) {            
            e.printStackTrace();
            System.exit(1);
        }
    }
}

# javac Client.java

# java Client
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Expected results

Only FIPS compliant ciphersuites - ie. no CHACHA20_POLY1305 ones.

Actual results

See above.

links to

RHEA-2023:120978 crypto-policies bug fix and enhancement update

mentioned on

Commit - Update from upstream (ostree, java chacha20)

Merge request - Update from upstream (ostree, java chacha20)

Assignee:: Alexander Sosedkin

Reporter:: Ondrej Moris

Developer:: Alexander Sosedkin

QA Contact:: Ondrej Moris

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2023/12/07 7:50 AM

Updated:: 2024/06/19 1:54 PM

Resolved:: 2024/04/30 10:16 AM

Dev Target end:: 2024/02/12

Target end:: 2024/02/19

Release Date:: 2024/04/30

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates