JDK-8217907 : Remove the experimental SunJSSE FIPS compliant mode
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 13
  • Submitted: 2019-01-28
  • Updated: 2019-02-08
  • Resolved: 2019-02-08
Related Reports
CSR :  
JDK-8217835 - Remove the experimental SunJSSE FIPS compliant mode
Description
Summary
-------
Propose to remove the experimental SunJSSE FIPS 140 compliant mode, which cannot be used since JDK 9.

Problem
-------
In JDK 6, the SunJSSE provider, which contains the SSL/TLS implementation, can be configured to operate in a FIPS 140 compliant mode experimentally.

The configuration can be done in one of the following two ways:

- update the java.security file, and specify a crypto provider for the SunJSSE provider.  For example:

    - security.provider.4=com.sun.net.ssl.internal.ssl.Provider
    - security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS

- use the JDK internal class, and create a provider with a specified  crypto provider.  For example:
    - new com.sun.net.ssl.internal.ssl.Provider(cryptoProvider);

In JDK 9, with the update of java.security and the provider loading, the extra parameter of the SunJSSE provider is ignored. With the module design in JDK 9, the private package com.sun.net.ssl.internal.ssl is not accessible.  So neither of the above two customization is expected to work since JDK 9. Alternatively, applications can configure the java.security to use FIPS 140 compliant crypto providers.

The SunJSSE FIPS 140 compliant mode is an experimental feature.  The documentation had been removed from Java docs.  As this experimental feature makes the code complicated, and now it cannot be used since JDK 9, we could clean up the code and remove the feature from JDK.

Solution
--------
Clean up the code and remove the experimental FIPS 140 compliant mode from the SunJSSE provider.

Specification
-------------
The experimental FIPS 140 compliant mode is removed from the SunJSSE provider.

Suggested Release Note:
-------------
The experimental FIPS 140 compliant mode is removed from the SunJSSE provider.

Legacy applications may have used this experimental mode using one of the following approaches: update the java.security file and specify a crypto provider for the SunJSSE provider (for example, security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS), or use the JDK internal class and create a provider with a specified crypto provider (for example "new com.sun.net.ssl.internal.ssl.Provider(cryptoProvider);").

As the SunJSSE provider uses the JDK default cryptography providers, alternatively applications can configure the Java Security Property to use FIPS 140 compliant cryptography providers.
Comments
Moving to Approved.
08-02-2019