JDK-8230923 : SunJSSE is not properly initialized in FIPS mode from a configuration file
  • Type: Bug
  • Component: security-libs
  • Affected Version: 11
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2019-09-12
  • Updated: 2020-09-18
  • Resolved: 2019-09-24
Fixed in: JDK 11, build 11.0.6 b01
Description
SunJSSE security provider cannot be properly initialized in FIPS mode from a configuration file. Initialization apparently succeeds but in non-FIPS mode.

For example, assume the following security providers are configured in a 'java.security' configuration file:

security.provider.1=SunPKCS11 /path/to/nss.cfg
security.provider.2=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS

The SunJSSE provider will be initialized in non-FIPS mode, as if the configuration line were "security.provider.2=com.sun.net.ssl.internal.ssl.Provider". In fact, any invalid argument can be given and initialization will still appear to succeed, because the argument is not considered at all.

This bug affects JDK-11 only. Newer versions are not affected because "Experimental FIPS support" was removed. Older versions are not affected because the code related to loading security providers is different.
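Because the fallback described above is silent, a deployment that requires FIPS mode should verify at startup which mode SunJSSE actually came up in. The following self-check is an added example, not code from the bug report or the JDK; it assumes the crypto provider is named "SunPKCS11-NSS" as in the example configuration, and relies on the provider info string that JDK 11's SunJSSE publishes in FIPS mode ("Sun JSSE provider (FIPS mode, crypto provider <name>)").

```java
import java.security.Provider;
import java.security.Security;

/**
 * Startup self-check for the silent non-FIPS fallback of JDK-8230923.
 * Added example; assumes JDK 11 SunJSSE info strings and the provider
 * names from the bug report's sample java.security file.
 */
public final class SunJsseFipsCheck {

    /** Crypto provider SunJSSE is expected to delegate to (assumed from the sample config). */
    static final String EXPECTED_CRYPTO_PROVIDER = "SunPKCS11-NSS";

    /**
     * Returns true only when the installed SunJSSE reports FIPS mode bound to
     * the expected crypto provider. In non-FIPS mode JDK 11's info string
     * reads "Sun JSSE provider(PKCS12, SunX509/PKIX key/trust factories, ...)"
     * and contains neither marker, so the affected configuration fails here.
     */
    static boolean isSunJsseInFipsMode(Provider sunJsse, String expectedCryptoProvider) {
        if (sunJsse == null) {
            return false;                       // SunJSSE not installed at all
        }
        String info = sunJsse.getInfo();
        return info != null
            && info.contains("FIPS mode")
            && info.contains("crypto provider " + expectedCryptoProvider);
    }

    /** Fails fast instead of letting the JVM run TLS on the software provider. */
    static void requireFipsMode() {
        if (Security.getProvider(EXPECTED_CRYPTO_PROVIDER) == null) {
            throw new IllegalStateException(
                "PKCS11 provider " + EXPECTED_CRYPTO_PROVIDER + " is not installed");
        }
        Provider sunJsse = Security.getProvider("SunJSSE");
        if (!isSunJsseInFipsMode(sunJsse, EXPECTED_CRYPTO_PROVIDER)) {
            throw new IllegalStateException(
                "SunJSSE is not in FIPS mode (JDK-8230923?): "
                + (sunJsse == null ? "provider missing" : sunJsse.getInfo()));
        }
    }

    public static void main(String[] args) {
        requireFipsMode();
        System.out.println("SunJSSE OK: " + Security.getProvider("SunJSSE").getInfo());
    }
}
```

Run it once against the java.security file in use; on an affected JDK 11 build the check throws with the non-FIPS info string, on 11.0.6 b01 or later (or with the provider registered programmatically) it passes.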
Comments
URL: https://hg.openjdk.java.net/jdk-updates/jdk11u/rev/b0436c181872 User: goetz Date: 2019-10-30 09:55:51 +0000
30-10-2019

URL: https://hg.openjdk.java.net/jdk-updates/jdk11u-dev/rev/b0436c181872 User: mbalao Date: 2019-09-24 01:05:23 +0000
24-09-2019

Fix Request (jdk11u) I'd like to have an approval for this bug. Risk is low because it's a trivial patch, and there is a testcase included which exposes the issue. It has been reviewed at http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-September/001869.html
12-09-2019