Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enforce a more strict FIPS 140-3 JSSE profile definition #939

Merged
merged 1 commit into from
Feb 19, 2025
Merged

Enforce a more strict FIPS 140-3 JSSE profile definition #939

merged 1 commit into from
Feb 19, 2025

Conversation

jasonkatonica
Copy link
Contributor

@jasonkatonica jasonkatonica commented Feb 17, 2025
edited
Loading

The default JSSE provider enables a few services that we would like to
disable by default whenever users are making use of the strict 140-3
FIPS profile. Specific services disabled includes the PKCS12 KeyStore,
MD5andSHA1withRSA Signature, and SSLContexts of name DTLSv1.0,
TLSv1, and TLSv1.1.

Signed-off-by: Jason Katonica [email protected]

@jasonkatonica
Enforce a more strict FIPS 140-3 JSSE profile definition
386992a 
The default JSSE provider enables a few services that we would like to
disable by default whenever users are making use of the strict 140-3
FIPS profile. Specific services disabled includes the `PKCS12` KeyStore,
`MD5andSHA1withRSA` Signature, and SSLContexts of name `DTLSv1.0`,
`TLSv1`, and `TLSv1.1`.

Signed-off-by: Jason Katonica <[email protected]>
@pshipton pshipton requested a review from keithc-ca February 18, 2025 02:29
@keithc-ca
Copy link
Member

keithc-ca commented Feb 19, 2025
edited
Loading

Please explain how adding a new provider makes the profile more strict. To me, this seems to do the opposite by permitting use of more algorithms via the new provider. Sorry I misread the change: SunJSSE was already present - this change limits the algorithms available from that provider.

@jasonkatonica
Copy link
Contributor Author

Hi Keith in case it helps, I listed all the JSSE services while running in FIPS strict mode before and after this change and the differences in services listed by the JCE framework looks as follows:

Difference.html.zip

@keithc-ca keithc-ca merged commit df94072 into ibmruntimes:openj9 Feb 19, 2025
2 checks passed
@jasonkatonica jasonkatonica deleted the katonica/issue665/jssestrictprofile branch February 19, 2025 20:28
This was referenced Feb 19, 2025
Merged
Merged
Merged
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@keithc-ca keithc-ca keithc-ca approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jasonkatonica @keithc-ca