JDK-8250787

Provider.put no longer registering aliases in FIPS env


        Submitter is seeing a regression with JDK 8u261.

        When they enable FIPS, their code uses the JDK Security provider name alias
        feature to work around the JDBC driver's SSL Context loading problem (i.e., in
        CustomSSLSocketFactory.createSSLContext(), line 337):

        /* 337 */ SSLContext arg2 = SSLContext.getInstance("SSL");

        The workaround is provided by OCI code JCEProviders.load(), with the following
        use of alias "TLS" for "SSL":

                // Remove default jsse provider, and add a BC FIPS compatible one
                com.sun.net.ssl.internal.ssl.Provider jsseProvider =
                        new com.sun.net.ssl.internal.ssl.Provider(BouncyCastleFipsProvider.PROVIDER_NAME);

                jsseProvider.put("Alg.Alias.SSLContext.SSL", "TLS"); // Map SSL -> TLS for SSLContext
                Security.removeProvider(jsseProvider.getName());
                Security.insertProviderAt(jsseProvider, 2);
                log.info("Initialized JSSE provider with BouncyCastle-FIPS in position 2");


        Now with latest JDK8 261 B33, this workaround no longer works, and the
        following exception is seen when connecting to ATP Database using the JDBC8 driver:

        Exception in thread "main" java.sql.SQLRecoverableException: IO Error: The
        Network Adapter could not establish the connection
                at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:801)
                at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:782)
                at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:39)
                at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:704)
                at java.sql.DriverManager.getConnection(DriverManager.java:664)
                at java.sql.DriverManager.getConnection(DriverManager.java:208)
                at com.oracle.oci.cnrc.jdbc.Main.getConnection(Main.java:86)
                at com.oracle.oci.cnrc.jdbc.Main.main(Main.java:42)
        Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
                at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:569)
                at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:521)
                at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:660)
                at oracle.net.ns.NSProtocol.connect(NSProtocol.java:287)
                at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1481)
                at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:540)
                ... 7 more
        Caused by: oracle.net.ns.NetException: Unable to initialize ssl context.
                at oracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:344)
                at oracle.net.nt.CustomSSLSocketFactory.getSSLContext(CustomSSLSocketFactory.java:305)
                at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketEngine(CustomSSLSocketFactory.java:271)
                at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:170)
                at oracle.net.nt.ConnOption.connect(ConnOption.java:172)
                at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:508)
                ... 12 more
        Caused by: java.security.NoSuchAlgorithmException: SSL SSLContext not available
                at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
                at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
                at oracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:337)
                ... 17 more

              coffeys Sean Coffey
              shadowbug Shadow Bug
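
A startup check for the failure described above, added here as an example (it is not code from the JDK, the OCI code or the JDBC driver): it asks each installed provider whether the "SSL" alias resolves to "TLS" for SSLContext, then makes the same SSLContext.getInstance("SSL") call as the driver. The class name SslAliasCheck, the demo provider and its placeholder SPI class name are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;

public class SslAliasCheck {
    /** True when p resolves type/alias to a service whose standard name is target. */
    static boolean resolves(Provider p, String type, String alias, String target) {
        Provider.Service s = p.getService(type, alias);
        return s != null && target.equalsIgnoreCase(s.getAlgorithm());
    }

    /** Constructed provider: registers TLS and the SSL -> TLS alias, both through put(). */
    static Provider demoProvider() {
        Provider p = new Provider("AliasDemo", 1.0, "constructed demo provider") { };
        // Placeholder class name (hypothetical); getService() never instantiates it.
        p.put("SSLContext.TLS", "example.PlaceholderSSLContextSpi");
        p.put("Alg.Alias.SSLContext.SSL", "TLS"); // same alias key as in the report
        return p;
    }

    public static void main(String[] args) {
        // 1. Does an alias registered through Provider.put() resolve on this JDK build?
        System.out.println("demo provider resolves SSL -> TLS: "
                + resolves(demoProvider(), "SSLContext", "SSL", "TLS"));

        // 2. Which installed providers offer SSLContext, and do they honour the alias?
        for (Provider p : Security.getProviders()) {
            boolean hasTls = p.getService("SSLContext", "TLS") != null;
            boolean hasSsl = p.getService("SSLContext", "SSL") != null;
            if (!hasTls && !hasSsl) {
                continue; // provider has no SSLContext services
            }
            System.out.printf("%s: TLS=%s, SSL alias -> TLS=%s%n", p.getName(),
                    hasTls, resolves(p, "SSLContext", "SSL", "TLS"));
        }

        // 3. The lookup the driver performs at CustomSSLSocketFactory line 337.
        try {
            SSLContext ctx = SSLContext.getInstance("SSL");
            System.out.println("SSLContext \"SSL\" served by " + ctx.getProvider().getName());
        } catch (NoSuchAlgorithmException e) {
            System.out.println("SSLContext \"SSL\" not available: " + e.getMessage());
        }
    }
}
```

Run it after the application's own provider setup (for example after JCEProviders.load()) so that step 2 reports the providers as the driver will see them.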