JDK-8217907

Remove the experimental SunJSSE FIPS compliant mode

Details

    • CSR
    • Resolution: Approved
    • P3
    • 13
    • security-libs
    • None
    • behavioral
    • minimal
    • Java API, Other
    • JDK

    Description

      Summary

      Propose to remove the experimental SunJSSE FIPS 140 compliant mode, which cannot be used since JDK 9.

      Problem

      In JDK 6, the SunJSSE provider, which contains the SSL/TLS implementation, can be configured to operate in a FIPS 140 compliant mode experimentally.

      The configuration can be done in one of the following two ways:

      • update the java.security file, and specify a crypto provider for the SunJSSE provider. For example:

        • security.provider.4=com.sun.net.ssl.internal.ssl.Provider
        • security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS
      • use the JDK internal class, and create a provider with a specified crypto provider. For example:

        • new com.sun.net.ssl.internal.ssl.Provider(cryptoProvider);

      In JDK 9, with the update of java.security and the provider loading, the extra parameter of the SunJSSE provider is ignored. With the module design in JDK 9, the private package com.sun.net.ssl.internal.ssl is not accessible. So neither of the above two customizations is expected to work since JDK 9. Alternatively, applications can configure the java.security file to use FIPS 140 compliant crypto providers.
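A check for both legacy configurations described above, as an added example that is not part of the original issue or of the JDK: it flags java.security entries that pass a crypto provider to SunJSSE, and source lines that construct the internal class with one. Treating the short name SunJSSE like the class name is an assumption, and the sample inputs are constructed.

```python
import re

# Names under which SunJSSE can be listed in java.security: the legacy class
# name from the page, and the short name (assumption: JDK 9+ style entries).
SUNJSSE_NAMES = {"com.sun.net.ssl.internal.ssl.Provider", "SunJSSE"}
PROVIDER_LINE = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(\S+)\s*(.*?)\s*$")
# Fully qualified constructor call with a non-empty argument list.
CTOR_CALL = re.compile(r"new\s+com\.sun\.net\.ssl\.internal\.ssl\.Provider\s*\(\s*[^)\s]")

def audit_java_security(text):
    """Return [(position, provider, argument)] for SunJSSE entries that pass a
    crypto provider argument, i.e. the legacy FIPS mode setting."""
    entries = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue  # properties-file comment
        m = PROVIDER_LINE.match(line)
        if m:
            # A repeated key overrides the earlier line, as Properties.load() does.
            entries[int(m.group(1))] = (m.group(2), m.group(3))
    return [(pos, name, arg) for pos, (name, arg) in sorted(entries.items())
            if name in SUNJSSE_NAMES and arg]

def audit_java_source(source):
    """Return 1-based line numbers that construct the internal provider class
    with an argument (textual match only; imports and aliases are not resolved)."""
    return [n for n, line in enumerate(source.splitlines(), 1) if CTOR_CALL.search(line)]

# Constructed sample inputs, not taken from a real system.
SAMPLE_CONFIG = """\
# security.provider.9=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS
security.provider.1=SUN
security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS
security.provider.5=SunJCE
"""
SAMPLE_SOURCE = """\
Provider p = new com.sun.net.ssl.internal.ssl.Provider(cryptoProvider);
Provider q = new com.sun.net.ssl.internal.ssl.Provider();
"""

if __name__ == "__main__":
    for pos, name, arg in audit_java_security(SAMPLE_CONFIG):
        print(f"security.provider.{pos}: {name} is given '{arg}', ignored since JDK 9")
    for n in audit_java_source(SAMPLE_SOURCE):
        print(f"source line {n}: internal SunJSSE class constructed with a crypto provider")
```

A hit in the configuration file means the deployment may be relying on a setting that JDK 9 and later silently ignore, so the crypto providers actually in use should be reviewed.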

      The SunJSSE FIPS 140 compliant mode is an experimental feature, and its documentation has been removed from the Java docs. As this experimental feature complicates the code and cannot be used since JDK 9, we could clean up the code and remove the feature from the JDK.

      Solution

      Clean up the code and remove the experimental FIPS 140 compliant mode from the SunJSSE provider.

      Specification

      The experimental FIPS 140 compliant mode is removed from the SunJSSE provider.

      Suggested Release Note:

      The experimental FIPS 140 compliant mode is removed from the SunJSSE provider.

      Legacy applications may have used this experimental mode using one of the following approaches: update the java.security file and specify a crypto provider for the SunJSSE provider (for example, security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS), or use the JDK internal class and create a provider with a specified crypto provider (for example "new com.sun.net.ssl.internal.ssl.Provider(cryptoProvider);").

      As the SunJSSE provider uses the JDK default cryptography providers, alternatively applications can configure the Java Security Property to use FIPS 140 compliant cryptography providers.

            People

              xuelei Xuelei Fan
              xuelei Xuelei Fan
              Sean Mullan