
Java Security


FIPS mode: only SunJSSE TrustManagers may be used

catit, Apr 12 2017 (edited Apr 13 2017)

After turning on FIPS mode, I found the JRE only allows SunJSSE TrustManagers and KeyManagers when you create an SSLContext.

I googled the source code of sun.security.ssl.SSLContextImpl and found the following code:

    // SSLContextImpl: in FIPS mode, reject any X509TrustManager that is not SunJSSE's own implementation
    if (tm[i] instanceof X509TrustManager) {
        if (SunJSSE.isFIPS() &&
                !(tm[i] instanceof X509TrustManagerImpl)) {
            throw new KeyManagementException
                ("FIPS mode: only SunJSSE TrustManagers may be used");
        }
    }

The trust manager must be an instance of the X509TrustManagerImpl class, and this class is final, so it cannot be extended.

But for a software requirement, I need to do an additional check on the subject of the certificate during the SSL handshake,

so I use a customized trust manager to do the additional check in checkServerTrusted() and checkClientTrusted().

But it results in the exception "FIPS mode: only SunJSSE TrustManagers may be used" when FIPS mode is turned on.

Although I know forcing users onto SunJSSE TrustManagers is a FIPS mode requirement, I'm curious whether there is any other way to hook a listener to do the additional strict check.

It should be a common situation.
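One way to keep the provider's own TrustManager and still enforce a subject rule, shown here as an added example that is not part of the original post: let the default (SunJSSE) TrustManager validate the chain, then inspect the peer's leaf certificate after startHandshake() and abort the connection if the subject DN does not match the policy. The host, port and expected DN are placeholders, and it is an assumption that a post-handshake check of this kind is acceptable for the deployment's FIPS policy.

```java
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/**
 * Added example (not from the original post): extra subject-DN check on the
 * peer certificate after the provider's default TrustManager has validated
 * the chain, instead of replacing the TrustManager.
 */
public class SubjectCheckedClient {

    /** Policy check: the leaf certificate's subject must equal the expected DN. */
    static boolean subjectMatches(X509Certificate leaf, X500Principal expected) {
        return leaf.getSubjectX500Principal().equals(expected);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder policy value; replace with the DN your requirement demands.
        X500Principal expected = new X500Principal("CN=example.internal, O=Example Corp");

        SSLContext ctx = SSLContext.getInstance("TLS");
        // null/null/null => the provider's default KeyManagers and TrustManagers,
        // so no custom X509TrustManager is ever passed to init().
        ctx.init(null, null, null);
        SSLSocketFactory factory = ctx.getSocketFactory();

        // Placeholder host and port.
        try (SSLSocket sock = (SSLSocket) factory.createSocket("example.internal", 443)) {
            SSLParameters params = sock.getSSLParameters();
            // Keep the standard hostname check in addition to the subject rule.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);

            // Chain validation by the provider's TrustManager happens here.
            sock.startHandshake();

            Certificate[] chain = sock.getSession().getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            if (!subjectMatches(leaf, expected)) {
                // Reject before any application data is written to the socket.
                throw new SSLPeerUnverifiedException(
                        "subject DN policy failed: " + leaf.getSubjectX500Principal());
            }
            // ... application traffic goes here ...
        }
    }
}
```

Because the check runs after the handshake, the TLS session is established before rejection; the application must treat a thrown exception as a failed connection and send nothing.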

Locked on May 10 2017
Added on Apr 12 2017