After turn on fips mode, I found JRE only allow SunJSSE TrustManagers and KeyManagers when you create a SSLContext.
I google the source code of sun.security.ssl.SSLContextImpl, and found the following code
if (tm[i] instanceof X509TrustManager) {
if (SunJSSE.isFIPS() &&
!(tm[i] instanceof X509TrustManagerImpl)) {
throw new KeyManagementException
("FIPS mode: only SunJSSE TrustManagers may be used");
}
the trustmanger must be instance of X509TrustManagerImpl class, and this class is final, so it could not be extended.
But for software requirement, I need to do additional check to the subject of certificate when doing SSL handshake,
so I use a customized trust manager to do additional check in checkServerTrusted() and checkClientTrusted().
But it results in the exception "FIPS mode: only SunJSSE TrustManagers may be used" when turn on fips mode.
Although I know forcing user to SunJSSE TrustManagers is for FIPS mode requirement, but I'm curious if there is any other way to hook the listener to do the additional strict check?
It should be common situation.