Issue
What were you trying to do that didn't work?
When FIPS mode is enabled java SSLSocketFactory.getDefault().getDefaultCipherSuites() rerun the list that contains chaca20_poly1305 ciphersuites that are not FIPS compliant. This was not happening with java-1.8.0-openjdk but started happening with java-11-openjdk in RHEL-9. The reason is that this version of java added support for TLS 1.3 and our java crypto-policies for FIPS does not disable chacha20 explicitly.
Please provide the package NVR for which bug is seen:
java-11-openjdk-11.0.21.0.9-2.el9
How reproducible:
100%
Steps to reproduce
Enable fips mode
# fips-mode-setup --enable && reboot
Compile and run the following java program:
# cat Client.java
import java.io.*;
import javax.net.ssl.*;public class Client {
public static void main(String[] args) throws Exception {
try {
String[] cipherSuites = ((SSLSocketFactory) SSLSocketFactory.getDefault()).getDefaultCipherSuites();
for (int i=0; i < cipherSuites.length; i++)
System.out.println(cipherSuites[i]);
System.exit(0);
} catch (Exception e) {
e.printStackTrace();
System.exit(1);
}
}
}
# javac Client.java
# java Client
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Expected results
Only FIPS compliant ciphersuites - ie. no CHACHA20_POLY1305 ones.
Actual results
See above.
