Bug #95039 | KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used | | |
---|---|---|---|
Submitted: | 16 Apr 2019 15:36 | Modified: | 13 Mar 16:35 |
Reporter: | Przemyslaw Bielicki | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | Connector / J | Severity: | S1 (Critical) |
Version: | 5.7.x, 8.0.x | OS: | Any |
Assigned to: | Filipe Silva | CPU Architecture: | Any |
[16 Apr 2019 15:36]
Przemyslaw Bielicki
[17 Apr 2019 8:18]
Przemyslaw Bielicki
It appears this problem came up in our staging environment where MySQL server had disabled SSL. It looks like it is working as expected with DB server with SSL enabled.
[18 Apr 2019 13:25]
Przemyslaw Bielicki
In fact this is still a valid case. It was working fine with SSL but only with MySQL server 5.6. Starting with 5.7 (also checked with 8.0) it is failing with the exceptions above.
[18 Apr 2019 13:26]
Przemyslaw Bielicki
updated affected versions
[29 Oct 2020 11:30]
Charu Joshi
Is there any resolution / workaround to this issue?
[6 Nov 2020 19:34]
Filipe Silva
Hi Przemyslaw,

Thank you for this bug report. My apologies for taking so long to verify it.

This is a very tricky issue. On one hand, FIPS support in Sun's JSSE implementation has always been an experimental feature, and it was even removed in Java 9 (https://bugs.openjdk.java.net/browse/JDK-8217907); on the other hand, the default JSSE implementation doesn't offer means for validating server certificates thoroughly - a feature Connector/J needs to validate server identity, for example - so we had to implement our own TrustManagers. The problem arises when you combine both. So, there's no easy solution. We can neither stop using our X509TrustManagerWrapper, nor does it work with the JSSE default implementation with FIPS enabled.

However, it is possible to replace the default JSSE provider with BouncyCastle's one, same as you already do with the main security provider:

- Get BouncyCastle's JSSE implementation: bctls-fips-1.0.10.jar
- Add these two lines to your java.security file:
  security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
- Reset Sun's JSSE provider to its original value:
  security.provider.{N}=com.sun.net.ssl.internal.ssl.Provider

I don't know about additional configurations you may have to do, but this should give you an option to get going. Can you please confirm if this is a good solution for you?

Thank you,
[7 Dec 2020 1:00]
Bugs System
No feedback was provided for this bug for over a month, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open".
[26 Jan 2021 7:27]
Nagesh Kunchakarra
Hi, we are facing the same issue in our environment. However, we are using SafeLogic's CryptoComply instead of BouncyCastle as the FIPS provider, although I believe the underlying component is BouncyCastle itself. Did the suggestion of using BouncyCastle's JSSE provider work? Please let us know. Also, as Przemyslaw suggested, isn't it possible to move the TrustManager wrapping after the FIPS check? Thanks, Nagesh
[9 Mar 2021 13:01]
neeraj kumar
These settings worked for me in my Cassandra DB connection in FIPS mode.

However, it is possible to replace the default JSSE provider with BouncyCastle's one, same as you already do with the main security provider:

- Get BouncyCastle's JSSE implementation: bctls-fips-1.0.10.jar
- Add these two lines to your java.security file:
  security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
- Reset Sun's JSSE provider to its original value:
  security.provider.{N}=com.sun.net.ssl.internal.ssl.Provider <Removed the BCFIPS from here actually works>

Thanks,
[11 Jul 2023 15:20]
Daniel So
Posted by developer: Added the following entry to the Connector/J 8.1.0 changelog: "When using a Java 8 to 12 JRE, if JSSE was configured to use a FIPS provider, attempts to establish secure connections to a MySQL Server failed with a KeyManagementException, complaining that "FIPS mode: only SunJSSE TrustManagers may be used." It was because a custom TrustManager implemented by Connector/J was invoked but, in that case, then rejected by the default implementation of SunJSSE. With this patch, a new connection property, fipsCompliantJsse, is created for users to instruct Connector/J not to use its custom TrustManager implementation. Additionally, new connection properties are created for users to specify the security providers from which Connector/J will request the corresponding security materials such as key and trust manager factories or SSL context provider. See Issue with FIPS Mode for JSSE for details."
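As an added example (not code from the report, from Connector/J or from MySQL), the following Java check ties together Filipe's provider-order advice and the fipsCompliantJsse property from the 8.1.0 changelog: it prints which providers actually answer the JVM's default SSLContext and TrustManagerFactory lookups, then opens a connection with the driver's TrustManager wrapper disabled. The host, credentials, and the BCFKS truststore path and type are placeholders and assumptions, and Connector/J 8.1.0+ plus the BCFIPS/BCJSSE jars are assumed to be on the classpath.

```java
import java.security.Provider;
import java.security.Security;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example, not Connector/J or MySQL code. Assumes Connector/J 8.1.0+ and the BCFIPS/BCJSSE
// jars on the classpath, with java.security ordered as the thread describes (BCFIPS, BCJSSE, ...).
public class FipsJsseCheck {
    // Provider names in java.security order, to confirm the edit took effect.
    static String[] providerNames() {
        Provider[] ps = Security.getProviders();
        String[] names = new String[ps.length];
        for (int i = 0; i < ps.length; i++) names[i] = ps[i].getName();
        return names;
    }

    // Providers that answer SSLContext/TrustManagerFactory lookups made without an explicit
    // provider (the default lookup path). SunJSSE answering here while FIPS mode is on is the bug.
    static String resolvedJsseProviders() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        return "SSLContext=" + ctx.getProvider().getName() + " TrustManagerFactory=" + tmf.getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("providers: " + String.join(", ", providerNames()));
        System.out.println(resolvedJsseProviders());

        Properties props = new Properties();
        props.setProperty("user", "app_user");                                                // placeholder
        props.setProperty("password", System.getenv().getOrDefault("DB_PASSWORD", ""));       // placeholder
        props.setProperty("sslMode", "VERIFY_IDENTITY");
        props.setProperty("trustCertificateKeyStoreUrl", "file:/etc/app/truststore.bcfks");   // placeholder
        props.setProperty("trustCertificateKeyStoreType", "BCFKS");                           // assumption
        // Property from the 8.1.0 changelog: skip the driver's own TrustManager wrapper so the
        // FIPS JSSE provider validates the server chain itself.
        props.setProperty("fipsCompliantJsse", "true");

        try (Connection c = DriverManager.getConnection("jdbc:mysql://db.example.internal:3306/appdb", props)) {
            System.out.println("TLS connection established, valid=" + c.isValid(5));
        } catch (SQLException e) {
            System.err.println("connection failed: " + e.getMessage());
        }
    }
}
```

If the first two lines of output still name SunJSSE, the java.security edit has not taken effect and the property change alone will not be exercised.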