From 2bc635e2c2e64cf60b01663b94d748ccecb7ff04 Mon Sep 17 00:00:00 2001
From: Tao Liu
Date: Thu, 30 Mar 2023 11:54:00 -0400
Subject: [PATCH] Support For AES/GCM Cipher For FIPS Mode
Signed-off-by: Tao Liu
---
 .../share/conf/security/java.security | 55 ++++++++++++-------
 1 file changed, 34 insertions(+), 21 deletions(-)
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index 406b23013b8..050dfc655da 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -87,29 +87,42 @@ security.provider.tbd=SunPKCS11
 # Java Restricted Security Mode
 #
 RestrictedSecurity1.desc.name = Red Hat Enterprise Linux 8 NSS Cryptographic Module FIPS 140-2
-RestrictedSecurity1.desc.number = Certificate #3946
-RestrictedSecurity1.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3946
-RestrictedSecurity1.desc.sunsetDate = 2026-06-06
+RestrictedSecurity1.desc.number = Certificate #4413
+RestrictedSecurity1.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4413
+RestrictedSecurity1.desc.sunsetDate = 2026-09-21
 RestrictedSecurity1.tls.disabledNamedCurves =
-RestrictedSecurity1.tls.disabledAlgorithms = X25519, X448, SSLv3, TLSv1, TLSv1.1, \
- TLS_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, \
- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, \
- TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, \
- TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, \
- TLS_RSA_WITH_AES_128_CBC_SHA, TLS_AES_256_GCM_SHA384, \
- TLS_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, \
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, \
- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, \
- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, \
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, \
- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+RestrictedSecurity1.tls.disabledAlgorithms = \
+ SSLv3, \
+ TLS_AES_128_GCM_SHA256, \
+ TLS_AES_256_GCM_SHA384, \
+ TLS_CHACHA20_POLY1305_SHA256, \
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, \
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, \
+ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, \
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, \
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, \
+ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, \
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \
+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, \
+ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, \
+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, \
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, \
+ TLS_EMPTY_RENEGOTIATION_INFO_SCSV, \
+ TLS_RSA_WITH_AES_128_CBC_SHA, \
+ TLS_RSA_WITH_AES_128_CBC_SHA256, \
+ TLS_RSA_WITH_AES_128_GCM_SHA256, \
+ TLS_RSA_WITH_AES_256_CBC_SHA, \
+ TLS_RSA_WITH_AES_256_CBC_SHA256, \
+ TLS_RSA_WITH_AES_256_GCM_SHA384, \
+ TLSv1, \
+ TLSv1.1, \
+ X25519, \
+ X448
 RestrictedSecurity1.tls.ephemeralDHKeySize =
 RestrictedSecurity1.tls.legacyAlgorithms =
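Review bot: The rewritten `RestrictedSecurity1.tls.disabledAlgorithms` list drops the four static-ECDH suites (`TLS_ECDH_ECDSA_WITH_AES_*_GCM_*` and `TLS_ECDH_RSA_WITH_AES_*_GCM_*`) together with the four ECDHE AES-GCM suites, and static ECDH key exchange gives no forward secrecy. If only ephemeral key exchange is meant to be enabled, the static ones should stay in the list, e.g. `TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, \` and its three siblings. Because the list is re-sorted in the same commit, these eight removals are hard to spot; a comment above the property such as `# AES-GCM with ECDHE key exchange is intentionally left enabled (TLS 1.2)` would make the intent auditable. `TLS_AES_128_GCM_SHA256` and `TLS_AES_256_GCM_SHA384` remain disabled, so the profile appears to be limited to TLS 1.2, which is worth confirming. The unchanged `desc.name` line should also be checked against certificate #4413.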