From f51f32943e012ca78d401b32ef2c8bfd845ada4e Mon Sep 17 00:00:00 2001 From: JinhangZhang Date: Fri, 9 Aug 2024 13:58:56 -0400 Subject: [PATCH] Disable more DHE related ciphersuites DHE related cipher suites need Diffie-Hellman crypto services. However, those crypto services are not allowed in strict profile in FIPS140-3. Signed-off-by: Jinhang Zhang --- src/java.base/share/conf/security/java.security | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security index 4032b871b0..f0fcc8c322 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -188,7 +188,7 @@ RestrictedSecurity.NSS.140-2.securerandom.algorithm = PKCS11 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.name = OpenJCEPlusFIPS Cryptographic Module FIPS 140-3 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.default = false RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.fips = true -RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.hash = SHA256:b3e01416cda6ca0134e92940b1c2d94664a742325cbbc8d65b6f536ea3770853 +RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.hash = SHA256:a5bd1607d552ad08e8d3372bceaedb759a68a48ed8d3840abc1992615a814447 RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.number = Certificate #XXX RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.policy = https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/ RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.desc.sunsetDate = 2026-09-21 @@ -213,7 +213,11 @@ RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3.tls.disabledAlgorithms = \ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, \ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, \ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \ + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \ + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \ + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \ + TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, \ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, \ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, \ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \