Skip to content

Exclude FIPS+TLSv1.2 testing with native client (ojdk lacks ems support) #35

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
judovana merged 1 commit into from
Aug 4, 2025
Merged

Exclude FIPS+TLSv1.2 testing with native client (ojdk lacks ems support) #35

judovana merged 1 commit into from
Aug 4, 2025

Conversation

@zzambers
Copy link
Collaborator

@zzambers zzambers commented Aug 4, 2025
edited
Loading

Currently cases using TLSv1.2 fail in fips mode, when native client is used. It is because openjdk lacks EMS (extended master secret) support for TLSv1.2. This seems unlikely to be fixed soon (waits for pkcs11 mechanism to be standartized).

So exclude TLSV1.2+FIPS+native clients. (Can be re-enabled if implemented)

judovana
judovana reviewed Aug 4, 2025
View reviewed changes
ssl-tests/ssl-tests.mk
if [ 1 = "$(TEST_PKCS11_FIPS)" ] ; then \
if ! [ 1 = "$(JAVA_CONF_FIPS)" ] || ! [ 1 = "$(FIPS_MODE_ENABLED)" ] ; then \
printf '%s' 'TLSv1|TLSv1.1|TLSv1.3' ; \
elif [ 1 = "$(SSLTESTS_USE_OPENSSL_CLIENT)" ] || [ 1 = "$(SSLTESTS_USE_GNUTLS_CLIENT)" ] || [ 1 = "$(SSLTESTS_USE_NSS_CLIENT)" ] ; then \
Copy link
Collaborator

@judovana judovana Aug 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it can include jdk version in this condition? And for jdk26 and up it can conisder pkcs11 as standartised?

Copy link
Collaborator Author

@zzambers zzambers Aug 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not aware this would be implemented in any jdk version (or expected to be implemented) . Only jdk21+ (?) also supports TLSv1.3 in FIPS, which does not have this problem.

Copy link
Collaborator Author

@zzambers zzambers Aug 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it will be implemented in future version, but I would wait for it to happen...

Copy link
Collaborator

@judovana judovana Aug 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure:(

@judovana judovana merged commit ff99362 into rh-openjdk:master Aug 4, 2025
50 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@judovana judovana judovana left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@zzambers @judovana