Forum Stats

  • 3,838,476 Users
  • 2,262,371 Discussions
  • 7,900,667 Comments

Discussions

Does TLS 1.2 work with SunPKCS11-NSS provider in FIPS mode?

2905040
2905040 Member Posts: 1
edited Mar 17, 2015 5:16AM in Cryptography

The following exception occurs while processing serverHelloDone during an attempt at TLS1.2 with NSS in FIPS mode (via modutil) .

     java.security.NoSuchAlgorithmException: no such algorithm: SunTls12RsaPremasterSecret for provider SunPKCS11-NSS

Both the client and the server are running from a unit test using:

  • JDK 1.8.0_31-b13
  • nss-3.16.2.3-3

The same test runs fine in FIPS mode using TLS1.1 or TLS1.0.  The same test also runs with TLS1.2 when the keystore is not in FIPS mode.

I am thinking that it is not supported.  SunPKCS11-NSS provider needs to be updated with the SunTLS12* algorithms before this will work.  The JSSE's ClientKeyExchange expects to be able to obtain a KeyGenerator specific to TLS1.2.  When in FIPS mode, the crypto provider is SunPKCS11-NSS and it does not have the requested algorithm.

Can anyone confirm or deny this?  Any ideas as to when it will be supported?

I've been all over the map trying to figure this one out.  I am pretty sure at this point that it is not a problem with the NSS library.

This discussion has been closed.