Forum Stats

  • 3,827,826 Users
  • 2,260,824 Discussions
  • 7,897,390 Comments

Discussions

FIPS mode: only SunJSSE TrustManagers may be used

catit
catit Member Posts: 1

After turn on fips mode, I found JRE only allow  SunJSSE TrustManagers and KeyManagers when you create a SSLContext.

I google the source code of sun.security.ssl.SSLContextImpl, and found the following code

if (tm[i] instanceof X509TrustManager) {

   if (SunJSSE.isFIPS() &&

  !(tm[i] instanceof X509TrustManagerImpl)) {

   throw new KeyManagementException

  ("FIPS mode: only SunJSSE TrustManagers may be used");

  }

the trustmanger must be instance of X509TrustManagerImpl class, and this class is final, so it could not be extended.

But for software requirement, I need to do additional check to the subject of certificate when doing SSL handshake,

so I use a customized trust manager to do additional check in checkServerTrusted() and checkClientTrusted().

But it results in the exception "FIPS mode: only SunJSSE TrustManagers may be used" when turn on fips mode.

Although I know forcing user to SunJSSE TrustManagers is for FIPS mode requirement, but I'm curious if there is any other way to hook the listener to do the additional strict check?

It should be common situation.

This discussion has been closed.