Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8250787

Provider.put no longer registering aliases in FIPS env

    Details

      Backports

        Description

        Submitter seeing regression with JDK 8u261

        When they enable FIPS, their code uses the JDK Security provider name Alias
        feature to workaround the JDBC driver's SSL Context loading problem (i.e., in
        CustomSSLSocketFactory.createSSLContext(), line 337

        /* 337 */ SSLContext arg2 = SSLContext.getInstance("SSL");

        The workaround is provided by OCI code JCEProviders.load(), with following
        use of alias "TLS" for "SSL"

                // Remove default jsse provider, and add a BC FIPS compatible one
                com.sun.net.ssl.internal.ssl.Provider jsseProvider =
                        new com.sun.net.ssl.internal.ssl.Provider(BouncyCastleFipsProvider.PROVIDER_NAME);

                jsseProvider.put("Alg.Alias.SSLContext.SSL", "TLS"); // Map SSL -> TLS for SSLContext
                Security.removeProvider(jsseProvider.getName());
                Security.insertProviderAt(jsseProvider, 2);
                log.info("Initialized JSSE provider with BouncyCastle-FIPS in position 2");


        Now with latest JDK8 261 B33, this workaround no longer works, and saw
        following exception when connecting to ATP Database by using JDBC8 driver

        Exception in thread "main" java.sql.SQLRecoverableException: IO Error: The
        Network Adapter could not establish the connection
                at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:801)
                at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:782)
                at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:39)
                at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:704)
                at java.sql.DriverManager.getConnection(DriverManager.java:664)
                at java.sql.DriverManager.getConnection(DriverManager.java:208)
                at com.oracle.oci.cnrc.jdbc.Main.getConnection(Main.java:86)
                at com.oracle.oci.cnrc.jdbc.Main.main(Main.java:42)
        Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
                at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:569)
                at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:521)
                at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:660)
                at oracle.net.ns.NSProtocol.connect(NSProtocol.java:287)
                at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1481)
                at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:540)
                ... 7 more
        Caused by: oracle.net.ns.NetException: Unable to initialize ssl context.
                atoracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:344)
                at oracle.net.nt.CustomSSLSocketFactory.getSSLContext(CustomSSLSocketFactory.java:305)
                at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketEngine(CustomSSLSocketFactory.java:271)
                at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:170)
                at oracle.net.nt.ConnOption.connect(ConnOption.java:172)
                at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:508)
                ... 12 more
        Caused by: java.security.NoSuchAlgorithmException: SSL SSLContext not available
                at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
                at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
                at oracle.net.nt.CustomSSLSocketFactory.createSSLContext(CustomSSLSocketFactory.java:337)
                ... 17 more

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  coffeys Sean Coffey
                  Reporter:
                  shadowbug Shadow Bug
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  10 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: