NSS on fips mode supports TLS only. SSL is not supported.
On Friday, 4 September 2015 00:38:58 UTC+5:30, Ernie Kovak wrote:
> Using NSS 3.20 built on Windows, using it with Java 8 for SSL connections
> from thick client to FIPS-enabled server. It fails to establish a connection,
> generating the following exception:
>
> Caused by: javax.net.ssl.SSLKeyException: RSA premaster secret error
> at
> sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:86)
> at
> sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:906)
>
> Caused by: java.security.NoSuchAlgorithmException: no such algorithm:
> SunTls12RsaPremasterSecret for provider SunPKCS11-nss-fips
> at sun.security.jca.GetInstance.getService(GetInstance.java:101)
> at javax.crypto.JceSecurity.getInstance(JceSecurity.java:109)
> at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:303)
> at sun.security.ssl.JsseJce.getKeyGenerator(JsseJce.java:274)
> at
> sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:77)
>
> The error occurs after client and server agree to use the
> TLS_RSA_WITH_AES_128_CBC_SHA256 cipher. The client can't encrypt the
> pre-master-secret.
>
> The list of services and algorithms for the provider does not include the
> SunTls12RsaPremasterSecret:
>
> DEBUG - NSSConfigurationHandler: NSS Provider successfully instantiated
> DEBUG - AFTER loading the NSS provider
> DEBUG - Provider: SunPKCS11-nss-fips
> Service: Mac HmacSHA1
> Service: SecretKeyFactory DES
> Service: MessageDigest SHA-384
> Service: Signature SHA256withECDSA
> Service: KeyPairGenerator DSA
> Service: KeyFactory EC
> Service: KeyFactory DSA
> Service: KeyPairGenerator DH
> Service: MessageDigest MD5
> Service: KeyGenerator SunTlsPrf
> Service: KeyFactory DH
> Service: Cipher AES/ECB/PKCS5Padding
> Service: Signature MD2withRSA
> Service: AlgorithmParameters EC
> Service: Signature SHA224withECDSA
> Service: Cipher DES/CBC/PKCS5Padding
> Service: Cipher DESede/CBC/NoPadding
> Service: Signature SHA1withRSA
> Service: SecretKeyFactory AES
> Service: MessageDigest SHA-256
> Service: Cipher AES/ECB/NoPadding
> Service: Mac HmacMD5
> Service: Cipher AES_128/ECB/NoPadding
> Service: MessageDigest MD2
> Service: Signature SHA1withECDSA
> Service: Signature SHA512withRSA
> Service: KeyPairGenerator EC
> Service: Cipher DES/ECB/NoPadding
> Service: MessageDigest SHA-512
> Service: Signature RawDSA
> Service: SecretKeyFactory ARCFOUR
> Service: Signature SHA384withRSA
> Service: MessageDigest SHA1
> Service: Mac HmacSHA256
> Service: KeyGenerator DES
> Service: Cipher DESede/ECB/NoPadding
> Service: KeyAgreement DH
> Service: Cipher DES/ECB/PKCS5Padding
> Service: Mac HmacSHA512
> Service: Mac HmacSHA224
> Service: Signature SHA256withRSA
> Service: Signature NONEwithECDSA
> Service: Cipher RSA/ECB/NoPadding
> Service: Cipher AES_256/CBC/NoPadding
> Service: Cipher AES/CBC/PKCS5Padding
> Service: Cipher DES/CBC/NoPadding
> Service: KeyGenerator SunTlsKeyMaterial
> Service: Cipher ARCFOUR
> Service: KeyGenerator DESede
> Service: MessageDigest SHA-224
> Service: Cipher AES/CBC/NoPadding
> Service: Signature SHA384withECDSA
> Service: Cipher DESede/CBC/PKCS5Padding
> Service: KeyAgreement ECDH
> Service: Cipher AES_192/ECB/NoPadding
> Service: Cipher RSA/ECB/PKCS1Padding
> Service: Signature SHA512withECDSA
> Service: Cipher AES_128/CBC/NoPadding
> Service: KeyGenerator SunTlsMasterSecret <<<<<<<<<<<
> Service: Signature MD5withRSA
> Service: Mac HmacSHA384
> Service: Cipher AES_256/ECB/NoPadding
> Service: SecretKeyFactory DESede
> Service: KeyPairGenerator RSA
> Service: Signature SHA224withRSA
> Service: Mac SslMacSHA1
> Service: KeyFactory RSA
> Service: KeyGenerator ARCFOUR
> Service: Cipher AES/CTR/NoPadding
> Service: Signature DSA
> Service: Cipher AES_192/CBC/NoPadding
> Service: KeyGenerator SunTlsRsaPremasterSecret <<<<<<<<<<<
> Service: Cipher DESede/ECB/PKCS5Padding
> Service: KeyGenerator AES
> Service: Mac SslMacMD5
> Service: SecureRandom PKCS11
> Service: KeyStore PKCS11
>
> Code that instantiates the Provider:
>
> InputStream nssConfigStream = new
> ByteArrayInputStream(nssConfig.getBytes(StandardCharsets.UTF_8));
> Class<Provider> clas = (Class<Provider>)
> Class.forName("sun.security.pkcs11.SunPKCS11");
> Constructor<Provider> constructor = clas.getConstructor(new
> Class[]{InputStream.class});
> Provider provider = (Provider)constructor.newInstance(nssConfigStream);
>
>
> Is there some configuration item, etc., that I'm missing?
>
> Thanks!
> Ernie
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
