
I'm trying to configure an embedded Tomcat server so that it can serve HTTP2 in FIPS mode, using BouncyCastle's FIPS libraries. I've set the accepted protocols to TLSv1.2+TLSv1.3. I've tried various suggested cipher suites, but it seems no matter what I set as the cipher suite, Chrome/FF rejects connections on the grounds of "Inadequate Security". If I disable HTTP2, it does not matter what I set as the cipher suite - it just works.

I'm a bit confused.

JDS
  • Can you provide the code used to setup Tomcat and the versions of BC, Tomcat and JRE used? – Piotr P. Karwasz Mar 11 '21 at 06:29
  • Yes - I'll send a link to a gist in a moment. I will say I made "progress", in that now I cannot make any secured connections, with or without http2 enabled, with my current cipher suite. – JDS Mar 11 '21 at 14:42
  • https://gist.github.com/dajester2013/541d5c78271f453dbab288e6c43194ee – JDS Mar 11 '21 at 15:00
  • Also, tried with Java 11, 14, and 15 – JDS Mar 11 '21 at 18:30

1 Answer

When BC is in FIPS mode, it requires PKIX as algorithm for the KeyManagerFactory and TrustManagerFactory:

```java
Security.setProperty("ssl.KeyManagerFactory.algorithm", "PKIX");
Security.setProperty("ssl.TrustManagerFactory.algorithm", "PKIX");
```

Without these two lines the server will be unable to retrieve the keys required by the cipher suite.

Piotr P. Karwasz
  • Tried setting those two in BCFIPSUtil.java, but any request now throws an exception on the server: java.lang.IllegalArgumentException: Invalid character found in method name [0x160x030x010x020x000x010x000x010xfc0x030x03h_~+@_cO0xa30x90,]0xec0xe40xc3v0xcc0xcd0x030x03o.Q/0xb0u0xca]. HTTP method names must be tokens – JDS Mar 11 '21 at 19:58
  • Those are caused by HTTPS requests against an HTTP connector. Is the `SSLEnabled` property set to `true`? – Piotr P. Karwasz Mar 11 '21 at 20:09
  • Yes - https://gist.github.com/dajester2013/541d5c78271f453dbab288e6c43194ee#file-tomcatserver-java-L133 – JDS Mar 11 '21 at 20:22
  • Well, looking at the logs though, the protocol handler is http: INFO: Starting ProtocolHandler ["http-nio2-127.0.0.1-8880"] – JDS Mar 11 '21 at 20:25
  • Rookie mistake - forgot to set proper build parameters. D'oh! Anyways, I'm still getting ERR_SSL_VERSION_OR_CIPHER_MISMATCH. One of the things I'm trying to do is, on the fly load a PEM-encoded certificate and private key into a BCFKS to use in an SSLHostConfigCertificate instance. – JDS Mar 11 '21 at 21:19
  • This, along with ensuring that the listen address is set properly (was set as /0.0.0.0, instead of just 0.0.0.0), fixed the problem. Thank you. – JDS Mar 12 '21 at 16:10
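
A diagnostic for the "Inadequate Security" symptom in the question, added here as an example and not taken from the thread or the linked gist: it applies the two PKIX settings from the answer, then lists which enabled cipher suites satisfy the HTTP/2 rule in RFC 7540 section 9.2.2 and Appendix A (ephemeral key exchange plus an AEAD cipher). The class name `Http2SuiteCheck`, the helper `okForHttp2` and the optional provider argument are assumptions made for this example.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class Http2SuiteCheck {
    // RFC 7540 Appendix A blocklists every TLS 1.2 suite that lacks an ephemeral
    // key exchange (ECDHE/DHE) or uses a null, stream or block (CBC) cipher.
    // What remains is ephemeral key exchange + AEAD (GCM, CCM, ChaCha20-Poly1305).
    static boolean okForHttp2(String suite) {
        if (!suite.contains("_WITH_")) {
            // TLS 1.3 suite names carry no key exchange and are always AEAD.
            return suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_");
        }
        boolean ephemeral = suite.startsWith("TLS_ECDHE_") || suite.startsWith("TLS_DHE_");
        boolean aead = suite.contains("_GCM_") || suite.contains("_CCM")
                || suite.contains("CHACHA20_POLY1305");
        return ephemeral && aead;
    }

    public static void main(String[] args) throws Exception {
        // The two settings from the answer above.
        Security.setProperty("ssl.KeyManagerFactory.algorithm", "PKIX");
        Security.setProperty("ssl.TrustManagerFactory.algorithm", "PKIX");
        System.out.println("KeyManagerFactory default:   " + KeyManagerFactory.getDefaultAlgorithm());
        System.out.println("TrustManagerFactory default: " + TrustManagerFactory.getDefaultAlgorithm());

        // Assumption: an optional first argument names an already registered JSSE
        // provider (for example "BCJSSE"); otherwise the JVM default is inspected.
        SSLContext ctx = args.length > 0
                ? SSLContext.getInstance("TLS", args[0])
                : SSLContext.getInstance("TLS");
        ctx.init(null, null, null);

        List<String> usable = new ArrayList<>();
        for (String suite : ctx.getDefaultSSLParameters().getCipherSuites()) {
            if (suite.endsWith("_SCSV")) continue; // signalling value, not a cipher suite
            boolean ok = okForHttp2(suite);
            System.out.printf("%-48s %s%n", suite, ok ? "ok for h2" : "blocklisted for h2");
            if (ok) usable.add(suite);
        }
        if (usable.isEmpty()) {
            System.out.println("No enabled suite is acceptable for HTTP/2.");
        }
    }
}
```

The same `okForHttp2` check can be run over the cipher list configured on the Tomcat connector to confirm that at least one non-blocklisted suite is offered before HTTP/2 is enabled.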