FIPS 140 Compliant Mode for SunJSSE

In Sun's Java SE implementation version 6 or later, the SunJSSE provider, which contains the SSL/TLS implementation, can be configured to operate in a FIPS 140 compliant mode instead of its default mode. This document describes the FIPS 140 compliant mode (subsequently called "FIPS mode").

Configuring SunJSSE for FIPS Mode

SunJSSE is configured in FIPS mode by associating it with an appropriate FIPS 140 certified cryptographic provider that supplies the implementations for all cryptographic algorithms required by SunJSSE. This can be done in one of the following ways:

  1. edit the file ${java.home}/lib/security/java.security and modify the line that lists com.sun.net.ssl.internal.ssl.Provider to list the provider name of the FIPS 140 certified cryptographic provider. For example if the name of the cryptographic provider is SunPKCS11-NSS, change the line from

      security.provider.4=com.sun.net.ssl.internal.ssl.Provider
    

    to

      security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS
    

    The class for the provider of the given name must also be listed as a security provider in the java.security file.

  2. at runtime, call the constructor of the SunJSSE provider that takes a java.security.Provider object as a parameter. For example, if the variable cryptoProvider is a reference to the cryptographic provider, call new com.sun.net.ssl.internal.ssl.Provider(cryptoProvider).

  3. at runtime, call the constructor of the SunJSSE provider that takes a String object as a parameter. For example if the cryptographic provider is called SunPKCS11-NSS call new com.sun.net.ssl.internal.ssl.Provider("SunPKCS11-NSS"). A provider with the specified name must be one of the configured security providers.

Within a given Java process, SunJSSE can be used either in FIPS mode or in default mode, but not both at the same time. Once SunJSSE has been initialized, it is not possible to change the mode. This means that if one of the runtime configuration options is used (option 2 or 3), the configuration must take place before any SSL/TLS operation.

Note that only the specified configured provider will be used by the SunJSSE for any and all cryptographic operations. All other cryptographic providers including those included with the Java SE implementation will be ignored and not used.

Difference Between FIPS Mode and Default Mode

In FIPS mode, SunJSSE behaves in a way identical to default mode, except for the following differences.

In FIPS mode:

Ciphersuites Usable in FIPS Mode

The following is the current list of ciphersuites which can be used by SunJSSE in FIPS mode with their names and the id as assigned in the TLS protocol provided that the configured cryptographic FIPS module supports the necessary algorithms. Note that although SunJSSE uses the prefix SSL_ in the name of some of these ciphersuites, this is for compatibility with earlier versions of the specification only. In FIPS mode, SunJSSE will always use TLS 1.0 or later and implement the ciphersuites as required by those specifications.

SSL_RSA_WITH_3DES_EDE_CBC_SHA

0x000a

SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

0x0016

TLS_RSA_WITH_AES_128_CBC_SHA

0x002f

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

0x0032

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

0x0033

TLS_RSA_WITH_AES_256_CBC_SHA

0x0035

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

0x0038

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

0x0039

TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA

0xC003

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

0xC004

TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

0xC005

TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

0xC008

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

0xC009

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

0xC00A

TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA

0xC00D

TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

0xC00E

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

0xC00F

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

0xC012

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

0xC013

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

0xC014

TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA

0xC017

TLS_ECDH_anon_WITH_AES_128_CBC_SHA

0xC018

TLS_ECDH_anon_WITH_AES_256_CBC_SHA

0xC019

Conclusion

When SunJSSE is configured in FIPS 140 compliant mode together with an appropriate FIPS 140 certified cryptographic provider, for example Network Security Services (NSS) in its FIPS mode, SunJSSE is FIPS 140 compliant.


Copyright © 1993, 2014, Oracle and/or its affiliates. All rights reserved.