question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

FIPS Compliant Mode

See original GitHub issue

We recently (version 6.1.2) introduced 3 new connection properties for FIPS mode: fips, trustStoreType, fipsProvider. The implementation assumes fipsProvider contains trustStoreType when calling Keystore.getInstance(trustStoreType,fipsProvider). However, not all providers that contain FIPS-complaint algorithms also provide keystores, such as IBMJCEFIPS. See this page. In this case, users have to use non-FIPS IBMJCE provider (IBMJCE) to store the keys, which means they also have to set fipsProvider=IBMJCE. This can be confusing, because IBMJCE is not the actual FIPS provider, but it is the provider that contains keystore.

Below are a few possible solutions to solve the issue and we would really appreciate any feedback from the community.

  1. Keep the current implementation and update the documentation describing the differences. This way we would not be introducing breaking changes, but the connection property fipsProvider could still be confusing to users because of the naming.
  2. Rename the connection property fipsProvider to trustStoreProvider. This would break the existing FIPS applications, but the name of the property would be less confusing.
  3. Remove the connection property fipsProvider. If provider is not specified, Keystore.getInstance(trustStoreType) traverses the list of registered providers and creates a new instance of matching Keystore. So, instead of creating a new Keystore from the specified provider, the driver would create it from the most preferred (the one that comes first in security providers list) provider. This would obviously be a breaking change too, but also would let us avoid any possible confusions.

I am also posting links to the related PRs below.

https://github.com/Microsoft/mssql-jdbc/pull/97 https://github.com/Microsoft/mssql-jdbc/pull/135 https://github.com/Microsoft/mssql-jdbc/pull/325 https://github.com/Microsoft/mssql-jdbc/pull/433

We would appreciate opinions on the proposed solutions. Please feel free to let us know if you have other suggestions 👍

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Comments:10 (8 by maintainers)

github_iconTop GitHub Comments

2reactions
nsidhayecommented, Aug 15, 2017

Thanks @ulvii for discussion.

FIPSProvider attribute introduced especially for keystore usage. For getting keystore instance we can pass appropriate FIPSprovider thinking of useful in custom runtime configurations for FIPS.

ks = KeyStore.getInstance(trustStoreType, fipsProvider);

@ulvii showed me that even with runtime FIPS configuration one will get appropraite keystore instance without passing fipsprovider. Keystore will pick up appropriate provider.

I am comfortable with option 3.

1reaction
sehropecommented, Aug 15, 2017

+1 to either option 2 or 3 though leaning more toward 2 as the extensibility would be useful to other users wishing to avoid editing java.security.

I’m usually on the side of maintaining backwards compatibility but think cleaning up the confusing property names now is good idea. I don’t see any external comments on the original PR that added that feature so hard to gauge who external to Microsoft would be impacted by the change. I can’t imagine it would be particularly widespread. Presumably anybody using features as recent as that would be tracking breaking changes to the driver and know it’s coming. Plus they’re app would break at connect time…

Somewhat related, it’d be nice if the choice of keystore itself could be externalized as a connection property. Part of the purpose of PR #74 for adding a custom TrustManager is to supply a custom keystore on a per-connection basis without mucking with JVM-wide settings. That allows for per-connection certificate pinning without maintaining a static shared keystore. Plus the keystore doesn’t have to be persisted which is a big +1 in a container/stateless deployment environment.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Federal Information Processing Standard (FIPS) 140 Validation
Cryptographic Module Version (link to Security Policy) FIP... Boot Manager 6.1.7600.16385 · 6.1.7601.17514 1319 Enhanced Cryptographic Provider (RSAENH.DLL) 6.1.7600.16385. (no change in SP1) 1330
Read more >
Enabling FIPS Mode in the Windows Client Operating System
When FIPS mode is enabled in the client operating system, applications use only cryptographic algorithms that are FIPS-140 compliant and in ...
Read more >
Running in FIPS compliant mode - BMC Documentation
Enabling FIPS mode ensures that BMC Discovery uses only FIPS-compliant cryptographic algorithms and FIPS compliant keys, ...
Read more >
Why You Shouldn't Enable “FIPS-compliant” Encryption on ...
The setting in Windows complies with the US government FIPS 140 standard. When it's enabled, it forces Windows to only use FIPS-validated ...
Read more >
Overview of the FIPS 140 Level 1 Compliant Mode license for ...
Log in to the Configuration utility. · Navigate to System > License and look for either the FIPS 140-3 Compliant Mode or the...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found