Disable HTTPS Certificate Validation in FIPS mode

Question

There is code in Java which performs an HTTPS call and then ignores the incoming certificate validation. In order to do this, a custom trust manager is implemented.
But now we need to switch to FIPS mode. And in FIPS mode the following exception is received when the custom trust manager is used by the SSL socket.

FIPS mode: only SunJSSE TrustManagers may be used

So is there a way to bypass the incoming certificate verification in FIPS mode?

Answer 1

Score: 3

You are basically asking if you can enable a specific security level (FIPS) while disabling some of the security required in this level. No - the whole point of this security level is to ensure that specific security requirements are met, and proper certificate validation is an essential requirement.

Answer 2

Score: 0

This behavior of NOT allowing non-SunJSSE trust or key managers seems specific to the Sun/Oracle JRE. I don't think it's a FIPS compliance mandate. Apparently, OpenSSL with FIPS enabled and libcurl don't have this limitation.

I am also facing issues due to this.

We have some HTTPS API calls happening in our Java application. These API calls are actually about fetching the CA certificate of the remote end, displaying the fingerprint and other details to the end user and, when the user accepts, persisting this certificate in the trust store. From then on, subsequent HTTPS calls in the workflow will use this trust store.

So, for the HTTPS call from our app to fetch the CA certificate, I have used a "trust-all" trust manager, but apparently that's NOT acceptable in FIPS mode.

I agree FIPS requires tighter security and thus disabling certificate validation isn't a great idea and should NOT be done ideally. But for exceptional cases like this (and probably where we wanted to perform more validations such as custom host name verification, certificate revocation status check, etc.) there should have been some provision in Sun JSSE to override this FIPS mode behavior.

Most probably, we need to implement SSLContextSpi and hook in our custom SSL context. The implementation would look very similar to SSLContextImpl below but probably with the FIPS limitations relaxed. (Needless to say, this needs to be used judiciously, especially with FIPS.)

https://hg.openjdk.java.net/jdk8/jdk8/jdk/raw-file/687fd7c7986d/src/share/classes/sun/security/ssl/SSLContextImpl.java
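The second half of the workflow described in Answer 2 (show the fingerprint, then persist the accepted certificate and use that trust store for later HTTPS calls) can be built from the platform's own TrustManagerFactory, so no hand-written TrustManager is handed to the SSLContext. The Java code below is an added example, not code from the answer or the JDK, and it does not cover the initial fetch of the certificate. Assumptions: the class name and the alias `accepted-ca` are made up, the default KeyStore type accepts in-memory certificate entries, the default TrustManagerFactory is the provider's own, and when no file is given the first CA of the JRE default trust store serves as a stand-in sample.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import javax.net.ssl.*;

public class AcceptedCertTrust {
    // SHA-256 over the DER encoding, shown to the user before acceptance.
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(sb.length() > 0 ? ":" : "").append(String.format("%02X", b));
        return sb.toString();
    }

    // Trust managers that accept only chains anchored at the accepted certificate.
    // They come from the platform TrustManagerFactory, not a hand-written class.
    static TrustManager[] trustOnly(X509Certificate accepted) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                              // empty in-memory trust store
        ks.setCertificateEntry("accepted-ca", accepted);  // alias is a made-up name
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert;
        if (args.length > 0) {  // PEM or DER file of the certificate awaiting acceptance
            try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
                cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                        .generateCertificate(in);
            }
        } else {                // stand-in sample: first CA in the JRE default trust store
            TrustManagerFactory def =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            def.init((KeyStore) null);
            cert = ((X509TrustManager) def.getTrustManagers()[0]).getAcceptedIssuers()[0];
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("SHA-256: " + fingerprint(cert));
        TrustManager[] tms = trustOnly(cert);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null);  // no custom TrustManager passed in
        System.out.println("TrustManager: " + tms[0].getClass().getName());
    }
}
```

The resulting `ctx.getSocketFactory()` can be set on an `HttpsURLConnection` for the subsequent calls; the printed class name shows which implementation the provider supplied.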

huangapple
  • Posted on June 29, 2020 at 04:25:32
  • When reposting, please keep the link to this article: https://go.coder-hub.com/62627846.html