Merge pull request #32242 from utle/fips-ssl-test

Revert FIPS 140-3 SSL protocol back to TLS

Author: utle

dev/com.ibm.ws.ssl/src/com/ibm/websphere/ssl/SSLConfig.java

@@ -1,10 +1,10 @@
 /*******************************************************************************
- * Copyright (c) 1997, 2020 IBM Corporation and others.
+ * Copyright (c) 1997, 2025 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-2.0/
- * 
+ *
  * SPDX-License-Identifier: EPL-2.0
  *
  * Contributors:
@@ -130,6 +130,9 @@ private void initializeDefaults() {
         }
 
         JSSEProvider defaultProvider = JSSEProviderFactory.getInstance();
+        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
+            Tr.debug(tc, "Defafult JSSEProvider: " + defaultProvider.toString());
+        }
 
         if (getProperty(Constants.SSLPROP_KEY_MANAGER) == null)
             setProperty(Constants.SSLPROP_KEY_MANAGER, JSSEProviderFactory.getKeyManagerFactoryAlgorithm());
@@ -138,9 +141,10 @@ private void initializeDefaults() {
             && null != defaultProvider.getKeyStoreProvider())
             setProperty(Constants.SSLPROP_KEY_STORE_PROVIDER, defaultProvider.getKeyStoreProvider());
 
-        if (getProperty(Constants.SSLPROP_PROTOCOL) == null)
+        if (getProperty(Constants.SSLPROP_PROTOCOL) == null) {
             setProperty(Constants.SSLPROP_PROTOCOL, defaultProvider.getDefaultProtocol());
-
+            Tr.debug(tc, "Default protocol: " + defaultProvider.getDefaultProtocol());
+        }
         if (getProperty(Constants.SSLPROP_CLIENT_AUTHENTICATION) == null)
             setProperty(Constants.SSLPROP_CLIENT_AUTHENTICATION, Constants.FALSE);
 
@@ -190,14 +194,16 @@ private void initializeDefaults() {
         // When only a trust store is specified, use it as the key store as well.
         if (keyStore == null && trustStore != null && trustStorePassword != null && trustStoreType != null) {
             setProperty(Constants.SSLPROP_KEY_STORE, trustStore);
-            if (trustStoreName != null) setProperty(Constants.SSLPROP_KEY_STORE_NAME, trustStoreName);
+            if (trustStoreName != null)
+                setProperty(Constants.SSLPROP_KEY_STORE_NAME, trustStoreName);
             setProperty(Constants.SSLPROP_KEY_STORE_PASSWORD, trustStorePassword);
             setProperty(Constants.SSLPROP_KEY_STORE_TYPE, trustStoreType);
         }
         // When only a key store is specified, use it as the trust store as well.
         else if (trustStore == null && keyStore != null && keyStorePassword != null && keyStoreType != null) {
             setProperty(Constants.SSLPROP_TRUST_STORE, keyStore);
-            if (keyStoreName != null) setProperty(Constants.SSLPROP_TRUST_STORE_NAME, keyStoreName);
+            if (keyStoreName != null)
+                setProperty(Constants.SSLPROP_TRUST_STORE_NAME, keyStoreName);
             setProperty(Constants.SSLPROP_TRUST_STORE_PASSWORD, keyStorePassword);
             setProperty(Constants.SSLPROP_TRUST_STORE_TYPE, keyStoreType);
         }
@@ -298,7 +304,7 @@ public String toString() {
      * Load ConfigURL from a url string that names a properties file. This
      * method does not check that values are in valid range,
      *
-     * @param propertiesURL - the properties file to load the SSL properties
+     * @param propertiesURL  - the properties file to load the SSL properties
      * @param multiConfigURL
      * @return SSLConfig[]
      */

dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/config/ProtocolHelper.java

@@ -93,11 +93,6 @@ public void checkProtocolValueGood(String sslProtocol) throws SSLException, Unsu
         } else {
             String protocol = protocols[0];
             if (!validatedProtocols.contains(protocol)) {
-//                 TODO: uncomment the following once SSL tests have been updated for FIPS 140-3
-//                if (fips140_3Enabled && !allowedProtocols.contains(protocol)) {
-//                    Tr.error(tc, "ssl.protocol.error.CWPKI0832E", protocol);
-//                    throw new SSLException("Protocol provided is not appropriate for a protocol list.");
-//                }
                 checkProtocol(protocol);
             }
         }

dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/provider/IBMJSSEProvider.java

@@ -42,7 +42,7 @@ public IBMJSSEProvider() {
 
         String protocol = Constants.PROTOCOL_SSL_TLS_V2;
         if (CryptoUtils.isFips140_3Enabled()) {
-            protocol = Constants.PROTOCOL_TLSV1_2;
+            protocol = Constants.PROTOCOL_TLS;
         }
 
         initialize(JSSEProviderFactory.getKeyManagerFactoryAlgorithm(), JSSEProviderFactory.getTrustManagerFactoryAlgorithm(), Constants.IBMJSSE2_NAME, null,

dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/provider/SunJSSEProvider.java

@@ -40,7 +40,7 @@ public SunJSSEProvider() {
         super();
         String protocol = Constants.PROTOCOL_SSL;
         if (CryptoUtils.isFips140_3Enabled() && CryptoUtils.isSemeruFips()) {
-            protocol = Constants.PROTOCOL_TLSV1_2;
+            protocol = Constants.PROTOCOL_TLS;
         }
 
         initialize(JSSEProviderFactory.getKeyManagerFactoryAlgorithm(), JSSEProviderFactory.getTrustManagerFactoryAlgorithm(), Constants.SUNJSSE_NAME, null,