I am currently facing an issue in the latest version of Netty (4.1) while using it in Spring Boot 2.3. When changing my default security providers to FIPS compliant BouncyCastle Providers (specifically here BCJSSE), I run into an issue during startup. However, from what I can see, SSL negotiation is not affected aside from the fact that ALPN cannot be negotiated.
The Error I am seeing:
Unable to initialize JdkAlpnSslUtils, but the detected java version was: 11
The error does not indicate to me how to actually fix this situation and I do not fully understand the problem it is facing, but after some looks into the code, I could not figure out specifics other than that it is doing this because we are running in JDK11. I was expecting ALPN to be freely negotiated, however, since JDK9, and recently even on JDK8 through backporting (which is why this class exists).
I can successfully validate that I am using the Bouncy Castle Security Provider correctly and can also verify that Netty is running in JDK mode, not OpenSSL (which is why the error occurs in the first place). After trying to find an issue online, I cannot seem to understand how to overcome the error and/or suppress it correctly.
Could anyone help me find out how to correctly suppress or circumvent the issue? That I cannot negotiate ALPN is actually not that important, since I am running the service in a proxied mesh with Envoy, which uses ALPN when forwarding requests.
My Container is running on RHEL7 AdoptOpenJDK 11.
EDIT: As requested, some relevant configuration: I did NOT configure any of the security parameters in Spring Boot (e.g. server.ssl.*) but instead instantiated the JVM with different providers:
-Dio.netty.handler.ssl.noOpenSsl=true -Djavax.net.ssl.trustStoreProvider=BCFIPS -Djavax.net.ssl.trustStoreType=BCFKS
Also, I configured the following during my Gradle build to ensure no classic Bouncy Castle is injected through Spring:
implementation {
// FIPS validated libraries added to boot classpath in base image.
// NON-FIPS version of libraries must be excluded at compile time.
exclude group: 'org.bouncycastle', module: 'bcprov-jdk15on'
exclude group: 'org.bouncycastle', module: 'bcpkix-jdk15on'
}
I am instead using the FIPS-compliant libraries by including:
compile group: 'org.bouncycastle', name: 'bc-fips', version: '1.0.2'
compile group: 'org.bouncycastle', name: 'bctls-fips', version: '1.0.10'
In addition, I also configured (as a safety guard) the following provider override in my ServiceRunner (annotated @SpringBootApplication):
Security.insertProviderAt(new BouncyCastleFipsProvider(),1); // basic encryption provider
Security.insertProviderAt(new BouncyCastleJsseProvider(),2); // tls
Security.removeProvider("SunRsaSign");
Security.removeProvider("SunJSSE");
The JVM is initialized with these settings (partially cut):
ENV JAVA_OPTS "--show-version \
-XshowSettings:vm \
-XX:+DisableExplicitGC \
-Dfile.encoding=UTF-8 \
-Dorg.bouncycastle.fips.approved_only=true \
-Xbootclasspath/a:/PATHTOJARS/bc-fips-${BC_VERSION}.jar \
-Xbootclasspath/a:/PATHTOJARS/bctls-fips-${BC_TLS_VERSION}.jar"
My standard CA store is changed to use BCFKS; this can be achieved mainly with this change to keytool and some importing/exporting:
ENV KEYTOOL_OPTS "-storetype BCFKS \
-providerpath /PATHTOJARS/bc-fips-${BC_VERSION}.jar \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"
This is my changed java.security:
RUN sed -i 's/\(security\.provider\.[0-9]\+\)=\(.*\)/##\1=\2/g' java.security
RUN sed -i 's/\(ssl\.KeyManagerFactory\.algorithm\)=.*/\1=PKIX/g' java.security
RUN sed -i 's/\(securerandom\.source\)=.*/\1=file:\/dev\/urandom/g' java.security
RUN sed -i 's/\(securerandom\.strongAlgorithms\)=.*/\1=NativePRNGNonBlocking:SUN,DRBG:SUN/g' java.security
RUN printf '\nsecurity.provider.1=BCFIPS\nsecurity.provider.2=BCJSSE fips:BCFIPS\nsecurity.provider.3=SUN\n' >> java.security
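The question hinges on which provider actually serves SSLContext and whether that provider's SSLEngine implements the JDK 9+ ALPN methods (getApplicationProtocol, getHandshakeApplicationProtocol) that Netty's JdkAlpnSslUtils probes reflectively at startup. The following diagnostic is an added example, not code from the question or from Netty or Bouncy Castle; it assumes the JVM has already been started with the provider configuration shown above (or that the two insertProviderAt calls have run) and it does not open any network connection. The JDK's default SSLEngine implementations of the ALPN methods throw UnsupportedOperationException, so a provider that has not overridden them is reported as lacking the ALPN API.

```java
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/**
 * Diagnostic for a FIPS/BCJSSE setup: prints the installed providers, reports which
 * provider serves SSLContext "TLS", and probes whether that provider's SSLEngine
 * implements the JDK 9+ ALPN API. Example code, not part of the original question.
 */
public final class ProviderAlpnCheck {

    /** Name of the provider that actually backs SSLContext.getInstance("TLS"). */
    public static String tlsContextProvider() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        return ctx.getProvider().getName();
    }

    /**
     * Returns true when the engine created by the active provider implements the
     * JDK 9+ ALPN accessors; the JDK's base-class defaults throw
     * UnsupportedOperationException, which is what an old TLS provider would show.
     */
    public static boolean engineSupportsAlpnApi() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust managers of the active provider
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);

        // Advertise protocols the way a client would; this part works on any JDK 9+ engine
        // because SSLParameters (not the engine) carries the list. Values are illustrative.
        SSLParameters params = engine.getSSLParameters();
        params.setApplicationProtocols(new String[] {"h2", "http/1.1"});
        engine.setSSLParameters(params);

        try {
            // No handshake has run, so both return null/"" on a supporting engine;
            // an engine that never implemented ALPN throws instead.
            engine.getApplicationProtocol();
            engine.getHandshakeApplicationProtocol();
            engine.getHandshakeApplicationProtocolSelector();
            return true;
        } catch (UnsupportedOperationException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Installed providers (in priority order):");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersionStr());
        }
        System.out.println("SSLContext(\"TLS\") served by: " + tlsContextProvider());
        System.out.println("SSLEngine implements JDK 9+ ALPN API: " + engineSupportsAlpnApi());
    }
}
```

Run it with the same JAVA_OPTS, bootclasspath and java.security as the service container so the result reflects the deployed provider order; if "SSLContext(\"TLS\") served by" prints BCJSSE while the ALPN line prints false, the Netty startup message is explained by the provider's engine rather than by the JDK version.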