Hi Jenny,

As there is no PKCS#11 spec to support the mechanism, it is a known issue to us:
https://bugs.openjdk.java.net/browse/JDK-8029661

Need to look into the new development of PKCS11 standards.

Regards,
Xuelei

On 4/1/2015 1:09 AM, Lighthart, Jenny wrote:
> Hello Java Security Devs,
>
> The following exception occurs while processing serverHelloDone during
> an attempt at TLS1.2 with NSS in FIPS mode (via modutil).
>
> java.security.NoSuchAlgorithmException: no such algorithm:
> SunTls12RsaPremasterSecret for provider SunPKCS11-NSS
>
> Both the client and the server are running from a unit test using:
>
> · JDK 1.8.0_31-b13
>
> · nss-3.16.2.3-3
>
> The same test runs fine in FIPS mode using TLS1.1 or TLS1.0. The same
> test also runs with TLS1.2 when the keystore is not in FIPS mode.
>
> I am thinking that it is not supported. SunPKCS11-NSS provider needs to
> be updated with the SunTLS12* algorithms before this will work. The
> JSSE's ClientKeyExchange expects to be able to obtain a KeyGenerator
> specific to TLS1.2. When in FIPS mode, the crypto provider is
> SunPKCS11-NSS and it does not have the requested algorithm.
>
> Can anyone confirm or deny this? Any ideas as to when it will be supported?
>
> I've been all over the map trying to figure this one out. I am pretty
> sure at this point that it is not a problem with the NSS library. I can
> provide full stack trace and debug output as needed, but am hoping
> someone can answer first whether this configuration should be expected
> to work.
>
> Thanks for your help,
>
> Jenny
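
A diagnostic for the situation discussed in this thread, added here as an example and not code from either poster or from the JDK: it lists which installed JCA providers register the TLS KeyGenerator algorithms that JSSE asks for. Only SunTls12RsaPremasterSecret comes from the exception above; the other names are the KeyGenerator names SunJCE uses for TLS and are an assumption of this example, as is the class name.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class TlsKeyGeneratorCheck {
    // First name is the one in the exception quoted in the thread; the rest
    // are SunJCE's TLS KeyGenerator names (assumed, not from the thread).
    static final String[] ALGORITHMS = {
        "SunTls12RsaPremasterSecret", "SunTlsRsaPremasterSecret",
        "SunTls12MasterSecret", "SunTlsMasterSecret",
        "SunTls12KeyMaterial", "SunTlsKeyMaterial",
        "SunTls12Prf", "SunTlsPrf"
    };

    // Maps each algorithm name to the providers that register a
    // KeyGenerator for it; getService() also resolves provider aliases.
    static Map<String, List<String>> providersFor(String[] algs, Provider[] providers) {
        Map<String, List<String>> found = new LinkedHashMap<>();
        for (String alg : algs) {
            List<String> names = new ArrayList<>();
            for (Provider p : providers) {
                if (p.getService("KeyGenerator", alg) != null) {
                    names.add(p.getName());
                }
            }
            found.put(alg, names);
        }
        return found;
    }

    public static void main(String[] args) {
        Map<String, List<String>> result =
            providersFor(ALGORITHMS, Security.getProviders());
        for (Map.Entry<String, List<String>> e : result.entrySet()) {
            String where = e.getValue().isEmpty()
                ? "NOT AVAILABLE" : String.join(", ", e.getValue());
            System.out.printf("%-28s %s%n", e.getKey(), where);
        }
    }
}
```

Run it under the same java.security configuration as the failing test. A TLS 1.2 name that no provider lists, or that only a provider other than SunPKCS11-NSS lists, matches the NoSuchAlgorithmException reported above.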