Hi all,
We have TLS connection issues when the server (openjdk version "1.8.0_222")
runs in FIPS 140.2 mode. The error thrown on the server is:
"javax.net.ssl.SSLException: Unsupported record version SSLv3" (which
originates from: sun.security.ssl.InputRecord.checkRecordVersion(...))
This error only happens when the server JRE runs in FIPS 140.2 mode. This is
because of the following code in class sun.security.ssl.ProtocolVersion:
"
// minimum version we implement (SSL 3.0)
final static ProtocolVersion MIN = FIPS ? TLS10 : SSL30;
"
Our server *only* allows TLS 1.2 as TLS protocol version, however, If I have
the correct understanding of the TLS 1.2 specification enforcing a record
version of (at least ) TLS10 seems to violate the specification
(https://tools.ietf.org/html/rfc5246#appendix-E.1):
"
[...] Thus, TLS servers compliant with this specification MUST accept any
value {03,XX} as
the record layer version number for ClientHello. [...]
(Appendix E. Backward Compatibility - E.1. Compatibility with TLS 1.0/1.1 and
SSL 3.0)
"
Is this something which should be fixed in the JRE? Or is the behavior of the
client wrong?
Thanks,
Christian.
