Issue with Wildfly 26 with Java Corretto JDK 11 configured with the latest BC FIPS libraries on Windows 11. #1682

ashadev2022 · 2024-05-24T22:58:52Z

ashadev2022
May 24, 2024

Environment : Wildfly 26 with Java Corretto JDK 11 configured with the latest BC FIPS libraries on Windows 11.

I was trying to bring up an wildfly instance configured with Java11 with latest BC FIPS libraries - bc-fips-1.0.2.4.jar bctls-fips-1.0.18.jar . Java.security -

security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN
securerandom.strongAlgorithms=DEFAULT:BCFIPS
keystore.type=BCFKS
ssl.KeyManagerFactory.algorithm=PKIX
ssl.TrustManagerFactory.algorithm=PKIX

JAVA_OPTS in standalone.conf.bat - -Djdk.tls.trustNameService=true -Djavax.net.ssl.trustStoreType=BCFKS -Djavax.net.ssl.trustStoreProvider=BCFIPS

bcfks Keystore created using keytool.

Standalone.xml file

cipher-suite-filter="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256" protocols="TLSv1.2"

When I try to start https://localhost:8443, getting the following error :

DEBUG [io.undertow.request.io] (default I/O-7) UT005013: An IOException occurred: javax.net.ssl.SSLException: org.bouncycastle.tls.TlsFatalAlert: handshake_failure(40)
   at org.bouncycastle.jsse.provider.ProvSSLEngine.unwrap(Unknown Source)
   at io.undertow.core@2.2.19.Final//io.undertow.protocols.ssl.SslConduit.engineUnwrap(SslConduit.java:691)
   at io.undertow.core@2.2.19.Final//io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:783)
   at io.undertow.core@2.2.19.Final//io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:587)
   at org.jboss.xnio@3.8.7.Final//org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
   at io.undertow.core@2.2.19.Final//io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:356)
   at io.undertow.core@2.2.19.Final//io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:313)
   at io.undertow.core@2.2.19.Final//io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:67)
   at org.jboss.xnio@3.8.7.Final//org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
   at org.jboss.xnio@3.8.7.Final//org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
   at org.jboss.xnio@3.8.7.Final//org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
   at org.jboss.xnio@3.8.7.Final//org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
   at org.jboss.xnio@3.8.7.Final//org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
   at org.jboss.xnio@3.8.7.Final//org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
   at org.jboss.xnio.nio@3.8.7.Final//org.xnio.nio.QueuedNioTcpServer2.acceptTask(QueuedNioTcpServer2.java:178)
   at org.jboss.xnio.nio@3.8.7.Final//org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:612)
   at org.jboss.xnio.nio@3.8.7.Final//org.xnio.nio.WorkerThread.run(WorkerThread.java:479)

Caused by: org.bouncycastle.tls.TlsFatalAlert: handshake_failure(40)
at org.bouncycastle.tls.AbstractTlsServer.getSelectedCipherSuite(Unknown Source)
at org.bouncycastle.jsse.provider.ProvTlsServer.getSelectedCipherSuite(Unknown Source)
at org.bouncycastle.tls.TlsServerProtocol.sendServerHelloMessage(Unknown Source)
at org.bouncycastle.tls.TlsServerProtocol.handleHandshakeMessage(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
at org.bouncycastle.tls.RecordStream.readFullRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.safeReadFullRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.offerInput(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.offerInput(Unknown Source)
... 17 more

Any pointers to solve this issue would be helpful.
Thanks
--- DEBUG- SSL--(-Djavax.net.debug=ssl,handshake )
09:07:29,399 ERROR [stderr] (default I/O-2) Provider: SecureRandom.null algorithm from: BCFIPS_RNG
09:11:18,692 ERROR [stderr] (default I/O-1) Provider: SecureRandom.null algorithm from: BCFIPS_RNG
09:11:18,723 ERROR [stderr] (default I/O-1) Provider: Cipher.RSA/NONE/PKCS1Padding decryption algorithm from: BCFIPS
09:11:18,739 ERROR [stderr] (default I/O-1) Provider: Mac.HmacSHA256 algorithm from: BCFIPS
09:11:18,739 ERROR [stderr] (default I/O-1) Provider: Mac.HmacSHA256 algorithm from: BCFIPS
09:11:18,739 ERROR [stderr] (default I/O-1) Provider: Cipher.AES/CBC/NoPadding decryption algorithm from: BCFIPS
09:11:18,739 ERROR [stderr] (default I/O-1) Provider: Cipher.AES/CBC/NoPadding en

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Issue with Wildfly 26 with Java Corretto JDK 11 configured with the latest BC FIPS libraries on Windows 11. #1682

Uh oh!

{{title}}

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

Issue with Wildfly 26 with Java Corretto JDK 11 configured with the latest BC FIPS libraries on Windows 11. #1682

Uh oh!

ashadev2022 May 24, 2024

Standalone.xml file

Replies: 0 comments

ashadev2022
May 24, 2024