action #125654
[security][FIPS] clarify openJDK version testing
% Done: 70%
Description
Context
Our current test https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/tests/fips/openjdk/openjdk_fips.pm specifically installs jdk11, but as updates progress it can happen that we find a newer one on the machines. The newer one could support new Cipher Suites and Security Providers.
At the moment, as a workaround, we uninstall any JDK before testing; the question is:
Question
- should we test any present and greater version of OpenJDK, or only some specific ones?
Action
- provide for each JDK version the accepted list of FIPS crypto providers, which for OpenJDK 11 is currently stored in https://gitlab.suse.de/qe-security/testing/-/raw/main/data/openjdk/Tcheck.txt
- change the test to map the detected JDK version to the matching reference list of Supported Cipher Suites and Security Providers
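A worked illustration of the version-to-baseline mapping the action items ask for, added here as an example; it is not the openjdk_fips.pm test nor any code from os-autoinst-distri-opensuse. The one-name-per-line file format, the `java -version` samples and the contents of the reference lists are constructed assumptions, not the real Tcheck.txt or Tcheck17.txt. The example also shows the failure mode from the ticket: JDK 17 output judged against the JDK 11 baseline comes back with an "unexpected" entry.

```python
"""Added example (not the os-autoinst openjdk_fips.pm test): pick the FIPS
baseline that matches the installed OpenJDK major version and diff the
providers / cipher suites the JDK actually reports against it.

Assumptions made here, not taken from the ticket:
- reference lists (Tcheck.txt, Tcheck17.txt) are plain text, one provider or
  cipher-suite name per line, '#' starting a comment line
- the JDK prints its version in the usual `java -version` format
- REFERENCE_LISTS and SAMPLE_* contents are constructed, not the real baselines
"""
from __future__ import annotations

import re
import sys

# Constructed `java -version` output (in practice it is printed to stderr).
SAMPLE_JAVA_VERSION_11 = 'openjdk version "11.0.19" 2023-04-18\nOpenJDK Runtime Environment\n'
SAMPLE_JAVA_VERSION_17 = 'openjdk version "17.0.7" 2023-04-18\nOpenJDK Runtime Environment\n'

# Constructed reference lists keyed by major version; the real test would read
# the per-version Tcheck*.txt file instead.
REFERENCE_LISTS: dict[int, str] = {
    11: """# security providers
SUN
SunRsaSign
SunJSSE
SunJCE
SunPKCS11-NSS-FIPS
# cipher suites
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
""",
    17: """# security providers
SUN
SunRsaSign
SunJSSE
SunJCE
SunPKCS11-NSS-FIPS
# cipher suites
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
""",
}

# Constructed output of a JDK 17 host (what the test would capture from Java).
SAMPLE_REPORTED_17 = """SUN
SunRsaSign
SunJSSE
SunJCE
SunPKCS11-NSS-FIPS
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
"""


def parse_major_version(version_output: str) -> int:
    """Major version from `java -version` text: "11.0.19" -> 11, "1.8.0_362" -> 8."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        raise ValueError("unrecognised java -version output")
    major = int(m.group(1))
    if major == 1 and m.group(2):  # legacy 1.x numbering used up to JDK 8
        return int(m.group(2))
    return major


def parse_list(text: str) -> set[str]:
    """One name per line; blank lines and '#' comments are ignored."""
    return {
        line.strip()
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def select_reference(major: int, references: dict[int, str]) -> set[str]:
    """Refuse unknown versions instead of silently using another baseline."""
    if major not in references:
        raise KeyError(f"no FIPS baseline defined for OpenJDK {major}")
    return parse_list(references[major])


def compare(reported: set[str], reference: set[str]) -> dict[str, set[str]]:
    """Both directions are failures: a missing FIPS provider, or an extra
    algorithm that the baseline does not approve."""
    return {"missing": reference - reported, "unexpected": reported - reference}


def check_jdk(version_output: str, reported_text: str,
              references: dict[int, str] = REFERENCE_LISTS) -> tuple[int, dict[str, set[str]]]:
    """Map the detected JDK to its baseline and return (major, diff)."""
    major = parse_major_version(version_output)
    diff = compare(parse_list(reported_text), select_reference(major, references))
    return major, diff


if __name__ == "__main__":
    # Correct mapping: JDK 17 output against the JDK 17 baseline -> clean.
    major, diff = check_jdk(SAMPLE_JAVA_VERSION_17, SAMPLE_REPORTED_17)
    print(f"OpenJDK {major}: missing={sorted(diff['missing'])} unexpected={sorted(diff['unexpected'])}")
    # Wrong mapping (the failure mode in the ticket): JDK 17 output judged
    # against the JDK 11 list reports the extra suite as unexpected.
    major, diff = check_jdk(SAMPLE_JAVA_VERSION_11, SAMPLE_REPORTED_17)
    print(f"OpenJDK {major} baseline: unexpected={sorted(diff['unexpected'])}")
    sys.exit(1 if diff["missing"] or diff["unexpected"] else 0)
```

The comparison is deliberately two-sided: a missing provider means the FIPS configuration is broken, while an extra cipher suite or provider means something non-approved became available, and a test that only checks for presence would miss the second case. An unknown major version raises instead of falling back to another version's list, so a freshly installed newer JDK fails loudly until a baseline for it has been approved.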
History
#3
Updated by pstivanin 3 months ago
- % Done changed from 0 to 50
- the ciphers reported here (https://gitlab.suse.de/qe-security/testing/-/raw/main/data/openjdk/Tcheck.txt) are correct for all openjdk versions tested under fips.
- according to https://confluence.suse.com/pages/viewpage.action?pageId=675512957, only openjdk-11 should be tested, but Marcus wrote that it'd be nice to have java-17-openjdk tested too
slack conversation: https://suse.slack.com/archives/C04QYGFKQ1G/p1679470228936649
#5
Updated by pstivanin 2 months ago
- Status changed from In Progress to Blocked
About openjdk17: the test is currently failing (https://openqa.suse.de/tests/10752801) because the returned ciphers are different.
Currently, we have this (https://gitlab.suse.de/qe-security/testing/-/raw/main/data/openjdk/Tcheck.txt) for openjdk11, but openjdk17 outputs that (https://gitlab.suse.de/qe-security/testing/-/raw/2ff4bcc7545e7d0ea97c1645a1a25dd2cfab2bce/data/openjdk/Tcheck17.txt).
I've asked Dennis and Viktor how to proceed. Waiting for feedback.
#8
Updated by pstivanin 26 days ago
- Status changed from Blocked to In Progress
Fridrich found the bug and already opened an SR:
I think that it will be working with this change. The reason for this from the part of RedHat was that right now there is no way to disable OpenJDK FIPS for all java applications running on a FIPS enabled host. I.e. let everything else - non-Java - be in FIPS mode, but disable it for OpenJDK applications.
Now, their reasoning for this change was that one could never disable fips globally for all java applications. Now, they implemented the possibility that if system config files are disabled, fips is disabled automatically too for openjdk. Which is a useful feature. But they also flipped the default, which changed our default behaviour and you thankfully found it out. Now, I flipped that default back. If some customer wants to disable FIPS for all java applications, she just needs to flip that one property in the file. So I think that this solution is more or less the best.
#12
Updated by pstivanin 22 days ago
I've now scheduled both openjdk 11 and 17 on my devel prj: https://openqa.suse.de/group_overview/431
I'll let them both run there until we get an approval for the 17's baseline.
#16
Updated by pstivanin 13 days ago
- % Done changed from 80 to 70
We now have the update in the testing queue (https://smelt.suse.de/request/299043/) and the fips test is now passing (https://openqa.suse.de/tests/11186952#step/openjdk17_fips/1).
The ssh one is failing though (https://openqa.suse.de/tests/11186952#step/openjdk17_ssh/21), so I'm looking into it.
#21
Updated by pstivanin about 18 hours ago
The SR went back to the submitted queue with a new id (300306).