[QUERY] Does Azure Java SDK support FIPS by default #42562

Open
nnajwaa opened this issue Oct 24, 2024 · 3 comments
Labels: Azure.Core, azure-core, Client, customer-reported, needs-team-attention, question

Comments

nnajwaa commented Oct 24, 2024

Query/Question

The default SSL/TLS library for Azure Java SDK http clients is the Tomcat-native Boring SSL library (dependency in code, official documentation).

The Tomcat-native Boring SSL library is not FIPS validated (source).

I have found conflicting information stating (source query):

We acquire our crypto instances via Java's cryptographic framework, which can be set by the application developer to provide whatever implementation is desired. You as the end-developer get to choose what providers are available to the JVM in the first place, and thus can ensure only fips-compliant providers are given.

^ This seems to point to the Azure Java SDK using the JVM crypto by default.

I'm seeking confirmation on whether the HttpClient is automatically FIPS compliant as long as the underlying JVM only exposes FIPS compliant providers.

Thanks!

github-actions bot added the Azure.Core, azure-core, Client, customer-reported, needs-team-attention and question labels Oct 24, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

nnajwaa commented Oct 25, 2024

Hi @alzimmermsft 👋🏼 I'd appreciate it if you could have a look at this. Thanks!

@alzimmermsft
Member

Thanks for asking this question @nnajwaa. I'll need to investigate this further.

A few quick things though:

  • Netty may have an ability to enable FIPS compliance in Tomcat-native Boring SSL (Request for FIPS-Validated netty-tcnative release netty/netty-tcnative#799). Though I haven't really looked into what this does or means.
  • Another option is to exclude Tomcat-native Boring SSL from your application and provide another SSL provider which is FIPS compliant (similar to the conflicting information you've included).
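
A startup check for the two conditions raised in this thread, added here as an example (not code from the Azure SDK or from any participant): it lists JCA providers registered in the JVM that are not on an approved list, reports which provider backs the default `SSLContext`, and probes whether netty-tcnative is loadable, since that is a native library rather than a JCA provider. Assumptions: the names in `APPROVED` are placeholders for your own approved providers, and the probe assumes netty-tcnative's binding class `io.netty.internal.tcnative.SSL`.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class TlsProviderAudit {
    // Assumption: placeholder names; replace with the providers your FIPS policy approves.
    static final Set<String> APPROVED = Set.of("EXAMPLE-FIPS-JCE", "EXAMPLE-FIPS-JSSE");

    /** Names of JCA/JSSE providers registered in this JVM that are not on the approved list. */
    static List<String> unapprovedProviders(Set<String> approved) {
        List<String> out = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (!approved.contains(p.getName())) out.add(p.getName());
        }
        return out;
    }

    /** True if netty-tcnative classes are loadable. Presence alone is a conservative
     *  signal: whether Netty actually uses the native engine depends on configuration. */
    static boolean nativeTlsOnClasspath() {
        try {
            // initialize=false: only probe for the class, do not load the native library
            Class.forName("io.netty.internal.tcnative.SSL", false,
                    TlsProviderAudit.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> bad = unapprovedProviders(APPROVED);
        String tlsProvider = SSLContext.getDefault().getProvider().getName();
        boolean nativeTls = nativeTlsOnClasspath();

        System.out.println("Unapproved JCA providers: " + bad);
        System.out.println("Default SSLContext provider: " + tlsProvider);
        System.out.println("netty-tcnative on classpath: " + nativeTls);

        // Fail the startup check if any route to non-approved crypto is present.
        if (!bad.isEmpty() || !APPROVED.contains(tlsProvider) || nativeTls) {
            System.exit(1);
        }
    }
}
```

Run it with the same classpath and `java.security` configuration as the application, so the result reflects what the HTTP client would see.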
