FIPS support ! : by enhancing the winrm4j library to support TLS using Bo…

[EXTERNALCOREWORKS]

…uncycastle (in addition to the common JKS) as the provider.

On winrm4j 0.6.1, new changes were introduced by your team: Due to this issue: https://github.com/cloudsoft/winrm4j/issues/80 Commits: https://github.com/cloudsoft/winrm4j/pull/92 https://github.com/cloudsoft/winrm4j/pull/93 Which allowed us to propagate the:

• SSLContext (which mostly contains the protocols and as well as the security provider being defined, either JKS or bouncycastle or whatever, vital for FIPS compliance) and the
• SSLSocketFactory (which contains the cipher suites to use, vital for FIPS compliance).
  So when we tried to do it by just passing over both the SSLContext and the SSLSocketFactory, we encountered the following open issue which we had already reported to your team: https://github.com/cloudsoft/winrm4j/issues/97

So in order to fix it: Based on the SSLSocketFactory (if present), we are just propagating out of it, the cipher suites to the Apache cxf TLSClientParameters class which later on will use such ciphers along with the provider for the secure communication. Based on the SSLContext, we are passing over the whole SSLContext to the TLSClientParameters, but we are also passing the protocols in the Apache CXF TLSClientParameters, so that the communication can be established successfully and FIPS compliant.

There could be better ways to propagate only those parameters (like allowing to pass the ciphers and protocols as new params besides the SSLContext and the SSLSocketFactory), but the fact that how it got implement in 0.6.1 was not stable enough is true, meaning that by incorporating this changes, the client application should only care to propagate both the SSLContext and the SSLSocketFactory and the winrm4j library will use only what's really needed :). Hope you can absorb this changes that will benefit a lot your API, there is no single API similar like yours (like overthere or so) that actually supports FIPS, so this will be a great WIN for your software.

[EXTERNALCOREWORKS]

Hi @aledsage, would you mind to take a look at this Improvement PR ? Im willing to have this integrated in the product out of the box, benefiting a lot of customers that looks for FIPS compliance in their secure communications.

[EXTERNALCOREWORKS]

Hi colleagues, Any updates on this one ?

[EXTERNALCOREWORKS]

Hi, any updates on this PR ?

[aledsage]

Quoting org.apache.cxf.configuration.jsse.TLSClientParameters:

    /**
     * This sets the SSLSocketFactory to use, causing all other properties of
     * this bean (and its superclass) to get ignored (this takes precendence).
     */
    public final void setSSLSocketFactory(SSLSocketFactory factory) {
        sslSocketFactory = factory;
    }

This suggests we do not need to extract cipher suites etc from the SSLSocketFactory to set it directly on the tlsClientParameters.

Does that contradict the behaviour you have seen @EXTERNALCOREWORKS ?