18 changed files with 1248 additions and 9365 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz
+SOURCES/openjdk-jdk17-jdk-17+33.tar.xz
-SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
+SOURCES/tapsets-icedtea-3.15.0.tar.xz
--- a/.java-17-openjdk.metadata
+++ b/.java-17-openjdk.metadata
@ -1,2 +1,2 @@
-95213324016613e314e5c97dc87f31a0576df00c SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz
+e2edecf5fbb3d791367caf2a0e148d643ad7e9cf SOURCES/openjdk-jdk17-jdk-17+33.tar.xz
-c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
+7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
--- a/SOURCES/CheckVendor.java
+++ b/SOURCES/CheckVendor.java
@ -1,65 +0,0 @@
 /* CheckVendor -- Check the vendor properties match specified values.
   Copyright (C) 2020 Red Hat, Inc.
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU Affero General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU Affero General Public License for more details.
 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 /**
 * @test
 */
 public class CheckVendor {
    public static void main(String[] args) {
        if (args.length < 4) {
            System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL> <VENDOR-VERSION-STRING>");
 	    System.exit(1);
 	}
 	String vendor = System.getProperty("java.vendor");
 	String expectedVendor = args[0];
 	String vendorURL = System.getProperty("java.vendor.url");
 	String expectedVendorURL = args[1];
 	String vendorBugURL = System.getProperty("java.vendor.url.bug");
 	String expectedVendorBugURL = args[2];
        String vendorVersionString = System.getProperty("java.vendor.version");
        String expectedVendorVersionString = args[3];
 	if (!expectedVendor.equals(vendor)) {
 	    System.err.printf("Invalid vendor %s, expected %s\n",
 			      vendor, expectedVendor);
 	    System.exit(2);
 	}
 	if (!expectedVendorURL.equals(vendorURL)) {
 	    System.err.printf("Invalid vendor URL %s, expected %s\n",
 			      vendorURL, expectedVendorURL);
 	    System.exit(3);
 	}
 	if (!expectedVendorBugURL.equals(vendorBugURL)) {
            System.err.printf("Invalid vendor bug URL %s, expected %s\n",
 			      vendorBugURL, expectedVendorBugURL);
 	    System.exit(4);
 	}
        if (!expectedVendorVersionString.equals(vendorVersionString)) {
            System.err.printf("Invalid vendor version string %s, expected %s\n",
                              vendorVersionString, expectedVendorVersionString);
 	    System.exit(5);
        }
        System.err.printf("Vendor information verified as %s, %s, %s, %s\n",
                          vendor, vendorURL, vendorBugURL, vendorVersionString);
    }
 }
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
--- a/SOURCES/TestSecurityProperties.java
+++ b/SOURCES/TestSecurityProperties.java
@ -1,20 +1,3 @@
 /* TestSecurityProperties -- Ensure system security properties can be used to
                             enable the crypto policies.
   Copyright (C) 2022 Red Hat, Inc.
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU Affero General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU Affero General Public License for more details.
 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 import java.io.File;
 import java.io.FileInputStream;
 import java.security.Security;
@ -26,59 +9,35 @@ public class TestSecurityProperties {
    // JDK 8
    private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
    private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
    private static final String MSG_PREFIX = "DEBUG: ";
    public static void main(String[] args) {
        if (args.length == 0) {
            System.err.println("TestSecurityProperties <true|false>");
            System.err.println("Invoke with 'true' if system security properties should be enabled.");
            System.err.println("Invoke with 'false' if system security properties should be disabled.");
            System.exit(1);
        }
        boolean enabled = Boolean.valueOf(args[0]);
        System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
        Properties jdkProps = new Properties();
        loadProperties(jdkProps);
        if (enabled) {
            loadPolicy(jdkProps);
        }
        for (Object key: jdkProps.keySet()) {
            String sKey = (String)key;
            String securityVal = Security.getProperty(sKey);
            String jdkSecVal = jdkProps.getProperty(sKey);
            if (!securityVal.equals(jdkSecVal)) {
-                String msg = "Expected value '" + jdkSecVal + "' for key '" +
+                String msg = "Expected value '" + jdkSecVal + "' for key '" + 
                             sKey + "'" + " but got value '" + securityVal + "'";
                throw new RuntimeException("Test failed! " + msg);
            } else {
-                System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
+                System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
            }
        }
        System.out.println("TestSecurityProperties PASSED!");
    }
-
+    
    private static void loadProperties(Properties props) {
        String javaVersion = System.getProperty("java.version");
-        System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
+        System.out.println("Debug: Java version is " + javaVersion);
        String propsFile = JDK_PROPS_FILE_JDK_11;
        if (javaVersion.startsWith("1.8.0")) {
            propsFile = JDK_PROPS_FILE_JDK_8;
        }
-        try (FileInputStream fin = new FileInputStream(propsFile)) {
+        try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
            props.load(fin);
        } catch (Exception e) {
            throw new RuntimeException("Test failed!", e);
        }
    }
    private static void loadPolicy(Properties props) {
        try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
            props.load(fin);
        } catch (Exception e) {
            throw new RuntimeException("Test failed!", e);
        }
    }
 }
--- a/SOURCES/TestTranslations.java
+++ b/SOURCES/TestTranslations.java
@ -1,160 +0,0 @@
 /* TestTranslations -- Ensure translations are available for new timezones
   Copyright (C) 2022 Red Hat, Inc.
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU Affero General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU Affero General Public License for more details.
 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 import java.text.DateFormatSymbols;
 import java.time.ZoneId;
 import java.time.format.TextStyle;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Locale;
 import java.util.Objects;
 import java.util.TimeZone;
 public class TestTranslations {
    private static Map<Locale,String[]> KYIV, CIUDAD_JUAREZ;
    static {
        Map<Locale,String[]> map = new HashMap<Locale,String[]>();
        map.put(Locale.US, new String[] { "Eastern European Standard Time", "GMT+02:00", "EET",
                                          "Eastern European Summer Time", "GMT+03:00", "EEST",
                                          "Eastern European Time", "GMT+02:00", "EET"});
        map.put(Locale.FRANCE, new String[] { "heure normale d\u2019Europe de l\u2019Est", "UTC+02:00", "EET",
                                              "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", "UTC+03:00", "EEST",
                                              "heure d\u2019Europe de l\u2019Est", "UTC+02:00", "EET"});
        map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Normalzeit", "OEZ", "OEZ",
                                               "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
                                               "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
        KYIV = Collections.unmodifiableMap(map);
        map = new HashMap<Locale,String[]>();
        map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST",
                                          "Mountain Daylight Time", "MDT", "MDT",
                                          "Mountain Time", "MT", "MT"});
        map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST",
                                              "heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MDT",
                                              "heure des Rocheuses", "UTC\u221207:00", "MT"});
        map.put(Locale.GERMANY, new String[] { "Rocky Mountain-Normalzeit", "GMT-07:00", "MST",
                                               "Rocky-Mountain-Sommerzeit", "GMT-06:00", "MDT",
                                               "Rocky-Mountain-Zeit", "GMT-07:00", "MT"});
        CIUDAD_JUAREZ = Collections.unmodifiableMap(map);
    }
    public static void main(String[] args) {
        if (args.length < 1) {
            System.err.println("Test must be started with the name of the locale provider.");
            System.exit(1);
        }
        System.out.println("Checking sanity of full zone string set...");
        boolean invalid = Arrays.stream(Locale.getAvailableLocales())
            .peek(l -> System.out.println("Locale: " + l))
            .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings())
            .flatMap(zs -> Arrays.stream(zs))
            .flatMap(names -> Arrays.stream(names))
            .filter(name -> Objects.isNull(name) || name.isEmpty())
            .findAny()
            .isPresent();
        if (invalid) {
            System.err.println("Zone string for a locale returned null or empty string");
            System.exit(2);
        }
        String localeProvider = args[0];
        testZone(localeProvider, KYIV,
                 new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" });
        testZone(localeProvider, CIUDAD_JUAREZ,
                 new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" });
    }
    private static void testZone(String localeProvider, Map<Locale,String[]> exp, String[] ids) {
        for (Locale l : exp.keySet()) {
            String[] expected = exp.get(l);
            System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected));
            for (String id : ids) {
                String expectedShortStd = null;
                String expectedShortDST = null;
                String expectedShortGen = null;
                System.out.printf("Checking locale %s for %s...\n", l, id);
                if ("JRE".equals(localeProvider)) {
                    expectedShortStd = expected[2];
                    expectedShortDST = expected[5];
                    expectedShortGen = expected[8];
                } else if ("CLDR".equals(localeProvider)) {
                    expectedShortStd = expected[1];
                    expectedShortDST = expected[4];
                    expectedShortGen = expected[7];
                } else {
                    System.err.printf("Invalid locale provider %s\n", localeProvider);
                    System.exit(3);
                }
                System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n",
                                  localeProvider, expectedShortStd, expectedShortDST, expectedShortGen);
                String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l);
                String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l);
                String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l);
                String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l);
                String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l);
                String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l);
                if (!expected[0].equals(longStd)) {
                    System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
                                      id, l, longStd, expected[0]);
                    System.exit(4);
                }
                if (!expectedShortStd.equals(shortStd)) {
                    System.err.printf("Short standard display name for %s in %s was %s, expected %s\n",
                                      id, l, shortStd, expectedShortStd);
                    System.exit(5);
                }
                if (!expected[3].equals(longDST)) {
                    System.err.printf("Long DST display name for %s in %s was %s, expected %s\n",
                                      id, l, longDST, expected[3]);
                    System.exit(6);
                }
                if (!expectedShortDST.equals(shortDST)) {
                    System.err.printf("Short DST display name for %s in %s was %s, expected %s\n",
                                      id, l, shortDST, expectedShortDST);
                    System.exit(7);
                }
                if (!expected[6].equals(longGen)) {
                    System.err.printf("Long generic display name for %s in %s was %s, expected %s\n",
                                      id, l, longGen, expected[6]);
                    System.exit(8);
                }
                if (!expectedShortGen.equals(shortGen)) {
                    System.err.printf("Short generic display name for %s in %s was %s, expected %s\n",
                                      id, l, shortGen, expectedShortGen);
                    System.exit(9);
                }
            }
        }
    }
 }
--- a/SOURCES/fips-17u-72d08e3226f.patch
+++ b/SOURCES/fips-17u-72d08e3226f.patch
--- a/SOURCES/jconsole.desktop.in
+++ b/SOURCES/jconsole.desktop.in
@ -1,8 +1,8 @@
 [Desktop Entry]
-Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@)
+Name=OpenJDK @JAVA_MAJOR_VERSION@ Monitoring & Management Console @ARCH@
-Comment=Monitor and manage OpenJDK applications
+Comment=Monitor and manage OpenJDK @JAVA_MAJOR_VERSION@ applications for @ARCH@
-Exec=_SDKBINDIR_/jconsole
+Exec=@JAVA_HOME@/jconsole
-Icon=java-@JAVA_VER@-@JAVA_VENDOR@
+Icon=java-@JAVA_MAJOR_VERSION@-@JAVA_VENDOR@
 Terminal=false
 Type=Application
 StartupWMClass=sun-tools-jconsole-JConsole
--- a/SOURCES/nss.fips.cfg.in
+++ b/SOURCES/nss.fips.cfg.in
@ -0,0 +1,6 @@
 name = NSS-FIPS
 nssLibraryDirectory = @NSS_LIBDIR@
 nssSecmodDirectory = @NSS_SECMOD@
 nssDbMode = readOnly
 nssModule = fips
--- a/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+++ b/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
@ -0,0 +1,88 @@
 # HG changeset patch
 # User andrew
 # Date 1478057514 0
 # Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
 # Parent  3d53f19b48384e5252f4ec8891f7a3a82d77af2a
 PR3183: Support Fedora/RHEL system crypto policy
 diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java
 --- a/src/java.base/share/classes/java/security/Security.java	Wed Oct 26 03:51:39 2016 +0100
 +++ b/src/java.base/share/classes/java/security/Security.java	Wed Nov 02 03:31:54 2016 +0000
@@ -43,6 +43,9 @@
  * implementation-specific location, which is typically the properties file
  * {@code conf/security/java.security} in the Java installation directory.
  *
 + * <p>Additional default values of security properties are read from a
 + * system-specific location, if available.</p>
 + *
  * @author Benjamin Renaud
  * @since 1.1
  */
@@ -52,6 +55,10 @@
     private static final Debug sdebug =
                         Debug.getInstance("properties");
 +    /* System property file*/
 +    private static final String SYSTEM_PROPERTIES =
 +        "/etc/crypto-policies/back-ends/java.config";
 +
     /* The java.security properties */
     private static Properties props;
@@ -93,6 +100,7 @@
                 if (sdebug != null) {
                     sdebug.println("reading security properties file: " +
                                 propFile);
 +                    sdebug.println(props.toString());
                 }
             } catch (IOException e) {
                 if (sdebug != null) {
@@ -114,6 +122,31 @@
         }
         if ("true".equalsIgnoreCase(props.getProperty
 +                ("security.useSystemPropertiesFile"))) {
 +
 +            // now load the system file, if it exists, so its values
 +            // will win if they conflict with the earlier values
 +            try (BufferedInputStream bis =
 +                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
 +                props.load(bis);
 +                loadedProps = true;
 +
 +                if (sdebug != null) {
 +                    sdebug.println("reading system security properties file " +
 +                                   SYSTEM_PROPERTIES);
 +                    sdebug.println(props.toString());
 +                }
 +            } catch (IOException e) {
 +                if (sdebug != null) {
 +                    sdebug.println
 +                        ("unable to load security properties from " +
 +                         SYSTEM_PROPERTIES);
 +                    e.printStackTrace();
 +                }
 +            }
 +        }
 +
 +        if ("true".equalsIgnoreCase(props.getProperty
                 ("security.overridePropertiesFile"))) {
             String extraPropFile = System.getProperty
 diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security
 --- a/src/java.base/share/conf/security/java.security	Wed Oct 26 03:51:39 2016 +0100
 +++ b/src/java.base/share/conf/security/java.security	Wed Nov 02 03:31:54 2016 +0000
@@ -276,6 +276,13 @@
 security.overridePropertiesFile=true
 #
 +# Determines whether this properties file will be appended to
 +# using the system properties file stored at
 +# /etc/crypto-policies/back-ends/java.config
 +#
 +security.useSystemPropertiesFile=true
 +
 +#
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.
 #
--- a/SOURCES/pr3695-toggle_system_crypto_policy.patch
+++ b/SOURCES/pr3695-toggle_system_crypto_policy.patch
@ -0,0 +1,78 @@
 # HG changeset patch
 # User andrew
 # Date 1545198926 0
 #      Wed Dec 19 05:55:26 2018 +0000
 # Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
 # Parent  81f07f6d1f8b7b51b136d3974c61bc8bb513770c
 PR3695: Allow use of system crypto policy to be disabled by the user
 Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
 diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
 --- a/src/java.base/share/classes/java/security/Security.java
 +++ b/src/java.base/share/classes/java/security/Security.java
@@ -125,31 +125,6 @@
         }
         if ("true".equalsIgnoreCase(props.getProperty
 -                ("security.useSystemPropertiesFile"))) {
 -
 -            // now load the system file, if it exists, so its values
 -            // will win if they conflict with the earlier values
 -            try (BufferedInputStream bis =
 -                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
 -                props.load(bis);
 -                loadedProps = true;
 -
 -                if (sdebug != null) {
 -                    sdebug.println("reading system security properties file " +
 -                                   SYSTEM_PROPERTIES);
 -                    sdebug.println(props.toString());
 -                }
 -            } catch (IOException e) {
 -                if (sdebug != null) {
 -                    sdebug.println
 -                        ("unable to load security properties from " +
 -                         SYSTEM_PROPERTIES);
 -                    e.printStackTrace();
 -                }
 -            }
 -        }
 -
 -        if ("true".equalsIgnoreCase(props.getProperty
                 ("security.overridePropertiesFile"))) {
             String extraPropFile = System.getProperty
@@ -215,6 +190,33 @@
             }
         }
 +        String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
 +        if (disableSystemProps == null &&
 +            "true".equalsIgnoreCase(props.getProperty
 +                ("security.useSystemPropertiesFile"))) {
 +
 +            // now load the system file, if it exists, so its values
 +            // will win if they conflict with the earlier values
 +            try (BufferedInputStream bis =
 +                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
 +                props.load(bis);
 +                loadedProps = true;
 +
 +                if (sdebug != null) {
 +                    sdebug.println("reading system security properties file " +
 +                                   SYSTEM_PROPERTIES);
 +                    sdebug.println(props.toString());
 +                }
 +            } catch (IOException e) {
 +                if (sdebug != null) {
 +                    sdebug.println
 +                        ("unable to load security properties from " +
 +                         SYSTEM_PROPERTIES);
 +                    e.printStackTrace();
 +                }
 +            }
 +        }
 +
         if (!loadedProps) {
             initializeStatic();
             if (sdebug != null) {
--- a/SOURCES/remove-intree-libraries.sh
+++ b/SOURCES/remove-intree-libraries.sh
@ -5,7 +5,6 @@ TREE=${1}
 TYPE=${2}
 ZIP_SRC=src/java.base/share/native/libzip/zlib/
 FREETYPE_SRC=src/java.desktop/share/native/libfreetype/
 JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
 GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
 PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
@ -32,21 +31,15 @@ cd ${TREE}
 echo "Removing built-in libs (they will be linked)"
-# On full runs, allow for zlib & freetype having already been deleted by minimal
+# On full runs, allow for zlib having already been deleted by minimal
 echo "Removing zlib"
 if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
 	echo "${ZIP_SRC} does not exist. Refusing to proceed."
 	exit 1
 fi	
 rm -rvf ${ZIP_SRC}
 echo "Removing freetype"
 if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then
 	echo "${FREETYPE_SRC} does not exist. Refusing to proceed."
 	exit 1
 fi
 rm -rvf ${FREETYPE_SRC}
-# Minimal is limited to just zlib and freetype so finish here
+# Minimal is limited to just zlib so finish here
 if test "x${TYPE}" = "xminimal"; then
    echo "Finished.";
    exit 0;
--- a/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+++ b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@ -1,7 +1,7 @@
-diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
+diff --git openjdk/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security
-index adfaf57d29e..abf89bbf327 100644
+index 534bdae5a16..2df2b59cbf6 100644
--- a/src/java.base/share/conf/security/java.security
+--- openjdk/src/java.base/share/conf/security/java.security
-+++ b/src/java.base/share/conf/security/java.security
+++ openjdk/src/java.base/share/conf/security/java.security
@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
 security.provider.tbd=Apple
 #endif
@ -9,4 +9,4 @@ index adfaf57d29e..abf89bbf327 100644
 +#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
 #
- # Security providers used when FIPS mode support is active
+ # A list of preferred providers for specific algorithms. These providers will
--- a/SOURCES/rh1655466-global_crypto_and_fips.patch
+++ b/SOURCES/rh1655466-global_crypto_and_fips.patch
@ -0,0 +1,205 @@
 diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
 --- openjdk.orig/src/java.base/share/classes/java/security/Security.java
 +++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -196,26 +196,8 @@
         if (disableSystemProps == null &&
             "true".equalsIgnoreCase(props.getProperty
                 ("security.useSystemPropertiesFile"))) {
 -
 -            // now load the system file, if it exists, so its values
 -            // will win if they conflict with the earlier values
 -            try (BufferedInputStream bis =
 -                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
 -                props.load(bis);
 +            if (SystemConfigurator.configure(props)) {
                 loadedProps = true;
 -
 -                if (sdebug != null) {
 -                    sdebug.println("reading system security properties file " +
 -                                   SYSTEM_PROPERTIES);
 -                    sdebug.println(props.toString());
 -                }
 -            } catch (IOException e) {
 -                if (sdebug != null) {
 -                    sdebug.println
 -                        ("unable to load security properties from " +
 -                         SYSTEM_PROPERTIES);
 -                    e.printStackTrace();
 -                }
             }
         }
 diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
 new file mode 100644
 --- /dev/null
 +++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -0,0 +1,151 @@
 +/*
 + * Copyright (c) 2019, Red Hat, Inc.
 + *
 + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 + *
 + * This code is free software; you can redistribute it and/or modify it
 + * under the terms of the GNU General Public License version 2 only, as
 + * published by the Free Software Foundation.
 + *
 + * This code is distributed in the hope that it will be useful, but WITHOUT
 + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 + * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 + * version 2 for more details (a copy is included in the LICENSE file that
 + * accompanied this code).
 + *
 + * You should have received a copy of the GNU General Public License version
 + * 2 along with this work; if not, write to the Free Software Foundation,
 + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 + *
 + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 + * or visit www.oracle.com if you need additional information or have any
 + * questions.
 + */
 +
 +package java.security;
 +
 +import java.io.BufferedInputStream;
 +import java.io.FileInputStream;
 +import java.io.IOException;
 +
 +import java.nio.file.Files;
 +import java.nio.file.Path;
 +
 +import java.util.Iterator;
 +import java.util.Map.Entry;
 +import java.util.Properties;
 +import java.util.function.Consumer;
 +import java.util.regex.Matcher;
 +import java.util.regex.Pattern;
 +
 +import sun.security.util.Debug;
 +
 +/**
 + * Internal class to align OpenJDK with global crypto-policies.
 + * Called from java.security.Security class initialization,
 + * during startup.
 + *
 + */
 +
 +class SystemConfigurator {
 +
 +    private static final Debug sdebug =
 +            Debug.getInstance("properties");
 +
 +    private static final String CRYPTO_POLICIES_BASE_DIR =
 +            "/etc/crypto-policies";
 +
 +    private static final String CRYPTO_POLICIES_JAVA_CONFIG =
 +            CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
 +
 +    private static final String CRYPTO_POLICIES_CONFIG =
 +            CRYPTO_POLICIES_BASE_DIR + "/config";
 +
 +    private static final class SecurityProviderInfo {
 +        int number;
 +        String key;
 +        String value;
 +        SecurityProviderInfo(int number, String key, String value) {
 +            this.number = number;
 +            this.key = key;
 +            this.value = value;
 +        }
 +    }
 +
 +    /*
 +     * Invoked when java.security.Security class is initialized, if
 +     * java.security.disableSystemPropertiesFile property is not set and
 +     * security.useSystemPropertiesFile is true.
 +     */
 +    static boolean configure(Properties props) {
 +        boolean loadedProps = false;
 +
 +        try (BufferedInputStream bis =
 +                new BufferedInputStream(
 +                        new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
 +            props.load(bis);
 +            loadedProps = true;
 +            if (sdebug != null) {
 +                sdebug.println("reading system security properties file " +
 +                        CRYPTO_POLICIES_JAVA_CONFIG);
 +                sdebug.println(props.toString());
 +            }
 +        } catch (IOException e) {
 +            if (sdebug != null) {
 +                sdebug.println("unable to load security properties from " +
 +                        CRYPTO_POLICIES_JAVA_CONFIG);
 +                e.printStackTrace();
 +            }
 +        }
 +
 +        try {
 +            if (enableFips()) {
 +                if (sdebug != null) { sdebug.println("FIPS mode detected"); }
 +                loadedProps = false;
 +                // Remove all security providers
 +                Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
 +                while (i.hasNext()) {
 +                    Entry<Object, Object> e = i.next();
 +                    if (((String) e.getKey()).startsWith("security.provider")) {
 +                        if (sdebug != null) { sdebug.println("Removing provider: " + e); }
 +                        i.remove();
 +                    }
 +                }
 +                // Add FIPS security providers
 +                String fipsProviderValue = null;
 +                for (int n = 1;
 +                     (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
 +                    String fipsProviderKey = "security.provider." + n;
 +                    if (sdebug != null) {
 +                        sdebug.println("Adding provider " + n + ": " +
 +                                fipsProviderKey + "=" + fipsProviderValue);
 +                    }
 +                    props.put(fipsProviderKey, fipsProviderValue);
 +                }
 +                loadedProps = true;
 +            }
 +        } catch (Exception e) {
 +            if (sdebug != null) {
 +                sdebug.println("unable to load FIPS configuration");
 +                e.printStackTrace();
 +            }
 +        }
 +        return loadedProps;
 +    }
 +
 +    /*
 +     * FIPS is enabled only if crypto-policies are set to "FIPS"
 +     * and the com.redhat.fips property is true.
 +     */
 +    private static boolean enableFips() throws Exception {
 +        boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
 +        if (fipsEnabled) {
 +            String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
 +            if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
 +            Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
 +            return pattern.matcher(cryptoPoliciesConfig).find();
 +        } else {
 +            return false;
 +        }
 +    }
 +}
 diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
 --- openjdk.orig/src/java.base/share/conf/security/java.security
 +++ openjdk/src/java.base/share/conf/security/java.security
@@ -87,6 +87,14 @@
 #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
 #
 +# Security providers used when global crypto-policies are set to FIPS.
 +#
 +fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
 +fips.provider.2=SUN
 +fips.provider.3=SunEC
 +fips.provider.4=SunJSSE
 +
 +#
 # A list of preferred providers for specific algorithms. These providers will
 # be searched for matching algorithms before the list of registered providers.
 # Entries containing errors (parsing, etc) will be ignored. Use the
--- a/SOURCES/rh1818909-fips_default_keystore_type.patch
+++ b/SOURCES/rh1818909-fips_default_keystore_type.patch
@ -0,0 +1,52 @@
 diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
 --- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java	Thu Jan 23 18:22:31 2020 -0300
 +++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java	Mon Mar 02 19:20:17 2020 -0300
@@ -123,6 +123,33 @@
                     }
                     props.put(fipsProviderKey, fipsProviderValue);
                 }
 +                // Add other security properties
 +                String keystoreTypeValue = (String) props.get("fips.keystore.type");
 +                if (keystoreTypeValue != null) {
 +                    String nonFipsKeystoreType = props.getProperty("keystore.type");
 +                    props.put("keystore.type", keystoreTypeValue);
 +                    if (keystoreTypeValue.equals("PKCS11")) {
 +                    	// If keystore.type is PKCS11, javax.net.ssl.keyStore
 +                    	// must be "NONE". See JDK-8238264.
 +                    	System.setProperty("javax.net.ssl.keyStore", "NONE");
 +                    }
 +                    if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
 +                        // If no trustStoreType has been set, use the
 +                        // previous keystore.type under FIPS mode. In
 +                        // a default configuration, the Trust Store will
 +                        // be 'cacerts' (JKS type).
 +                        System.setProperty("javax.net.ssl.trustStoreType",
 +                                nonFipsKeystoreType);
 +                    }
 +                    if (sdebug != null) {
 +                        sdebug.println("FIPS mode default keystore.type = " +
 +                                keystoreTypeValue);
 +                        sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
 +                        		System.getProperty("javax.net.ssl.keyStore", ""));
 +                        sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
 +                                System.getProperty("javax.net.ssl.trustStoreType", ""));
 +                    }
 +                }
                 loadedProps = true;
             }
         } catch (Exception e) {
 diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
 --- openjdk.orig/src/java.base/share/conf/security/java.security	Thu Jan 23 18:22:31 2020 -0300
 +++ openjdk/src/java.base/share/conf/security/java.security	Mon Mar 02 19:20:17 2020 -0300
@@ -299,6 +299,11 @@
 keystore.type=pkcs12
 #
 +# Default keystore type used when global crypto-policies are set to FIPS.
 +#
 +fips.keystore.type=PKCS11
 +
 +#
 # Controls compatibility mode for JKS and PKCS12 keystore types.
 #
 # When set to 'true', both JKS and PKCS12 keystore types support loading
--- a/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
+++ b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
@ -0,0 +1,318 @@
 diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
 index f9baf8c9742..60fa75cab45 100644
 --- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
 +++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -1,11 +1,13 @@
 /*
 - * Copyright (c) 2019, Red Hat, Inc.
 + * Copyright (c) 2019, 2020, Red Hat, Inc.
  *
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License version 2 only, as
 - * published by the Free Software Foundation.
 + * published by the Free Software Foundation.  Oracle designates this
 + * particular file as subject to the "Classpath" exception as provided
 + * by Oracle in the LICENSE file that accompanied this code.
  *
  * This code is distributed in the hope that it will be useful, but WITHOUT
  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
@@ -34,10 +36,10 @@ import java.nio.file.Path;
 import java.util.Iterator;
 import java.util.Map.Entry;
 import java.util.Properties;
 -import java.util.function.Consumer;
 -import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 +import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
 +import jdk.internal.access.SharedSecrets;
 import sun.security.util.Debug;
 /**
@@ -47,7 +49,7 @@ import sun.security.util.Debug;
  *
  */
 -class SystemConfigurator {
 +final class SystemConfigurator {
     private static final Debug sdebug =
             Debug.getInstance("properties");
@@ -61,15 +63,16 @@ class SystemConfigurator {
     private static final String CRYPTO_POLICIES_CONFIG =
             CRYPTO_POLICIES_BASE_DIR + "/config";
 -    private static final class SecurityProviderInfo {
 -        int number;
 -        String key;
 -        String value;
 -        SecurityProviderInfo(int number, String key, String value) {
 -            this.number = number;
 -            this.key = key;
 -            this.value = value;
 -        }
 +    private static boolean systemFipsEnabled = false;
 +
 +    static {
 +        SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
 +            new JavaSecuritySystemConfiguratorAccess() {
 +                @Override
 +                public boolean isSystemFipsEnabled() {
 +                    return SystemConfigurator.isSystemFipsEnabled();
 +                }
 +            });
     }
     /*
@@ -128,9 +131,9 @@ class SystemConfigurator {
                     String nonFipsKeystoreType = props.getProperty("keystore.type");
                     props.put("keystore.type", keystoreTypeValue);
                     if (keystoreTypeValue.equals("PKCS11")) {
 -                    	// If keystore.type is PKCS11, javax.net.ssl.keyStore
 -                    	// must be "NONE". See JDK-8238264.
 -                    	System.setProperty("javax.net.ssl.keyStore", "NONE");
 +                        // If keystore.type is PKCS11, javax.net.ssl.keyStore
 +                        // must be "NONE". See JDK-8238264.
 +                        System.setProperty("javax.net.ssl.keyStore", "NONE");
                     }
                     if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
                         // If no trustStoreType has been set, use the
@@ -144,12 +147,13 @@ class SystemConfigurator {
                         sdebug.println("FIPS mode default keystore.type = " +
                                 keystoreTypeValue);
                         sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
 -                        		System.getProperty("javax.net.ssl.keyStore", ""));
 +                                System.getProperty("javax.net.ssl.keyStore", ""));
                         sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
                                 System.getProperty("javax.net.ssl.trustStoreType", ""));
                     }
                 }
                 loadedProps = true;
 +                systemFipsEnabled = true;
             }
         } catch (Exception e) {
             if (sdebug != null) {
@@ -160,13 +164,30 @@ class SystemConfigurator {
         return loadedProps;
     }
 +    /**
 +     * Returns whether or not global system FIPS alignment is enabled.
 +     *
 +     * Value is always 'false' before java.security.Security class is
 +     * initialized.
 +     *
 +     * Call from out of this package through SharedSecrets:
 +     *   SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
 +     *           .isSystemFipsEnabled();
 +     *
 +     * @return  a boolean value indicating whether or not global
 +     *          system FIPS alignment is enabled.
 +     */
 +    static boolean isSystemFipsEnabled() {
 +        return systemFipsEnabled;
 +    }
 +
     /*
      * FIPS is enabled only if crypto-policies are set to "FIPS"
      * and the com.redhat.fips property is true.
      */
     private static boolean enableFips() throws Exception {
 -        boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
 -        if (fipsEnabled) {
 +        boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
 +        if (shouldEnable) {
             String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
             if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
             Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
 diff --git openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
 new file mode 100644
 index 00000000000..a31e93ec02e
 --- /dev/null
 +++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
@@ -0,0 +1,30 @@
 +/*
 + * Copyright (c) 2020, Red Hat, Inc.
 + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 + *
 + * This code is free software; you can redistribute it and/or modify it
 + * under the terms of the GNU General Public License version 2 only, as
 + * published by the Free Software Foundation.  Oracle designates this
 + * particular file as subject to the "Classpath" exception as provided
 + * by Oracle in the LICENSE file that accompanied this code.
 + *
 + * This code is distributed in the hope that it will be useful, but WITHOUT
 + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 + * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 + * version 2 for more details (a copy is included in the LICENSE file that
 + * accompanied this code).
 + *
 + * You should have received a copy of the GNU General Public License version
 + * 2 along with this work; if not, write to the Free Software Foundation,
 + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 + *
 + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 + * or visit www.oracle.com if you need additional information or have any
 + * questions.
 + */
 +
 +package jdk.internal.access;
 +
 +public interface JavaSecuritySystemConfiguratorAccess {
 +    boolean isSystemFipsEnabled();
 +}
 diff --git openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
 index f6d3638c3dd..5a2c9eb0c46 100644
 --- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
 +++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
@@ -81,6 +81,7 @@ public class SharedSecrets {
     private static JavaSecuritySpecAccess javaSecuritySpecAccess;
     private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
     private static JavaxCryptoSpecAccess javaxCryptoSpecAccess;
 +    private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
     public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {
         javaUtilCollectionAccess = juca;
@@ -442,4 +443,12 @@ public class SharedSecrets {
             MethodHandles.lookup().ensureInitialized(c);
         } catch (IllegalAccessException e) {}
     }
 +
 +    public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
 +        javaSecuritySystemConfiguratorAccess = jssca;
 +    }
 +
 +    public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
 +        return javaSecuritySystemConfiguratorAccess;
 +    }
 }
 diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
 index 6ffdfeda18d..775b185fb06 100644
 --- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
 +++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -32,6 +32,7 @@ import java.security.cert.*;
 import java.util.*;
 import java.util.concurrent.locks.ReentrantLock;
 import javax.net.ssl.*;
 +import jdk.internal.access.SharedSecrets;
 import sun.security.action.GetPropertyAction;
 import sun.security.provider.certpath.AlgorithmChecker;
 import sun.security.validator.Validator;
@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi {
         private static final List<CipherSuite> serverDefaultCipherSuites;
         static {
 -            supportedProtocols = Arrays.asList(
 -                ProtocolVersion.TLS13,
 -                ProtocolVersion.TLS12,
 -                ProtocolVersion.TLS11,
 -                ProtocolVersion.TLS10,
 -                ProtocolVersion.SSL30,
 -                ProtocolVersion.SSL20Hello
 -            );
 -
 -            serverDefaultProtocols = getAvailableProtocols(
 -                    new ProtocolVersion[] {
 -                ProtocolVersion.TLS13,
 -                ProtocolVersion.TLS12,
 -                ProtocolVersion.TLS11,
 -                ProtocolVersion.TLS10
 -            });
 +            if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
 +                    .isSystemFipsEnabled()) {
 +                // RH1860986: TLSv1.3 key derivation not supported with
 +                // the Security Providers available in system FIPS mode.
 +                supportedProtocols = Arrays.asList(
 +                    ProtocolVersion.TLS12,
 +                    ProtocolVersion.TLS11,
 +                    ProtocolVersion.TLS10
 +                );
 +
 +                serverDefaultProtocols = getAvailableProtocols(
 +                        new ProtocolVersion[] {
 +                    ProtocolVersion.TLS12,
 +                    ProtocolVersion.TLS11,
 +                    ProtocolVersion.TLS10
 +                });
 +            } else {
 +                supportedProtocols = Arrays.asList(
 +                    ProtocolVersion.TLS13,
 +                    ProtocolVersion.TLS12,
 +                    ProtocolVersion.TLS11,
 +                    ProtocolVersion.TLS10,
 +                    ProtocolVersion.SSL30,
 +                    ProtocolVersion.SSL20Hello
 +                );
 +
 +                serverDefaultProtocols = getAvailableProtocols(
 +                        new ProtocolVersion[] {
 +                    ProtocolVersion.TLS13,
 +                    ProtocolVersion.TLS12,
 +                    ProtocolVersion.TLS11,
 +                    ProtocolVersion.TLS10
 +                });
 +            }
             supportedCipherSuites = getApplicableSupportedCipherSuites(
                     supportedProtocols);
@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi {
             ProtocolVersion[] candidates;
             if (refactored.isEmpty()) {
                 // Client and server use the same default protocols.
 -                candidates = new ProtocolVersion[] {
 -                        ProtocolVersion.TLS13,
 -                        ProtocolVersion.TLS12,
 -                        ProtocolVersion.TLS11,
 -                        ProtocolVersion.TLS10
 -                    };
 +                if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
 +                        .isSystemFipsEnabled()) {
 +                    // RH1860986: TLSv1.3 key derivation not supported with
 +                    // the Security Providers available in system FIPS mode.
 +                    candidates = new ProtocolVersion[] {
 +                            ProtocolVersion.TLS12,
 +                            ProtocolVersion.TLS11,
 +                            ProtocolVersion.TLS10
 +                        };
 +                } else {
 +                    candidates = new ProtocolVersion[] {
 +                            ProtocolVersion.TLS13,
 +                            ProtocolVersion.TLS12,
 +                            ProtocolVersion.TLS11,
 +                            ProtocolVersion.TLS10
 +                        };
 +                }
             } else {
                 // Use the customized TLS protocols.
                 candidates =
 diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
 index 894e26dfad8..8b16378b96b 100644
 --- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
 +++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
@@ -27,6 +27,8 @@ package sun.security.ssl;
 import java.security.*;
 import java.util.*;
 +
 +import jdk.internal.access.SharedSecrets;
 import static sun.security.util.SecurityConstants.PROVIDER_VER;
 /**
@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider {
             "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
         ps("SSLContext", "TLSv1.2",
             "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
 -        ps("SSLContext", "TLSv1.3",
 -            "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
 +        if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
 +                .isSystemFipsEnabled()) {
 +            // RH1860986: TLSv1.3 key derivation not supported with
 +            // the Security Providers available in system FIPS mode.
 +            ps("SSLContext", "TLSv1.3",
 +                "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
 +        }
         ps("SSLContext", "TLS",
             "sun.security.ssl.SSLContextImpl$TLSContext",
             List.of("SSL"), null);
--- a/SOURCES/rh1915071-always_initialise_configurator_access.patch
+++ b/SOURCES/rh1915071-always_initialise_configurator_access.patch
@ -0,0 +1,70 @@
 diff --git openjdk/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
 index f1633afb627..ce32c939253 100644
 --- openjdk/src/java.base/share/classes/java/security/Security.java
 +++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -32,6 +32,7 @@ import java.net.URL;
 import jdk.internal.event.EventHelper;
 import jdk.internal.event.SecurityPropertyModificationEvent;
 +import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
 import jdk.internal.access.SharedSecrets;
 import jdk.internal.util.StaticProperty;
 import sun.security.util.Debug;
@@ -74,6 +75,15 @@ public final class Security {
     }
     static {
 +        // Initialise here as used by code with system properties disabled
 +        SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
 +            new JavaSecuritySystemConfiguratorAccess() {
 +                @Override
 +                public boolean isSystemFipsEnabled() {
 +                    return SystemConfigurator.isSystemFipsEnabled();
 +                }
 +            });
 +
         // doPrivileged here because there are multiple
         // things in initialize that might require privs.
         // (the FileInputStream call and the File.exists call,
@@ -194,9 +204,8 @@ public final class Security {
         }
         String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
 -        if (disableSystemProps == null &&
 -            "true".equalsIgnoreCase(props.getProperty
 -                ("security.useSystemPropertiesFile"))) {
 +        if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
 +            "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
             if (SystemConfigurator.configure(props)) {
                 loadedProps = true;
             }
 diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
 index 60fa75cab45..10b54aa4ce4 100644
 --- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
 +++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -38,8 +38,6 @@ import java.util.Map.Entry;
 import java.util.Properties;
 import java.util.regex.Pattern;
 -import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
 -import jdk.internal.access.SharedSecrets;
 import sun.security.util.Debug;
 /**
@@ -65,16 +63,6 @@ final class SystemConfigurator {
     private static boolean systemFipsEnabled = false;
 -    static {
 -        SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
 -            new JavaSecuritySystemConfiguratorAccess() {
 -                @Override
 -                public boolean isSystemFipsEnabled() {
 -                    return SystemConfigurator.isSystemFipsEnabled();
 -                }
 -            });
 -    }
 -
     /*
      * Invoked when java.security.Security class is initialized, if
      * java.security.disableSystemPropertiesFile property is not set and
--- a/SPECS/java-17-openjdk.spec
+++ b/SPECS/java-17-openjdk.spec
`@ -1,2 +1,2 @@`
	`SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz`	`SOURCES/openjdk-jdk17-jdk-17+33.tar.xz`
	`SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz`	`SOURCES/tapsets-icedtea-3.15.0.tar.xz`
`@ -1,2 +1,2 @@`
	`95213324016613e314e5c97dc87f31a0576df00c SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz`	`e2edecf5fbb3d791367caf2a0e148d643ad7e9cf SOURCES/openjdk-jdk17-jdk-17+33.tar.xz`
	`c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz`	`7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz`