Bug 1203407

Summary: tomcatjss: missing ciphers
Product: Red Hat Enterprise Linux 7 Reporter: Christina Fu <cfu>
Component: tomcatjss    Assignee: Christina Fu <cfu>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3CC: arubin, cfu, dennis, edewata, extras-qa, gsterlin, jdennis, mharmsen, nkinder, rpattath, tscherf
Target Milestone: rc   
Target Release: 7.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: tomcatjss-7.1.2-3.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1203404 Environment:
Last Closed: 2016-11-04 06:35:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1203404    
Bug Blocks:    

Description Christina Fu 2015-03-18 18:39:08 UTC
+++ This bug was initially created as a clone of Bug #1203404 +++

Description of problem:

It appears that tomcatjss has a few missing ciphers.

In eccCipherMap, but missing in cipherMap:
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Need to add to cipherMap:
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Nathan Kinder 2015-03-26 18:32:55 UTC
This results in annoying error messages in the tomcat error log for IPA.  This is a simple fix, so we should address it for RHEL 7.2.

Comment 4 Matthew Harmsen 2016-01-07 02:16:33 UTC
Per discussions in the RHEL 7.3 Triage meeting of 01/06/2016: priority medium

Comment 7 Christina Fu 2016-06-30 22:49:47 UTC
tomcatjss has not yet been built.  This is just for the record for changes on the Dogtag side:
Pushed to master

commit f0ad71e8a4fbae665a6b4875cce5b82895ad74f0
Author: Christina Fu <cfu>
Date:   Thu Jun 30 15:01:42 2016 -0700

    Bugzilla #1203407 tomcatjss: missing ciphers
    
    This patch removes references to the ciphers currently unsupported by NSS:
        TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
        TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256

Comment 9 Fedora Update System 2016-07-05 22:08:59 UTC
tomcatjss-7.1.4-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-167163e928

Comment 10 Fedora Update System 2016-07-10 16:01:23 UTC
tomcatjss-7.1.4-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-167163e928

Comment 11 Roshni 2016-08-09 19:55:40 UTC
[root@auto-hv-02-guest02 ~]# rpm -q tomcatjss
tomcatjss-7.1.2-3.el7.noarch

The ciphers specified in the bug description exist in server.xml. Seeing the following log messages in ipaserver-install.log

2016-08-09T19:28:10Z DEBUG Connecting: 10.19.34.7:0
2016-08-09T19:28:10Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-08-09T19:28:10Z DEBUG cert valid True for "CN=auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com,O=IDMQE.LAB.ENG.BOS.REDHAT.COM"
2016-08-09T19:28:10Z DEBUG handshake complete, peer = 10.19.34.7:8443
2016-08-09T19:28:10Z DEBUG Protocol: TLS1.2
2016-08-09T19:28:10Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-08-09T19:28:10Z DEBUG response status 500
2016-08-09T19:28:10Z DEBUG response headers {'content-length': '6208', 'content-language': 'en', 'server': 'Apache-Coyote/1.1', 'connection': 'close', 'date': 'Tue, 09 Aug 2016 19:28:09 GMT', 'content-type': 'text/html;charset=utf-8'}
2016-08-09T19:28:10Z DEBUG Failed to enable profile '%s' (it is probably already enabled)
2016-08-09T19:28:10Z DEBUG request GET https://auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com:8443/ca/rest/account/logout
2016-08-09T19:28:10Z DEBUG request body ''

Comment 12 Christina Fu 2016-08-09 23:34:25 UTC
For QE:
I thought I put this info down somewhere, but can't seem to find it.  Before this fix, when you start the CS server, you would find something like 
"cipher.... unsupported by NSS " in journalctl.

With this patch, you should not see it.
You can install an earlier tomcatjss version to see the difference.

Comment 13 Roshni 2016-08-10 19:09:52 UTC
[root@bkr-hv03-guest35 ~]# rpm -qi tomcatjss
Name        : tomcatjss
Version     : 7.1.2
Release     : 3.el7
Architecture: noarch
Install Date: Wed 10 Aug 2016 02:24:37 PM EDT
Group       : System Environment/Libraries
Size        : 49750
License     : LGPLv2+
Signature   : RSA/SHA256, Wed 27 Jul 2016 12:24:08 PM EDT, Key ID 938a80caf21541eb
Source RPM  : tomcatjss-7.1.2-3.el7.src.rpm
Build Date  : Tue 05 Jul 2016 01:59:11 PM EDT
Build Host  : x86-037.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : JSSE implementation using JSS for Tomcat

Verification steps:

1. ipa-server-install
Do not see the message "<cipher> not recognized by tomcatjss" in journalctl
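The mismatch described in the bug (names present in eccCipherMap but absent from cipherMap, plus the three 3DES names that had to be added) and the verification step above can be checked offline before the server logs an unrecognised cipher. This is an added example, not tomcatjss code; it assumes the server.xml sslRangeCiphers syntax of comma-separated "+name" / "-name" tokens, and the map contents below are constructed from the names quoted in this bug.

```python
# Added example (not tomcatjss code): flag cipher names in a tomcatjss-style
# sslRangeCiphers string that a given cipherMap does not recognise, i.e. the
# names the server would otherwise report as unsupported/not recognized.
import re

# Constructed from the bug description: in eccCipherMap but missing from
# cipherMap before the fix, and the names that had to be added to cipherMap.
ECC_ONLY_BEFORE_FIX = {
    "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
}
ADDED_TO_CIPHER_MAP = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
}
# Constructed, minimal pre-fix cipherMap (the RSA cipher seen in the
# verifier's handshake log plus one more); the post-fix map adds the rest.
CIPHER_MAP_BEFORE = {"TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"}
CIPHER_MAP_AFTER = CIPHER_MAP_BEFORE | ECC_ONLY_BEFORE_FIX | ADDED_TO_CIPHER_MAP


def parse_range_ciphers(spec):
    """Split '+A,-B,C' into (enabled, disabled) name sets; bare names enable."""
    enabled, disabled = set(), set()
    for tok in re.split(r"[,\s]+", spec.strip()):
        if not tok:
            continue
        if tok[0] == "-":
            disabled.add(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled, disabled


def unrecognised(spec, cipher_map):
    """Names in the spec (enabled or disabled) that the map cannot resolve."""
    enabled, disabled = parse_range_ciphers(spec)
    return sorted((enabled | disabled) - cipher_map)


# Constructed sample Connector setting using names from this bug.
SAMPLE_SPEC = ("+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,"
               "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA")

if __name__ == "__main__":
    for label, cmap in (("before fix", CIPHER_MAP_BEFORE), ("after fix", CIPHER_MAP_AFTER)):
        print(label, unrecognised(SAMPLE_SPEC, cmap))
```

Run against the pre-fix map the two ECDH/DHE names are reported; against the post-fix map the list is empty, which is the same outcome the journalctl check above confirms.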

Comment 14 Fedora Update System 2016-09-23 00:24:51 UTC
tomcatjss-7.1.4-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2016-11-04 06:35:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2446.html