Bug 1460040
| Summary: | Comply with ASF trademark rules | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matthew Harmsen <mharmsen> |
| Component: | tomcatjss | Assignee: | Matthew Harmsen <mharmsen> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.4 | CC: | alee, cfu, edewata, extras-qa, kwright, lmiksik, mharmsen, ssidhaye |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | tomcatjss-7.2.1-6.el7 | Doc Type: | Bug Fix |
| Doc Text: |
Cause:
JSS for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS was not compliant with ASF trademark rules outlined in http://tomcat.apache.org/legal.html.
Consequence:
The Apache Tomcat organization insisted that we become compliant with ASF trademark rules.
Fix:
We made all the agreed upon changes to the README and the spec file so that all information displayed to a user would be in compliance with the ASF trademark rules.
Result:
JSS for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS is now in compliance with ASF trademark rules.
|
Story Points: | --- |
| Clone Of: | 1460037 | Environment: | |
| Last Closed: | 2017-08-01 21:09:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1460037 | ||
| Bug Blocks: | |||
|
Description
Matthew Harmsen
2017-06-08 21:58:54 UTC
[root@csqa4-guest01 ~]# rpm -qi tomcatjss
Name : tomcatjss
Version : 7.2.1
Release : 6.el7
Architecture: noarch
Install Date: Sunday 18 June 2017 11:40:57 PM EDT
Group : System Environment/Libraries
Size : 51869
License : LGPLv2+
Signature : (none)
Source RPM : tomcatjss-7.2.1-6.el7.src.rpm
Build Date : Tuesday 13 June 2017 11:21:42 AM EDT
Build Host : x86-020.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor : Red Hat, Inc.
URL : http://pki.fedoraproject.org/
Summary : JSS Connector for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS
Description :
JSS Connector for Apache Tomcat, installed via the tomcatjss package,
is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that
uses Java Security Services (JSS), a Java interface to Network Security
Services (NSS).
NOTE: The 'tomcatjss' package conflicts with the 'tomcat-native' package
because it uses an underlying NSS security model rather than the
OpenSSL security model, so these two packages may not co-exist.

The spec file changes are in line with the comments above. However, some of the contents of the README file are not in line with the above comments, especially the text mentioned for sslOptions, ssl2Ciphers, etc.

Here is what I see in the README from the SRPM:

tomcatjss, a JSSE module for Tomcat that uses JSS, a Java interface to Network Security Services(NSS).
tomcatjss defines a number of attributes for a Connector including:
clientauth: specify if client authentication is required in the connector (or port), it can be true or false. If true then client authentication is required.
sslOptions: specify a comma-delimited list of ssl options to pass into the ssl implementation. Each option takes the form of: option=[true|false]. tomcatjss supports the options: ssl2, ssl3, tls.
ssl2Ciphers: specify a list of SSL2 ciphers that tomcatjss should accept or reject from the client. You can use + to denote "accept", - means "reject".
ssl3Ciphers: specifies a list of SSL3 ciphers that tomcatjss should accept or reject from the client. You can use + to denote "accept", - means "reject".
tlsCiphers: specifies a list of TLS ciphers that tomcatjss should accept or reject from the client. You can use + to denote "accept", - means "reject".
serverCertNickFile: a file in which specify the nickname of the server certificate. The file should contain a single line that contains the nickname.
passwordFile: specify a file in which a password that is required to access NSS's security database. Each entry in the file needs to appear on its own line and has the form: token_name=password
certdbDir: specify the directory the NSS security database resides in.
passwordClass: specify the class that will be used to read the password.
sslProtocol: needs to be SSL
sslImplementationName: MUST be org.apache.tomcat.util.net.jss.JSSImplementation in order to use the plugin

Here is an example of a secure connector:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
    keyStoreType="PKCS11"
    maxHttpHeaderSize="8192"
    acceptCount="100" maxThreads="150" minSpareThreads="25"
    enableLookups="false" disableUploadTimeout="true"
    sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
    enableOCSP="false"
    ocspResponderURL="http://pkilinux.sjc.redhat.com:9080/ca/ocsp"
    ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
    ocspCacheSize="1000"
    ocspMinCacheEntryDuration="60"
    ocspMaxCacheEntryDuration="120"
    ocspTimeout="10"
    strictCiphers="false"
    clientAuth="agent"
    clientauth="agent"
    sslOptions="ssl2=true,ssl3=true,tls=true"
    ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
    ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
    tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
    serverCertNickFile="/var/lib/pki/redhat.com-foobar/conf/serverCertNick.conf"
    passwordFile="/var/lib/pki/redhat.com-foobar/conf/password.conf"
    passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
    certdbDir="/var/lib/pki/redhat.com-foobar/alias" />

If this is OK for now I can mark this bug as verified, but I need to confirm this before doing that.

Sumedh,

Since you are looking at the tarball inside the SRPM without any patches applied, you are seeing the original text, since RHEL 7.4 only allowed us to re-base tarballs up to a set date; after that point, all changes must be applied via patches which are applied to the fixed tarball.

The changes to the README are enclosed in the patch entitled "tomcatjss-Comply-with-ASF-trademark-rules.patch" and are applied appropriately to "tomcatjss-7.2.1-6.el7.noarch.rpm".

Hence, to see the changes in the consumed RPM:

# rpm -qlp tomcatjss-7.2.1-6.el7.noarch.rpm
/usr/share/doc/tomcatjss-7.2.1
/usr/share/doc/tomcatjss-7.2.1/LICENSE
/usr/share/doc/tomcatjss-7.2.1/README
/usr/share/java/tomcatjss-7.2.1.jar
/usr/share/java/tomcatjss.jar

If you view "/usr/share/doc/tomcatjss-7.2.1/README" you should see all of the changes documented above.

-- Matt

Thank you Matt.
1. tomcatjss.spec file has following summary:
Summary: JSS Connector for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS
2. tomcatjss.spec has following description:
%description
JSS Connector for Apache Tomcat, installed via the tomcatjss package,
is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that
uses Java Security Services (JSS), a Java interface to Network Security
Services (NSS).
NOTE: The 'tomcatjss' package conflicts with the 'tomcat-native' package
because it uses an underlying NSS security model rather than the
OpenSSL security model, so these two packages may not co-exist.
3. tomcatjss.spec file %changelog has following changes:
- Bugzilla Bug #1344804 - Build failure on RHEL 7.3
(patch for Bugzilla Bug #1245786 - Build failure on F23 was backported to
RHEL 7 to coincide with Apache Tomcat version change to 7.0.68+)
- Bugzilla Bug #1198450 - Support for Apache Tomcat 8
- Bugzilla Bug #871171 - Provide Apache Tomcat support for TLS v1.1 and
TLS v1.2
https://pagure.io/dogtagpki/issue/283 has the changes:
Dogtag 10: Integrate Apache Tomcat 6 'tomcatjss.jar' and Apache Tomcat 7 'tomcat7jss.jar' in Fedora 18 tomcatjss package
4. README file:
# rpm -qlp tomcatjss-7.2.1-6.el7.noarch.rpm
/usr/share/doc/tomcatjss-7.2.1
/usr/share/doc/tomcatjss-7.2.1/LICENSE
/usr/share/doc/tomcatjss-7.2.1/README
/usr/share/java/tomcatjss-7.2.1.jar
/usr/share/java/tomcatjss.jar
File /usr/share/doc/tomcatjss-7.2.1/README has all the changes for ASF requirement.
JSS Connector for Apache Tomcat, installed via the tomcatjss package,
is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that
uses Java Security Services (JSS), a Java interface to Network Security
Services (NSS).
JSS Connector for Apache Tomcat defines a number of attributes for a Connector
including:
sslOptions: specify a comma-delimited list of ssl options to pass into the ssl
implementation. Each option takes the form of: option=[true|false].
JSS Connector for Apache Tomcat supports the options: ssl2, ssl3, tls.
ssl2Ciphers: specify a list of SSL2 ciphers that JSS Connector for
Apache Tomcat should accept or reject from the client. You can use + to
denote "accept", - means "reject"
ssl3Ciphers: specifies a list of SSL3 ciphers that JSS Connector for
Apache Tomcat should accept or reject from the client. You can use + to
denote "accept", - means "reject".
tlsCiphers: specifies a list of TLS ciphers that JSS Connector for
Apache Tomcat should accept or reject from the client. You can use + to
denote "accept", - means "reject".
Marking the bug verified.
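
The README text quoted in this bug describes two small formats: sslOptions as comma-delimited option=[true|false] pairs, and the cipher attributes as lists where + means accept and - means reject. The following is an added example, not code from tomcatjss or from this bug report, that parses both and reports which legacy protocols and weak ciphers a connector actually accepts; the sample connector is constructed, the weak-cipher markers are an assumed audit policy, and raising an error on malformed entries is a choice made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a shortened connector using the README's attribute names.
SAMPLE_CONNECTOR = '''<Connector port="8443" SSLEnabled="true"
    sslOptions="ssl2=true,ssl3=true,tls=true"
    ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5"
    ssl3Ciphers="+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_WITH_NULL_MD5,+SSL3_RSA_WITH_DES_CBC_SHA"
    tlsCiphers="+TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" />'''

# Assumption: audit policy chosen for this example, not defined by tomcatjss.
WEAK_MARKERS = ("_RC4_", "_NULL_", "_EXPORT", "_DES_CBC_", "_RC2_")
LEGACY_PROTOCOLS = ("ssl2", "ssl3")

def parse_ssl_options(value):
    """Parse 'option=[true|false]' pairs, comma-delimited, into {option: bool}."""
    options = {}
    for item in filter(None, (p.strip() for p in value.split(","))):
        name, sep, flag = item.partition("=")
        flag = flag.strip().lower()
        if not sep or flag not in ("true", "false"):
            raise ValueError(f"malformed sslOptions entry: {item!r}")
        options[name.strip()] = flag == "true"
    return options

def parse_cipher_list(value):
    """Split a '+NAME,-NAME' list into (accepted, rejected) cipher names."""
    accepted, rejected = [], []
    for item in filter(None, (p.strip() for p in value.split(","))):
        if item[0] == "+":
            accepted.append(item[1:])
        elif item[0] == "-":
            rejected.append(item[1:])
        else:
            raise ValueError(f"cipher without +/- prefix: {item!r}")
    return accepted, rejected

def audit_connector(xml_text):
    """Return findings for enabled legacy protocols and accepted weak ciphers."""
    conn = ET.fromstring(xml_text)
    options = parse_ssl_options(conn.get("sslOptions", ""))
    findings = [f"sslOptions enables {p}" for p in LEGACY_PROTOCOLS if options.get(p)]
    for attr in ("ssl2Ciphers", "ssl3Ciphers", "tlsCiphers"):
        accepted, _ = parse_cipher_list(conn.get(attr, ""))
        findings += [f"{attr} accepts {name}" for name in accepted
                     if any(marker in name for marker in WEAK_MARKERS)]
    return findings
```

Only + entries count as findings, so a weak cipher that is listed with - is reported as nothing.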
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:2079