Bug 1554056

Summary: JSS: Add support for TLS_*_SHA384 ciphers
Product: Red Hat Enterprise Linux 7
Reporter: Matthew Harmsen <mharmsen>
Component: jss
Assignee: Christina Fu <cfu>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: urgent
Priority: urgent
Version: 7.6
CC: aakkiang, akahat, cfu, jmagne, msauton, rhcs-maint
Target Milestone: rc
Keywords: ZStream
Hardware: All
OS: Linux
Fixed In Version: jss-4.4.4-3.el7
Doc Type: No Doc Update
Doc Text: See Doc Text in BZ#1596552.
Clone Of: 1554055
Last Closed: 2018-10-30 11:00:36 UTC
Type: Bug
Bug Depends On: 1550786, 1554055
Bug Blocks: 1554058, 1596552
Attachments: This patch adds support to TLS_*_SHA384 ciphers (flags: jmagne: review+)

Comment 2 Matthew Harmsen 2018-03-11 05:26:04 UTC
It was determined that certain SHA384 FIPS ciphers should be enabled by default for RSA:

    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_256_GCM_SHA384

and the following SHA384 FIPS ciphers should be enabled by default for ECC:

    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Reference:  Bug 1554055 - Permit certain SHA384 FIPS ciphers to be enabled by default for RSA and ECC . . .
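
An added example (not part of the bug report or the JSS patch): one way to audit an enabled-suite list against the defaults named in Comment 2 for a given certificate type. The function names and the sample list are assumptions made for illustration, and the parser accepts only AES suite names ending in SHA256 or SHA384.

```python
import re

# The six suites named in Comment 2, grouped by certificate type as the comment groups them.
SHA384_DEFAULTS = {
    "RSA": [
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
    ],
    "ECC": [
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    ],
}
_SUITE = re.compile(
    r"^TLS_(?:(DHE|ECDHE)_)?(RSA|ECDSA)_WITH_(AES_\d+)_(CBC|GCM)_(SHA256|SHA384)$")

def parse_suite(name):
    """Split a suite name into its properties; raises ValueError on other name shapes."""
    m = _SUITE.match(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name}")
    kx, auth, _cipher, mode, digest = m.groups()
    return {
        "key_exchange": kx or "RSA",        # no DHE/ECDHE prefix means RSA key transport
        "cert_type": "ECC" if auth == "ECDSA" else "RSA",
        "forward_secrecy": kx is not None,  # only ephemeral (EC)DH provides it
        "aead": mode == "GCM",              # CBC suites use a separate HMAC instead
        "digest": digest,
    }

def audit(cert_type, enabled):
    """Compare an enabled-suite list with the Comment 2 defaults for one certificate type."""
    parsed = {s: parse_suite(s) for s in enabled}
    return {
        "missing": [s for s in SHA384_DEFAULTS[cert_type] if s not in parsed],
        "wrong_cert_type": [s for s, p in parsed.items() if p["cert_type"] != cert_type],
        "no_forward_secrecy": [s for s, p in parsed.items() if not p["forward_secrecy"]],
    }

# Constructed sample: a hypothetical enabled-suite list for a server with an RSA certificate.
SAMPLE_ENABLED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
]
```

Calling `audit("RSA", SAMPLE_ENABLED)` reports the two RSA defaults absent from the sample, the ECDSA suite that an RSA certificate cannot serve, and the one suite that uses RSA key transport.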

Comment 4 Christina Fu 2018-06-29 00:49:06 UTC
Created attachment 1455410
This patch adds support to TLS_*_SHA384 ciphers

This patch adds support to TLS_*_SHA384 ciphers.

It also adds an optional test for specific ciphers in tests/SSLClientAuth.java.

Comment 5 Jack Magne 2018-06-29 01:25:37 UTC
Comment on attachment 1455410
This patch adds support to TLS_*_SHA384 ciphers

Looks good and everything makes sense. Also there is some new test code.

Comment 6 Christina Fu 2018-06-29 01:30:31 UTC
commit 82f4b9a032f942fdc005e12a408c8e87c9ea0f36 (HEAD -> JSS_4_4_BRANCH)
Author: Christina Fu <cfu>
Date:   Thu Jun 28 17:42:36 2018 -0700

    Ticket #4 Add support for TLS_*_SHA384 ciphers
    
    This patch adds support for TLS_*_SHA384 ciphers.
    
    Fixes https://pagure.io/jss/issue/4

Comment 7 Christina Fu 2018-06-29 01:35:46 UTC
Test procedure:

Follow the instructions in testSpecificCiphers() of
jss/org/mozilla/jss/tests/SSLClientAuth.java

Compile and test per the instructions in
jss/README

Comment 10 Amol K 2018-08-17 09:11:11 UTC
I tested this Bugzilla on the version: 10.5.9-5.el7

To test this Bugzilla I followed the steps which I used to verify Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1596769#

It is working as expected.

Verifying this Bugzilla

Comment 11 Amol K 2018-08-17 09:12:37 UTC
Steps used to verify this BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1596769#c11

Comment 13 errata-xmlrpc 2018-10-30 11:00:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3188