Bug 1596769

Summary: Tomcatjss: Add support for TLS_*_SHA384 ciphers
Product: Red Hat Enterprise Linux 7 Reporter: Christina Fu <cfu>
Component: tomcatjssAssignee: Christina Fu <cfu>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.6CC: akahat, ekeck, jmagne, mharmsen, nsoman, salmy, toneata
Target Milestone: rcKeywords: TestCaseProvided, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcatjss-7.2.1-7.el7 Doc Type: No Doc Update
Doc Text:
Previously documented for RHEL 7.5.z Batch Update 3 in https://bugzilla.redhat.com/show_bug.cgi?id=1597180
Story Points: ---
Clone Of:
: 1597180 (view as bug list) Environment:
Last Closed: 2018-10-30 11:48:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1596552    
Bug Blocks: 1597180    
Attachments:
Description Flags
patch to support TLS_*_SHA384 ciphers; patch was against tomcatjss 7.2 jmagne: review+

Description Christina Fu 2018-06-29 16:57:36 UTC
Now that NSS supports the TLS_*_SHA384 ciphers, and JSS is due to support them:
https://pagure.io/jss/issue/4
tomcatjss should too in order for RHCS to support them.

Comment 4 Christina Fu 2018-06-29 22:12:23 UTC
Created attachment 1455581 [details]
patch to support TLS_*_SHA384 ciphers; patch was against tomcatjss 7.2

Comment 5 Christina Fu 2018-06-29 23:06:53 UTC
commit 1970d6bf47e4ce3a43de370ada5c3e882d7a7cb0 (HEAD -> TOMCATJSS_7_2_BRANCH, origin/TOMCATJSS_7_2_BRANCH)
Author: Christina Fu <cfu>
Date:   Fri Jun 29 15:04:43 2018 -0700

    Ticket #11 Add support for TLS_*_SHA384 ciphers
    
    This patch adds support for TLS_*_SHA384 ciphers which NSS now supports.
    
    fixes: https://pagure.io/tomcatjss/issue/11

Comment 6 Christina Fu 2018-06-29 23:51:07 UTC
Test procedure:

First, make sure you have the newest JSS that contains the fix to
https://bugzilla.redhat.com/show_bug.cgi?id=1596552

Test Goal is to make sure that the new ciphers have been added.

The following is what I did (of course there are other ways):

* I have an ECC CA;  shut it down
* I changed server.xml so that all ciphers are stripped; then
   -  add TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
   - add debug="true"
* start the CA
* check /tmp/tomcatjss.log
  I find 
2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: setting: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: 0xc024
[29/Jun/2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: done setting: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: 0xc024
[29/Jun/2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: setting: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 0xc02c
[29/Jun/2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: done setting: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 0xc02c
* then I connected to it via browser, both ee and agent worked.
* Then just to be safe, I ran ssltap and observed that TLS/ECDHE-ECDSA/AES256-GCM/SHA384 was being picked as the connection.

You should also setup an RSA CA and try the RSA ciphers. I did not do that myself.  The ones you want to test are TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

For reference.  The new ciphers added are:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (don't test this one; it's for DSA keys)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Comment 11 Amol K 2018-08-17 09:06:37 UTC
I tested this Bugzilla on the version: 10.5.9-5.el7

As steps mentioned in the comment #6, I set up the ECC CA and RSA CA.

- Setup the Algorithms for both ECC CA and RSA CA.
- I visited the ECC CA Agent page, EE page and it worked.
- I visited the RSA CA Agent page, EE page and it worked.

Nmap algorithm scan output:
ECC CA:

# nmap -sV --script ssl-enum-ciphers -p 20443 pki1.example.com                                                                                                  

PORT      STATE SERVICE  VERSION
20443/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (prime256v1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (prime256v1) - A


RSA CA:

# nmap -sV --script ssl-enum-ciphers -p 20443 pki1.example.com
                                                                            
PORT      STATE SERVICE  VERSION
20443/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A


Verifying this Bugzilla

Comment 13 errata-xmlrpc 2018-10-30 11:48:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3310