Bug 1596769
Summary: | Tomcatjss: Add support for TLS_*_SHA384 ciphers | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Christina Fu <cfu> | ||||
Component: | tomcatjss | Assignee: | Christina Fu <cfu> | ||||
Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> | ||||
Severity: | urgent | Docs Contact: | |||||
Priority: | urgent | ||||||
Version: | 7.6 | CC: | akahat, ekeck, jmagne, mharmsen, nsoman, salmy, toneata | ||||
Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | tomcatjss-7.2.1-7.el7 | Doc Type: | No Doc Update | ||||
Doc Text: |
Previously documented for RHEL 7.5.z Batch Update 3 in https://bugzilla.redhat.com/show_bug.cgi?id=1597180
|
Story Points: | --- | ||||
Clone Of: | |||||||
: | 1597180 (view as bug list) | Environment: | |||||
Last Closed: | 2018-10-30 11:48:01 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 1596552 | ||||||
Bug Blocks: | 1597180 | ||||||
Attachments: |
|
Description
Christina Fu
2018-06-29 16:57:36 UTC
Created attachment 1455581 [details]
patch to support TLS_*_SHA384 ciphers; patch was against tomcatjss 7.2
commit 1970d6bf47e4ce3a43de370ada5c3e882d7a7cb0 (HEAD -> TOMCATJSS_7_2_BRANCH, origin/TOMCATJSS_7_2_BRANCH) Author: Christina Fu <cfu> Date: Fri Jun 29 15:04:43 2018 -0700 Ticket #11 Add support for TLS_*_SHA384 ciphers This patch adds support for TLS_*_SHA384 ciphers which NSS now supports. fixes: https://pagure.io/tomcatjss/issue/11 Test procedure: First, make sure you have the newest JSS that contains the fix to https://bugzilla.redhat.com/show_bug.cgi?id=1596552 Test Goal is to make sure that the new ciphers have been added. The following is what I did (of course there are other ways): * I have an ECC CA; shut it down * I changed server.xml so that all ciphers are stripped; then - add TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - add debug="true" * start the CA * check /tmp/tomcatjss.log I find 2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: setting: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: 0xc024 [29/Jun/2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: done setting: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: 0xc024 [29/Jun/2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: setting: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 0xc02c [29/Jun/2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: done setting: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 0xc02c * then I connected to it via browser, both ee and agent worked. * Then just to be safe, I ran ssltap and observed that TLS/ECDHE-ECDSA/AES256-GCM/SHA384 was being picked as the connection. You should also setup an RSA CA and try the RSA ciphers. I did not do that myself. The ones you want to test are TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 For reference. The new ciphers added are: TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (don't test this one; it's for DSA keys) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 I tested this Bugzilla on the version: 10.5.9-5.el7 As steps mentioned in the comment #6, I set up the ECC CA and RSA CA. - Setup the Algorithms for both ECC CA and RSA CA. - I visited the ECC CA Agent page, EE page and it worked. - I visited the RSA CA Agent page, EE page and it worked. Nmap algorithm scan output: ECC CA: # nmap -sV --script ssl-enum-ciphers -p 20443 pki1.example.com PORT STATE SERVICE VERSION 20443/tcp open ssl/http Apache Tomcat/Coyote JSP engine 1.1 |_http-server-header: Apache-Coyote/1.1 | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (prime256v1) - A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (prime256v1) - A RSA CA: # nmap -sV --script ssl-enum-ciphers -p 20443 pki1.example.com PORT STATE SERVICE VERSION 20443/tcp open ssl/http Apache Tomcat/Coyote JSP engine 1.1 |_http-server-header: Apache-Coyote/1.1 | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A Verifying this Bugzilla Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3310 |