Bug 1597180

Summary: Tomcatjss: Add support for TLS_*_SHA384 ciphers [rhel-7.5.z]
Product: Red Hat Enterprise Linux 7 Reporter: Oneata Mircea Teodor <toneata>
Component: tomcatjssAssignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: urgent    
Version: 7.6CC: akahat, cfu, ekeck, jmagne, mharmsen, mthacker, nsoman, salmy, toneata
Target Milestone: rcKeywords: FutureFeature, TestCaseProvided, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcatjss-7.2.1-7.el7_5 Doc Type: Enhancement
Doc Text:
This update adds support for TLS_*_SHA384 ciphers to TomcatJSS.
 Story Points: ---
Clone Of: 1596769 Environment:
Last Closed: 2018-08-16 14:20:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1596769    
Bug Blocks:    

Description Oneata Mircea Teodor 2018-07-02 08:11:50 UTC 
This bug has been copied from bug #1596769 and has been proposed to be backported to 7.5 z-stream (EUS).
Comment 2 Matthew Harmsen 2018-07-02 16:09:19 UTC 
QE Verification Procedure:

* see https://bugzilla.redhat.com/show_bug.cgi?id=1596769#c6
Comment 6 Amol K 2018-07-23 12:49:02 UTC 
I tested this Bugzilla on 10.5.1-14.el7_5 version. 

(In reply to Matthew Harmsen from comment #2)
> QE Verification Procedure:
>
> * see https://bugzilla.redhat.com/show_bug.cgi?id=1596769#c6

I tried the above steps, and it works as expected.

Steps which I tried:

1. ECC CA: 
 1. Stoped CA.
 2. Modify the ciphers. Start CA.
 3. Able to reach the CA Agent and EE page.
 4. I could see that the specified algorithm in the server.xml is used for the communication. 
 For ECC I use: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Wireshark Output:
```
# tshark -r /tmp/csqa_4_2.pcap -Y "ssl.handshake && frame.number==6" -T pdml | grep 'ssl.handshake.ciphersuite'
        <field name="ssl.handshake.ciphersuite" showname="Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)" size="2" pos="142" show="49196" value="c02c"/>
```

2. RSA CA:
 1. Stoped CA.
 2. Modify the ciphers. Start CA.
 3. Able to reach the CA Agent and EE page.
 4. I could see that the specified algorithm in the server.xml is used for the communication. 
 For RSA I use: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384


Wireshark Output: 
```
# tshark -r /tmp/csqa_4_7.pcap -Y "ssl.handshake && frame.number==18" -T pdml | grep 'ssl.handshake.ciphersuite'
        <field name="ssl.handshake.ciphersuite" showname="Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)" size="2" pos="142" show="49200" value="c030"/>

```


Verifying this Bugzilla.
Comment 8 errata-xmlrpc 2018-08-16 14:20:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2455