Created attachment 991464
Patch to fix TLS issues
[root@ipaqa64vmh tmp]# rpm -qi tomcatjss
Name        : tomcatjss                    Relocations: (not relocatable)
Version     : 2.1.0                             Vendor: Red Hat, Inc.
Release     : 4.el6                         Build Date: Sat 14 Feb 2015 10:58:41 AM EST
Install Date: Thu 09 Apr 2015 12:46:30 PM EDT  Build Host: x86-026.build.eng.bos.redhat.com
Group       : System Environment/Libraries  Source RPM: tomcatjss-2.1.0-4.el6.src.rpm
Size        : 46787                            License: LGPLv2+
Signature   : RSA/8, Wed 04 Mar 2015 07:34:24 AM EST, Key ID 938a80caf21541eb
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://pki.fedoraproject.org/
Summary     : JSSE implementation using JSS for Tomcat
Verification steps as described in https://bugzilla.redhat.com/show_bug.cgi?id=871171#c41. The setupssl2.sh script needed a modification, remove the following lines:
"<nhosoi> rpattath, on rhel-6.7, 389-ds-base enables TLS1.0 and newer by default."
Additional tests were performed as follows:
1. curl -E "CA_agent:276347752307" --basic -d "serialNumber=0x06" -k "https://<ca-host>:9443/ca/agent/ca/displayBySerial"
9443 is the secure port and the information about the cert was displayed.
Executed the same curl request with ssltap port 1924 when ssltap was running (ssltap -sxl <cs host>:<ca https port>)
2. Tested higher range of TLS
3. Also executed HttpClient -> CA as explained in https://bugzilla.redhat.com/show_bug.cgi?id=1040640#c5
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.