1203407 – tomcatjss: missing ciphers

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1203407 - tomcatjss: missing ciphers

Summary: tomcatjss: missing ciphers

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	tomcatjss
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	7.3
Assignee:	Christina Fu
QA Contact:	Asha Akkiangady
Docs Contact:
URL:
Whiteboard:
Depends On:	1203404
Blocks:
TreeView+	depends on / blocked

Reported:	2015-03-18 18:39 UTC by Christina Fu
Modified:	2016-11-04 06:35 UTC (History)
CC List:	11 users (show)
Fixed In Version:	tomcatjss-7.1.2-3.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1203404
Environment:
Last Closed:	2016-11-04 06:35:39 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2446	0	normal	SHIPPED_LIVE	tomcatjss bug fix update	2016-11-03 14:03:18 UTC

Description Christina Fu 2015-03-18 18:39:08 UTC

+++ This bug was initially created as a clone of Bug #1203404 +++

Description of problem:

It appears that tomcatjss have a few missing ciphers.

in eccCipherMap, but missing in cipherMap: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

need to add to cipherMap: TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Nathan Kinder 2015-03-26 18:32:55 UTC

This results in annoying error messages in the tomcat error log for IPA.  This is a simple fix, so we should address it for RHEL 7.2.

Comment 4 Matthew Harmsen 2016-01-07 02:16:33 UTC

Per discussions in the RHEL 7.3 Triage meeting of 01/06/2016: priority medium

Comment 7 Christina Fu 2016-06-30 22:49:47 UTC

tomcatjss has not yet been built.  This is just for the record for changes on the Dogtag side:
Pushed to master

commit f0ad71e8a4fbae665a6b4875cce5b82895ad74f0
Author: Christina Fu <cfu>
Date:   Thu Jun 30 15:01:42 2016 -0700

    Bugzilla #1203407 tomcatjss: missing ciphers
    
    This patch removes references to the ciphers currently unsupported by NSS:
        TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
        TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256

Comment 9 Fedora Update System 2016-07-05 22:08:59 UTC

tomcatjss-7.1.4-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-167163e928

Comment 10 Fedora Update System 2016-07-10 16:01:23 UTC

tomcatjss-7.1.4-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-167163e928

Comment 11 Roshni 2016-08-09 19:55:40 UTC

[root@auto-hv-02-guest02 ~]# rpm -q tomcatjss
tomcatjss-7.1.2-3.el7.noarch

The ciphers specified in the bug description exist in server.xml. Seeing the following log messages in ipaserver-install.log

2016-08-09T19:28:10Z DEBUG Connecting: 10.19.34.7:0
2016-08-09T19:28:10Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2016-08-09T19:28:10Z DEBUG cert valid True for "CN=auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com,O=IDMQE.LAB.ENG.BOS.REDHAT.COM"
2016-08-09T19:28:10Z DEBUG handshake complete, peer = 10.19.34.7:8443
2016-08-09T19:28:10Z DEBUG Protocol: TLS1.2
2016-08-09T19:28:10Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
2016-08-09T19:28:10Z DEBUG response status 500
2016-08-09T19:28:10Z DEBUG response headers {'content-length': '6208', 'content-language': 'en', 'server': 'Apache-Coyote/1.1', 'connection': 'close', 'date': 'Tue, 09 Aug 2016 19:28:09 GMT', 'content-type': 'text/html;charset=utf-8'}
2016-08-09T19:28:10Z DEBUG response body '<html><head><title>Apache Tomcat/7.0.69 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/x-www-form-urlencoded</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/x-www-form-urlencoded</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.jboss.resteasy.spi.UnhandledException: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/x-www-form-urlencoded\n\torg.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:157)\n\torg.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)\n\torg.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)\n\torg.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)\n\torg.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)\n\torg.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)\n\tjavax.servlet.http.HttpServlet.service(HttpServlet.java:731)\n\tsun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)\n\tsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tjava.lang.reflect.Method.invoke(Method.java:498)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)\n\tjava.security.AccessController.doPrivileged(Native Method)\n\tjavax.security.auth.Subject.doAsPrivileged(Subject.java:549)\n\torg.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)\n\torg.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)\n\tjava.security.AccessController.doPrivileged(Native Method)\n\torg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\n\tsun.reflect.GeneratedMethodAccessor42.invoke(Unknown Source)\n\tsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tjava.lang.reflect.Method.invoke(Method.java:498)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)\n\tjava.security.AccessController.doPrivileged(Native Method)\n\tjavax.security.auth.Subject.doAsPrivileged(Subject.java:549)\n\torg.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)\n\torg.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)\n</pre></p><p><b>root cause</b> <pre>org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/x-www-form-urlencoded\n\torg.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:67)\n\torg.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:153)\n\torg.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)\n\torg.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)\n\torg.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)\n\torg.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)\n\torg.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)\n\tjavax.servlet.http.HttpServlet.service(HttpServlet.java:731)\n\tsun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)\n\tsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tjava.lang.reflect.Method.invoke(Method.java:498)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)\n\tjava.security.AccessController.doPrivileged(Native Method)\n\tjavax.security.auth.Subject.doAsPrivileged(Subject.java:549)\n\torg.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)\n\torg.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)\n\tjava.security.AccessController.doPrivileged(Native Method)\n\torg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\n\tsun.reflect.GeneratedMethodAccessor42.invoke(Unknown Source)\n\tsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tjava.lang.reflect.Method.invoke(Method.java:498)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)\n\tjava.security.AccessController.doPrivileged(Native Method)\n\tjavax.security.auth.Subject.doAsPrivileged(Subject.java:549)\n\torg.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)\n\torg.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)\n</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/7.0.69 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.69</h3></body></html>'
2016-08-09T19:28:10Z DEBUG Failed to enable profile '%s' (it is probably already enabled)
2016-08-09T19:28:10Z DEBUG request GET https://auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com:8443/ca/rest/account/logout
2016-08-09T19:28:10Z DEBUG request body ''

Comment 12 Christina Fu 2016-08-09 23:34:25 UTC

For QE:
I thought I put this info down somewhere, but can't seem to find it.  Before this fix, when you start the CS server, you would find something like 
"cipher.... unsupported by NSS " in journalctl.

With this patch, you should not see it.
You can install an earlier tomcatjss version to see the difference.

Comment 13 Roshni 2016-08-10 19:09:52 UTC

[root@bkr-hv03-guest35 ~]# rpm -qi tomcatjss
Name        : tomcatjss
Version     : 7.1.2
Release     : 3.el7
Architecture: noarch
Install Date: Wed 10 Aug 2016 02:24:37 PM EDT
Group       : System Environment/Libraries
Size        : 49750
License     : LGPLv2+
Signature   : RSA/SHA256, Wed 27 Jul 2016 12:24:08 PM EDT, Key ID 938a80caf21541eb
Source RPM  : tomcatjss-7.1.2-3.el7.src.rpm
Build Date  : Tue 05 Jul 2016 01:59:11 PM EDT
Build Host  : x86-037.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : JSSE implementation using JSS for Tomcat

Verification steps:

1. ipa-server-install
Do not see the message "<cipher> not recognized by tomcatjss" in jornalctl

Comment 14 Fedora Update System 2016-09-23 00:24:51 UTC

tomcatjss-7.1.4-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2016-11-04 06:35:39 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2446.html

Note You need to log in before you can comment on or make changes to this bug.