1596769 – Tomcatjss: Add support for TLS_*_SHA384 ciphers

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1596769 - Tomcatjss: Add support for TLS_*_SHA384 ciphers

Summary: Tomcatjss: Add support for TLS_*_SHA384 ciphers

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	tomcatjss
Sub Component:
Version:	7.6
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Christina Fu
QA Contact:	Asha Akkiangady
Docs Contact:
URL:
Whiteboard:
Depends On:	1596552
Blocks:	1597180
TreeView+	depends on / blocked

Reported:	2018-06-29 16:57 UTC by Christina Fu
Modified:	2018-10-30 11:48 UTC (History)
CC List:	7 users (show)
Fixed In Version:	tomcatjss-7.2.1-7.el7
Doc Type:	No Doc Update
Doc Text:	Previously documented for RHEL 7.5.z Batch Update 3 in https://bugzilla.redhat.com/show_bug.cgi?id=1597180
Clone Of:
Clones:	1597180 (view as bug list)
Environment:
Last Closed:	2018-10-30 11:48:01 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
*patch to support TLS__SHA384 ciphers; patch was against tomcatjss 7.2** (5.23 KB, patch) 2018-06-29 22:12 UTC, Christina Fu	jmagne: review+	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:3310	0	None	None	None	2018-10-30 11:48:09 UTC

Description Christina Fu 2018-06-29 16:57:36 UTC

Now that NSS supports the TLS_*_SHA384 ciphers, and JSS is due to support them:
https://pagure.io/jss/issue/4
tomcatjss should too in order for RHCS to support them.

Comment 4 Christina Fu 2018-06-29 22:12:23 UTC

Created attachment 1455581 [details]
patch to support TLS_*_SHA384 ciphers; patch was against tomcatjss 7.2

Comment 5 Christina Fu 2018-06-29 23:06:53 UTC

commit 1970d6bf47e4ce3a43de370ada5c3e882d7a7cb0 (HEAD -> TOMCATJSS_7_2_BRANCH, origin/TOMCATJSS_7_2_BRANCH)
Author: Christina Fu <cfu>
Date:   Fri Jun 29 15:04:43 2018 -0700

    Ticket #11 Add support for TLS_*_SHA384 ciphers
    
    This patch adds support for TLS_*_SHA384 ciphers which NSS now supports.
    
    fixes: https://pagure.io/tomcatjss/issue/11

Comment 6 Christina Fu 2018-06-29 23:51:07 UTC

Test procedure:

First, make sure you have the newest JSS that contains the fix to
https://bugzilla.redhat.com/show_bug.cgi?id=1596552

Test Goal is to make sure that the new ciphers have been added.

The following is what I did (of course there are other ways):

* I have an ECC CA;  shut it down
* I changed server.xml so that all ciphers are stripped; then
   -  add TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
   - add debug="true"
* start the CA
* check /tmp/tomcatjss.log
  I find 
2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: setting: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: 0xc024
[29/Jun/2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: done setting: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: 0xc024
[29/Jun/2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: setting: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 0xc02c
[29/Jun/2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: done setting: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 0xc02c
* then I connected to it via browser, both ee and agent worked.
* Then just to be safe, I ran ssltap and observed that TLS/ECDHE-ECDSA/AES256-GCM/SHA384 was being picked as the connection.

You should also setup an RSA CA and try the RSA ciphers. I did not do that myself.  The ones you want to test are TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

For reference.  The new ciphers added are:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (don't test this one; it's for DSA keys)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Comment 11 Amol K 2018-08-17 09:06:37 UTC

I tested this Bugzilla on the version: 10.5.9-5.el7

As steps mentioned in the comment #6, I set up the ECC CA and RSA CA.

- Setup the Algorithms for both ECC CA and RSA CA.
- I visited the ECC CA Agent page, EE page and it worked.
- I visited the RSA CA Agent page, EE page and it worked.

Nmap algorithm scan output:
ECC CA:

# nmap -sV --script ssl-enum-ciphers -p 20443 pki1.example.com                                                                                                  

PORT      STATE SERVICE  VERSION
20443/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (prime256v1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (prime256v1) - A


RSA CA:

# nmap -sV --script ssl-enum-ciphers -p 20443 pki1.example.com
                                                                            
PORT      STATE SERVICE  VERSION
20443/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A


Verifying this Bugzilla

Comment 13 errata-xmlrpc 2018-10-30 11:48:01 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3310

Note You need to log in before you can comment on or make changes to this bug.