Bug 1596769 - Tomcatjss: Add support for TLS_*_SHA384 ciphers
Summary: Tomcatjss: Add support for TLS_*_SHA384 ciphers
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: tomcatjss
Version: 7.6
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Christina Fu
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On: 1596552
Blocks: 1597180
Reported: 2018-06-29 16:57 UTC by Christina Fu
Modified: 2018-10-30 11:48 UTC

Fixed In Version: tomcatjss-7.2.1-7.el7
Doc Type: No Doc Update
Doc Text:
Previously documented for RHEL 7.5.z Batch Update 3 in https://bugzilla.redhat.com/show_bug.cgi?id=1597180
Clone Of:
: 1597180
Environment:
Last Closed: 2018-10-30 11:48:01 UTC
Target Upstream Version:


Attachments
patch to support TLS_*_SHA384 ciphers; patch was against tomcatjss 7.2 (5.23 KB, patch)
2018-06-29 22:12 UTC, Christina Fu
jmagne: review+


Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2018:3310 | None | None | None | 2018-10-30 11:48:09 UTC

Description Christina Fu 2018-06-29 16:57:36 UTC
Now that NSS supports the TLS_*_SHA384 ciphers, and JSS is due to support them:
https://pagure.io/jss/issue/4
tomcatjss should too in order for RHCS to support them.

Comment 4 Christina Fu 2018-06-29 22:12:23 UTC
Created attachment 1455581
patch to support TLS_*_SHA384 ciphers; patch was against tomcatjss 7.2

Comment 5 Christina Fu 2018-06-29 23:06:53 UTC
commit 1970d6bf47e4ce3a43de370ada5c3e882d7a7cb0 (HEAD -> TOMCATJSS_7_2_BRANCH, origin/TOMCATJSS_7_2_BRANCH)
Author: Christina Fu <cfu@redhat.com>
Date:   Fri Jun 29 15:04:43 2018 -0700

    Ticket #11 Add support for TLS_*_SHA384 ciphers
    
    This patch adds support for TLS_*_SHA384 ciphers which NSS now supports.
    
    fixes: https://pagure.io/tomcatjss/issue/11

Comment 6 Christina Fu 2018-06-29 23:51:07 UTC
Test procedure:

First, make sure you have the newest JSS that contains the fix to
https://bugzilla.redhat.com/show_bug.cgi?id=1596552

Test Goal is to make sure that the new ciphers have been added.

The following is what I did (of course there are other ways):

* I have an ECC CA; shut it down
* I changed server.xml so that all ciphers are stripped; then
   - add TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
   - add debug="true"
* start the CA
* check /tmp/tomcatjss.log
  I find:
2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: setting: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: 0xc024
[29/Jun/2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: done setting: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: 0xc024
[29/Jun/2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: setting: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 0xc02c
[29/Jun/2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: done setting: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 0xc02c
* then I connected to it via browser, both ee and agent worked.
* Then just to be safe, I ran ssltap and observed that TLS/ECDHE-ECDSA/AES256-GCM/SHA384 was being picked as the connection.

You should also set up an RSA CA and try the RSA ciphers. I did not do that myself. The ones you want to test are TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.

For reference, the new ciphers added are:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (don't test this one; it's for DSA keys)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
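
The log check from the test procedure above can be scripted. This is an added example, not part of the original comment or of tomcatjss: it pairs each "setting" line with its "done setting" line and compares the logged ID with the IANA code point. The function name, the status strings and the reading that a missing "done setting" line means the suite was not enabled are assumptions; the sample log is constructed from the lines quoted above.

```python
import re

# IANA code points for the seven suites listed in comment 6.
SHA384_SUITES = {
    "TLS_RSA_WITH_AES_256_GCM_SHA384": 0x009D,
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": 0x009F,
    "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384": 0x00A3,
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": 0xC024,
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": 0xC028,
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 0xC02C,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
}
# Line shape taken from the log excerpt in comment 6.
LINE = re.compile(r"setSSLCiphers: (done setting|setting): (\w+): (0x[0-9a-fA-F]+)")

def check_cipher_log(log_text, configured):
    """Return {cipher: status} for each cipher configured in server.xml."""
    started, done = {}, {}
    for m in LINE.finditer(log_text):
        phase, name, code = m.group(1), m.group(2), int(m.group(3), 16)
        (done if phase == "done setting" else started)[name] = code
    result = {}
    for name in configured:
        expected = SHA384_SUITES.get(name)
        if name not in started:
            result[name] = "not attempted"      # name never reached setSSLCiphers
        elif name not in done:
            # Assumption: no "done setting" line means the suite was not enabled.
            result[name] = "attempted, never completed"
        elif expected is not None and done[name] != expected:
            result[name] = "wrong id 0x%04x" % done[name]
        else:
            result[name] = "ok"
    return result

# Constructed sample: two suites complete, a third stops after "setting".
P = "[29/Jun/2018:14:46:49][main]: JSSSocketFactory setSSLCiphers: "
SAMPLE_LOG = "\n".join(P + s for s in [
    "setting: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: 0xc024",
    "done setting: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: 0xc024",
    "setting: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 0xc02c",
    "done setting: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: 0xc02c",
    "setting: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: 0xc030",
])
CONFIGURED = ["TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
              "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_GCM_SHA384"]

if __name__ == "__main__":
    for cipher, status in check_cipher_log(SAMPLE_LOG, CONFIGURED).items():
        print(f"{cipher}: {status}")
```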

Comment 11 Amol K 2018-08-17 09:06:37 UTC
I tested this Bugzilla on the version: 10.5.9-5.el7

Following the steps mentioned in comment #6, I set up the ECC CA and RSA CA.

- Set up the algorithms for both ECC CA and RSA CA.
- I visited the ECC CA Agent page, EE page and it worked.
- I visited the RSA CA Agent page, EE page and it worked.

Nmap algorithm scan output:
ECC CA:

# nmap -sV --script ssl-enum-ciphers -p 20443 pki1.example.com                                                                                                  

PORT      STATE SERVICE  VERSION
20443/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (prime256v1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (prime256v1) - A


RSA CA:

# nmap -sV --script ssl-enum-ciphers -p 20443 pki1.example.com
                                                                            
PORT      STATE SERVICE  VERSION
20443/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A


Verifying this Bugzilla
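
The nmap verification above can be turned into a repeatable check. This is an added example, not part of the original comment: it parses ssl-enum-ciphers output in the format shown above and reports suites that are missing, suites that are offered but not on the expected list, and protocol versions other than TLSv1.2 (the SHA384 suites are TLS 1.2 suites). Function names are hypothetical and the sample output is constructed.

```python
import re

# Line shapes follow the ssl-enum-ciphers output quoted in comment 11.
PROTO = re.compile(r"^\|\s+((?:TLS|SSL)v[\d.]+):\s*$")
CIPHER = re.compile(r"^\|\s+(TLS_\w+) \(([^)]*)\) - ([A-F])\s*$")

def parse_enum_ciphers(text):
    """Return {protocol: [(suite, key_exchange_info, grade), ...]}."""
    offered, proto = {}, None
    for line in text.splitlines():
        m = PROTO.match(line)
        if m:
            proto = m.group(1)
            offered[proto] = []
            continue
        m = CIPHER.match(line)
        if m and proto:
            offered[proto].append(m.groups())
    return offered

def audit(offered, expected):
    """Compare what the server offers with the suites left in server.xml."""
    seen = {name for suites in offered.values() for name, _, _ in suites}
    return {
        "missing": sorted(set(expected) - seen),
        "unexpected": sorted(seen - set(expected)),
        "other_protocols": sorted(p for p in offered if p != "TLSv1.2"),
    }

# RSA suites named in comment 6.
EXPECTED_RSA = [
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]

# Constructed sample: one expected suite absent, one legacy suite still offered.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
"""

if __name__ == "__main__":
    print(audit(parse_enum_ciphers(SAMPLE), EXPECTED_RSA))
```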

Comment 13 errata-xmlrpc 2018-10-30 11:48:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3310

