Bug 1597180 - Tomcatjss: Add support for TLS_*_SHA384 ciphers [rhel-7.5.z]
Summary: Tomcatjss: Add support for TLS_*_SHA384 ciphers [rhel-7.5.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: tomcatjss
Version: 7.6
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1596769
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-07-02 08:11 UTC by Oneata Mircea Teodor
Modified: 2018-08-16 14:20 UTC (History)
9 users (show)

Fixed In Version: tomcatjss-7.2.1-7.el7_5
Doc Type: Enhancement
Doc Text:
This update adds support for TLS_*_SHA384 ciphers to TomcatJSS.
Clone Of: 1596769
Environment:
Last Closed: 2018-08-16 14:20:15 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:2455 None None None 2018-08-16 14:20:18 UTC

Description Oneata Mircea Teodor 2018-07-02 08:11:50 UTC
This bug has been copied from bug #1596769 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 2 Matthew Harmsen 2018-07-02 16:09:19 UTC
QE Verification Procedure:

* see https://bugzilla.redhat.com/show_bug.cgi?id=1596769#c6

Comment 6 Amol K 2018-07-23 12:49:02 UTC
I tested this Bugzilla on 10.5.1-14.el7_5 version. 

(In reply to Matthew Harmsen from comment #2)
> QE Verification Procedure:
>
> * see https://bugzilla.redhat.com/show_bug.cgi?id=1596769#c6

I tried the above steps, and it works as expected.

Steps which I tried:

1. ECC CA: 
 1. Stoped CA.
 2. Modify the ciphers. Start CA.
 3. Able to reach the CA Agent and EE page.
 4. I could see that the specified algorithm in the server.xml is used for the communication. 
 For ECC I use: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Wireshark Output:
```
# tshark -r /tmp/csqa_4_2.pcap -Y "ssl.handshake && frame.number==6" -T pdml | grep 'ssl.handshake.ciphersuite'
        <field name="ssl.handshake.ciphersuite" showname="Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)" size="2" pos="142" show="49196" value="c02c"/>
```

2. RSA CA:
 1. Stoped CA.
 2. Modify the ciphers. Start CA.
 3. Able to reach the CA Agent and EE page.
 4. I could see that the specified algorithm in the server.xml is used for the communication. 
 For RSA I use: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384


Wireshark Output: 
```
# tshark -r /tmp/csqa_4_7.pcap -Y "ssl.handshake && frame.number==18" -T pdml | grep 'ssl.handshake.ciphersuite'
        <field name="ssl.handshake.ciphersuite" showname="Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)" size="2" pos="142" show="49200" value="c030"/>

```


Verifying this Bugzilla.

Comment 8 errata-xmlrpc 2018-08-16 14:20:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2455


Note You need to log in before you can comment on or make changes to this bug.