The tomcatjss patch address:
*Bug 1203407* <https://bugzilla.redhat.com/show_bug.cgi?id=1203407>
-tomcatjss: missing ciphers
2nd patch is the accompanying dogtag change to remove references to the
unsupported ciphers. There is no critical dependency of the new tomcatjss.
thanks,
Christina
diff -up src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java.cfu src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
--- src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java.cfu 2016-06-30 15:52:40.536775347 -0600
+++ src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java 2016-06-30 15:54:40.636612569 -0600
@@ -96,8 +96,12 @@ public class JSSSocketFactory implements
SSLSocket.SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA);
cipherMap.put("SSL3_RSA_WITH_DES_CBC_SHA",
SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA);
+
cipherMap.put("SSL3_RSA_WITH_3DES_EDE_CBC_SHA",
SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA);
+ // deprecated SSL3.0 names replaced by IANA-registered TLS names
+ cipherMap.put("TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+ SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA);
cipherMap.put("SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
SSLSocket.SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA);
@@ -116,14 +120,23 @@ public class JSSSocketFactory implements
SSLSocket.SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA);
cipherMap.put("SSL3_DHE_DSS_WITH_DES_CBC_SHA",
SSLSocket.SSL3_DHE_DSS_WITH_DES_CBC_SHA);
+
cipherMap.put("SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
SSLSocket.SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA);
+ // deprecated SSL3.0 names replaced by IANA-registered TLS names
+ cipherMap.put("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+ SSLSocket.SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA);
+
cipherMap.put("SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
SSLSocket.SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA);
cipherMap.put("SSL3_DHE_RSA_WITH_DES_CBC_SHA",
SSLSocket.SSL3_DHE_RSA_WITH_DES_CBC_SHA);
+
cipherMap.put("SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
SSLSocket.SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA);
+ // deprecated SSL3.0 names replaced by IANA-registered TLS names
+ cipherMap.put("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+ SSLSocket.SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA);
cipherMap.put("SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5",
SSLSocket.SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5);
@@ -257,13 +270,21 @@ public class JSSSocketFactory implements
SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256);
cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
- cipherMap.put("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
- SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256);
cipherMap.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
+/* unsupported by nss
+ cipherMap.put("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+ SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256);
cipherMap.put("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256);
+*/
+ cipherMap.put("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+ SSLSocket.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA);
+ cipherMap.put("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+ SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA);
+ cipherMap.put("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+ SSLSocket.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA);
}
private static HashMap<Integer, String> eccCipherMap = new HashMap<Integer, String>();
@@ -308,6 +329,10 @@ public class JSSSocketFactory implements
"TLS_ECDH_RSA_WITH_NULL_SHA");
eccCipherMap.put(SSLSocket.TLS_ECDH_ECDSA_WITH_NULL_SHA,
"TLS_ECDH_ECDSA_WITH_NULL_SHA");
+/* unsupported by nss
+ eccCipherMap.put(SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+ "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256");
+*/
}
private AbstractEndpoint endpoint;
@@ -393,6 +418,7 @@ public class JSSSocketFactory implements
+ ": 0x" + Integer.toHexString(cipherid) + "\n");
SSLSocket.setCipherPreferenceDefault(cipherid, state);
} catch (Exception e) {
+ System.err.println("SSLSocket.setCipherPreferenceDefault exception:" +e);
if (eccCipherMap.containsKey(cipherid)) {
System.err
.println("Warning: SSL ECC cipher \""
From c0bf4a016709d000f81df2262cb73f2a660a2a42 Mon Sep 17 00:00:00 2001
From: Christina Fu <[email protected]>
Date: Thu, 30 Jun 2016 15:01:42 -0700
Subject: [PATCH] Bugzilla #1203407 tomcatjss: missing ciphers
This patch removes references to the ciphers currently unsupported by NSS:
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
---
base/server/python/pki/server/deployment/pkiparser.py | 3 ---
base/server/share/conf/ciphers.info | 4 ++--
base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 4 ----
3 files changed, 2 insertions(+), 9 deletions(-)
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index dc5d7f636bd6a1fbbb779c917d431dadd8f2c887..d940e2c94cdbe937ba15d4d8cedc756390013aa2 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -971,7 +971,6 @@ class PKIConfigParser:
"-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \
"-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \
"-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
- "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256," + \
"+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
"-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
"-TLS_RSA_WITH_AES_128_CBC_SHA," + \
@@ -1006,8 +1005,6 @@ class PKIConfigParser:
"-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \
"-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \
"-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
- "-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \
- "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256," +\
"-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
"-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
"-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info
index 69aaeaa67cd79586c88df7cf28d641ccde5a27e2..71face58aea4d8b021451231dcc6866ff5e12e78 100644
--- a/base/server/share/conf/ciphers.info
+++ b/base/server/share/conf/ciphers.info
@@ -67,8 +67,8 @@
#
##
# For RSA servers:
- sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
+ sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
#
#
# For ECC servers:
- sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 979b047d7c76451e6c404b8b87402c880e2b0cd5..4a2558b75ac1b9dc56e840280f06d05d961934ee 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -879,12 +879,8 @@ public class CryptoUtil {
SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256);
cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
- cipherMap.put("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
- SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256);
cipherMap.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
- cipherMap.put("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
- SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256);
}
--
2.4.3
_______________________________________________
Pki-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-devel
