From 452a218890227aa08810b126db6cfc81f9195eff Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 16 2018 12:49:31 +0000
Subject: import tomcatjss-7.2.1-7.el7_5


---

diff --git a/SOURCES/tomcatjss-add-TLS-SHA384-ciphers.patch b/SOURCES/tomcatjss-add-TLS-SHA384-ciphers.patch
new file mode 100644
index 0000000..bf55593
--- /dev/null
+++ b/SOURCES/tomcatjss-add-TLS-SHA384-ciphers.patch
@@ -0,0 +1,98 @@
+From 1970d6bf47e4ce3a43de370ada5c3e882d7a7cb0 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Fri, 29 Jun 2018 15:04:43 -0700
+Subject: [PATCH] Ticket #11 Add support for TLS_*_SHA384 ciphers
+
+This patch adds support for TLS_*_SHA384 ciphers which NSS now supports.
+
+fixes: https://pagure.io/tomcatjss/issue/11
+---
+ .../tomcat/util/net/jss/JSSSocketFactory.java      | 43 +++++++++++++++++++++-
+ 1 file changed, 41 insertions(+), 2 deletions(-)
+
+diff --git a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
+index f974a89..b38b091 100644
+--- a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
++++ b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
+@@ -290,6 +290,22 @@ public class JSSSocketFactory implements
+                 SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA);
+         cipherMap.put("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+                 SSLSocket.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA);
++
++        // TLS_*_SHA384
++        cipherMap.put("TLS_RSA_WITH_AES_256_GCM_SHA384",
++                SSLSocket.TLS_RSA_WITH_AES_256_GCM_SHA384);
++        cipherMap.put("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
++                SSLSocket.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384);
++        cipherMap.put("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
++                SSLSocket.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384);
++        cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
++                SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384);
++        cipherMap.put("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
++                SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384);
++        cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
++                SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384);
++        cipherMap.put("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
++                SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384);
+     }
+ 
+     private static HashMap<Integer, String> eccCipherMap = new HashMap<Integer, String>();
+@@ -338,6 +354,22 @@ public class JSSSocketFactory implements
+         eccCipherMap.put(SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+                 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256");
+ */
++
++        // TLS_*_SHA384
++        eccCipherMap.put(SSLSocket.TLS_RSA_WITH_AES_256_GCM_SHA384,
++                "TLS_RSA_WITH_AES_256_GCM_SHA384");
++        eccCipherMap.put(SSLSocket.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
++                "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384");
++        eccCipherMap.put(SSLSocket.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
++                "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384");
++        eccCipherMap.put(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
++                "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384");
++        eccCipherMap.put(SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
++                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384");
++        eccCipherMap.put(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
++                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
++        eccCipherMap.put(SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
++                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
+     }
+ 
+     private AbstractEndpoint endpoint;
+@@ -429,23 +461,30 @@ public class JSSSocketFactory implements
+             }
+             if (cipherid != 0) {
+                 try {
+-                    debugWrite("JSSSocketFactory setSSLCiphers:  " + cipherstr
++                    debugWrite("JSSSocketFactory setSSLCiphers: setting: " + cipherstr
+                             + ": 0x" + Integer.toHexString(cipherid) + "\n");
+                     SSLSocket.setCipherPreferenceDefault(cipherid, state);
++                    debugWrite("JSSSocketFactory setSSLCiphers: done setting: " + cipherstr
++                            + ": 0x" + Integer.toHexString(cipherid) + "\n");
+                 } catch (Exception e) {
+-                    System.err.println("SSLSocket.setCipherPreferenceDefault exception:" +e);
++                    String errMsg = "SSLSocket.setCipherPreferenceDefault exception on: " + cipherstr + " : " +e;
++                    System.err.println(errMsg);
++                    debugWrite("JSSSocketFactory setSSLCiphers: " + errMsg);
+                     if (eccCipherMap.containsKey(cipherid)) {
++                        debugWrite("JSSSocketFactory setSSLCiphers: Warning: cipher exists in eccCipherMap");
+                         System.err
+                                 .println("Warning: SSL ECC cipher \""
+                                         + text
+                                         + "\" unsupported by NSS. "
+                                         + "This is probably O.K. unless ECC support has been installed.");
+                     } else {
++                        debugWrite("JSSSocketFactory setSSLCiphers: Error: cipher does not exist in eccCipherMap");
+                         System.err.println("Error: SSL cipher \"" + text
+                                 + "\" unsupported by NSS");
+                     }
+                 }
+             } else {
++                debugWrite("JSSSocketFactory setSSLCiphers: Error: cipher not recognized by tomcatjss");
+                 System.err.println("Error: SSL cipher \"" + text
+                         + "\" not recognized by tomcatjss");
+             }
+-- 
+2.14.4
+
diff --git a/SPECS/tomcatjss.spec b/SPECS/tomcatjss.spec
index 90c490d..e3bcced 100644
--- a/SPECS/tomcatjss.spec
+++ b/SPECS/tomcatjss.spec
@@ -1,6 +1,6 @@
 Name:     tomcatjss
 Version:  7.2.1
-Release:  6%{?dist}
+Release:  7%{?dist}
 Summary:  JSS Connector for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS
 URL:      http://pki.fedoraproject.org/
 License:  LGPLv2+
@@ -20,9 +20,9 @@ BuildRequires:    apache-commons-lang
 BuildRequires:    java-devel
 BuildRequires:    jpackage-utils >= 0:1.7.5-15
 %if 0%{?fedora}
-BuildRequires:    jss >= 4.4.2-2
+BuildRequires:    jss >= 4.4.4-3
 %else
-BuildRequires:    jss >= 4.4.0-7
+BuildRequires:    jss >= 4.4.0-13
 %endif
 %if 0%{?fedora} >= 23
 BuildRequires:    tomcat >= 8.0.18
@@ -38,9 +38,9 @@ Requires:         java
 %endif
 Requires:         jpackage-utils >= 0:1.7.5-15
 %if 0%{?fedora}
-Requires:         jss >= 4.4.2-2
+Requires:         jss >= 4.4.4-3
 %else
-Requires:         jss >= 4.4.0-7
+Requires:         jss >= 4.4.0-13
 %endif
 %if 0%{?fedora} >= 23
 Requires:         tomcat >= 8.0.18
@@ -60,6 +60,10 @@ Patch2:           tomcatjss-Fixed-SSL-cipher-list-parser.patch
 ## tomcatjss-7.2.1-5
 #######################
 Patch3:           tomcatjss-Comply-with-ASF-trademark-rules.patch
+#######################
+## tomcatjss-7.2.1-7
+#######################
+Patch4:           tomcatjss-add-TLS-SHA384-ciphers.patch
 
 # The 'tomcatjss' package conflicts with the 'tomcat-native' package
 # because it uses an underlying NSS security model rather than the
@@ -88,6 +92,7 @@ NOTE:  The 'tomcatjss' package conflicts with the 'tomcat-native' package
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 chmod -c -x LICENSE README
 
 %build
@@ -118,6 +123,11 @@ rm -rf %{buildroot}
 %{_javadir}/*
 
 %changelog
+* Mon Jul  2 2018 Matthew Harmsen <mharmsen@redhat.com> 7.2.1-7
+- Updated jss build and runtime dependencies
+- Bugzilla Bug #1597180 - Tomcatjss: Add support for TLS_*_SHA384 ciphers
+  [rhel-7.5.z] (cfu)
+
 * Mon Jun 12 2017 Matthew Harmsen <mharmsen@redhat.com> 7.2.1-6
 - Bugzilla Bug #1460040 - Comply with ASF trademark rules (mharmsen)