diff --git a/SOURCES/tomcatjss-add-TLS-SHA384-ciphers.patch b/SOURCES/tomcatjss-add-TLS-SHA384-ciphers.patch
new file mode 100644
index 0000000..bf55593
--- /dev/null
+++ b/SOURCES/tomcatjss-add-TLS-SHA384-ciphers.patch
@@ -0,0 +1,98 @@
+From 1970d6bf47e4ce3a43de370ada5c3e882d7a7cb0 Mon Sep 17 00:00:00 2001
+From: Christina Fu
+Date: Fri, 29 Jun 2018 15:04:43 -0700
+Subject: [PATCH] Ticket #11 Add support for TLS_*_SHA384 ciphers
+
+This patch adds support for TLS_*_SHA384 ciphers which NSS now supports.
+
+fixes: https://pagure.io/tomcatjss/issue/11
+---
+ .../tomcat/util/net/jss/JSSSocketFactory.java | 43 +++++++++++++++++++++-
+ 1 file changed, 41 insertions(+), 2 deletions(-)
+
+diff --git a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
+index f974a89..b38b091 100644
+--- a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
++++ b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
+@@ -290,6 +290,22 @@ public class JSSSocketFactory implements
+ SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA);
+ cipherMap.put("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+ SSLSocket.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA);
++
++ // TLS_*_SHA384
++ cipherMap.put("TLS_RSA_WITH_AES_256_GCM_SHA384",
++ SSLSocket.TLS_RSA_WITH_AES_256_GCM_SHA384);
++ cipherMap.put("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
++ SSLSocket.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384);
++ cipherMap.put("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
++ SSLSocket.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384);
++ cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
++ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384);
++ cipherMap.put("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
++ SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384);
++ cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
++ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384);
++ cipherMap.put("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
++ SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384);
+ }
+
+ private static HashMap eccCipherMap = new HashMap();
+@@ -338,6 +354,22 @@ public class JSSSocketFactory implements
+ eccCipherMap.put(SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+ "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256");
+ */
++
++ // TLS_*_SHA384
++ eccCipherMap.put(SSLSocket.TLS_RSA_WITH_AES_256_GCM_SHA384,
++ "TLS_RSA_WITH_AES_256_GCM_SHA384");
++ eccCipherMap.put(SSLSocket.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
++ "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384");
++ eccCipherMap.put(SSLSocket.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
++ "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384");
++ eccCipherMap.put(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
++ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384");
++ eccCipherMap.put(SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
++ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384");
++ eccCipherMap.put(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
++ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
++ eccCipherMap.put(SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
++ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
+ }
+
+ private AbstractEndpoint endpoint;
+@@ -429,23 +461,30 @@ public class JSSSocketFactory implements
+ }
+ if (cipherid != 0) {
+ try {
+- debugWrite("JSSSocketFactory setSSLCiphers: " + cipherstr
++ debugWrite("JSSSocketFactory setSSLCiphers: setting: " + cipherstr
+ + ": 0x" + Integer.toHexString(cipherid) + "\n");
+ SSLSocket.setCipherPreferenceDefault(cipherid, state);
++ debugWrite("JSSSocketFactory setSSLCiphers: done setting: " + cipherstr
++ + ": 0x" + Integer.toHexString(cipherid) + "\n");
+ } catch (Exception e) {
+- System.err.println("SSLSocket.setCipherPreferenceDefault exception:" +e);
++ String errMsg = "SSLSocket.setCipherPreferenceDefault exception on: " + cipherstr + " : " +e;
++ System.err.println(errMsg);
++ debugWrite("JSSSocketFactory setSSLCiphers: " + errMsg);
+ if (eccCipherMap.containsKey(cipherid)) {
++ debugWrite("JSSSocketFactory setSSLCiphers: Warning: cipher exists in eccCipherMap");
+ System.err
+ .println("Warning: SSL ECC cipher \""
+ + text
+ + "\" unsupported by NSS. "
+ + "This is probably O.K. 
unless ECC support has been installed.");
+ } else {
++ debugWrite("JSSSocketFactory setSSLCiphers: Error: cipher does not exist in eccCipherMap");
+ System.err.println("Error: SSL cipher \"" + text
+ + "\" unsupported by NSS");
+ }
+ }
+ } else {
++ debugWrite("JSSSocketFactory setSSLCiphers: Error: cipher not recognized by tomcatjss");
+ System.err.println("Error: SSL cipher \"" + text
+ + "\" not recognized by tomcatjss");
+ }
+--
+2.14.4
+
diff --git a/SPECS/tomcatjss.spec b/SPECS/tomcatjss.spec
index 90c490d..e3bcced 100644
--- a/SPECS/tomcatjss.spec
+++ b/SPECS/tomcatjss.spec
@@ -1,6 +1,6 @@
 Name: tomcatjss
 Version: 7.2.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: JSS Connector for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS
 URL: http://pki.fedoraproject.org/
 License: LGPLv2+
@@ -20,9 +20,9 @@ BuildRequires: apache-commons-lang
 BuildRequires: java-devel
 BuildRequires: jpackage-utils >= 0:1.7.5-15
 %if 0%{?fedora}
-BuildRequires: jss >= 4.4.2-2
+BuildRequires: jss >= 4.4.4-3
 %else
-BuildRequires: jss >= 4.4.0-7
+BuildRequires: jss >= 4.4.0-13
 %endif
 %if 0%{?fedora} >= 23
 BuildRequires: tomcat >= 8.0.18
@@ -38,9 +38,9 @@ Requires: java
 %endif
 Requires: jpackage-utils >= 0:1.7.5-15
 %if 0%{?fedora}
-Requires: jss >= 4.4.2-2
+Requires: jss >= 4.4.4-3
 %else
-Requires: jss >= 4.4.0-7
+Requires: jss >= 4.4.0-13
 %endif
 %if 0%{?fedora} >= 23
 Requires: tomcat >= 8.0.18
@@ -60,6 +60,10 @@ Patch2: tomcatjss-Fixed-SSL-cipher-list-parser.patch
 ## tomcatjss-7.2.1-5
 #######################
 Patch3: tomcatjss-Comply-with-ASF-trademark-rules.patch
+#######################
+## tomcatjss-7.2.1-7
+#######################
+Patch4: tomcatjss-add-TLS-SHA384-ciphers.patch
 # The 'tomcatjss' package conflicts with the 'tomcat-native' package
 # because it uses an underlying NSS security model rather than the
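Review bot: The second hunk of the embedded patch registers TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 in eccCipherMap, but none of these is an ECC suite, and the third hunk consults eccCipherMap only to decide whether a setCipherPreferenceDefault failure is reported as the "probably O.K." ECC warning rather than as an error. A failure to enable one of those RSA/DHE suites would therefore be logged as a benign ECC warning and an operator could miss that a configured cipher is not actually active; I would keep only the four TLS_ECDHE_* SHA384 entries in eccCipherMap and drop the three RSA/DHE `eccCipherMap.put` pairs. The static initializer holding these entries and the setSSLCiphers loop in the third hunk both start and end outside their hunks. As a style point, the debugWrite calls added in the third hunk for errMsg and the Warning/Error branches omit the trailing `"\n"` that the neighbouring debugWrite calls carry, so those debug lines will run together unless debugWrite appends its own newline.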
@@ -88,6 +92,7 @@ NOTE: The 'tomcatjss' package conflicts with the 'tomcat-native' package
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 chmod -c -x LICENSE README
 %build
@@ -118,6 +123,11 @@ rm -rf %{buildroot}
 %{_javadir}/*
 %changelog
+* Mon Jul 2 2018 Matthew Harmsen 7.2.1-7
+- Updated jss build and runtime dependencies
+- Bugzilla Bug #1597180 - Tomcatjss: Add support for TLS_*_SHA384 ciphers
+ [rhel-7.5.z] (cfu)
+
 * Mon Jun 12 2017 Matthew Harmsen 7.2.1-6
 - Bugzilla Bug #1460040 - Comply with ASF trademark rules (mharmsen)