#700 Disable all DES-based ciphers
Closed: migrated 2 years ago by dmoluguw. Opened 9 years ago by mharmsen.

'tomcatjss' is a JSSE module for Tomcat that uses JSS, a Java interface to Network Security Services (NSS). As such, it retrieves its active ciphers by reading them from a Tomcat 7 'server.xml' configuration file. The following DES ciphers are "configurable" for 'tomcatjss' (JSSSocketFactory.java):

    ssl2:
        SSL2_DES_64_CBC_WITH_MD5
        SSL2_DES_192_EDE3_CBC_WITH_MD5
    ssl3:
        SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL3_RSA_WITH_DES_CBC_SHA
        SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
        SSL3_DH_DSS_WITH_DES_CBC_SHA
        SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL3_DH_RSA_WITH_DES_CBC_SHA
        SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        SSL3_DHE_DSS_WITH_DES_CBC_SHA
        SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL3_DHE_RSA_WITH_DES_CBC_SHA
        SSL3_DH_ANON_EXPORT_WITH_DES40_CBC_SHA
        SSL3_DH_ANON_WITH_DES_CBC_SHA
        SSL_RSA_FIPS_WITH_DES_CBC_SHA
    tls:
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA

The remaining portion of the initial description of this ticket was relocated to its own TRAC ticket:

TRAC Ticket #706 - Disable '+SSL3_RSA_WITH_DES_CBC_SHA' as
                   '-SSL3_RSA_WITH_DES_CBC_SHA' in 'pkiparser.py'

'jss' is a Java native interface which provides a bridge for Java-based applications to use native NSS.

'jss' contains a list of cipher suites that are implemented by NSS in 'org/mozilla/jss/ssl/SSLSocket.java'; only cipher suites implemented by NSS are enabled by default.

All Java-based tools utilize JSS as their crypto interface to NSS, and need to be reviewed individually to determine if they contain any DES issues.
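The practical check behind this ticket is whether any of the DES suites listed above are still enabled in a deployed 'server.xml'. The following Python script is an added example, not code from tomcatjss or Dogtag PKI: it audits a Connector's cipher attributes and rewrites every enabled DES entry with the '-' prefix, the same '+' to '-' flip the ticket describes for 'pkiparser.py'. It assumes the attributes are named ssl2Ciphers, ssl3Ciphers and tlsCiphers and hold comma-separated entries prefixed with '+' (enabled) or '-' (disabled); the DES suite names come from the list in this ticket, and the sample server.xml is constructed for the example. It goes slightly beyond the ticket by also flagging any unlisted suite whose name carries a single-DES or DES40 token.

```python
"""Audit and harden tomcatjss-style cipher lists in server.xml (added example)."""
import re
import xml.etree.ElementTree as ET

# DES-based suites tomcatjss accepts, as enumerated in the ticket description.
DES_CIPHERS = frozenset([
    "SSL2_DES_64_CBC_WITH_MD5",
    "SSL2_DES_192_EDE3_CBC_WITH_MD5",
    "SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL3_RSA_WITH_DES_CBC_SHA",
    "SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "SSL3_DH_DSS_WITH_DES_CBC_SHA",
    "SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL3_DH_RSA_WITH_DES_CBC_SHA",
    "SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "SSL3_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL3_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL3_DH_ANON_EXPORT_WITH_DES40_CBC_SHA",
    "SSL3_DH_ANON_WITH_DES_CBC_SHA",
    "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
])

# Fallback for names not in the ticket's list: a bare DES or DES40 token.
# "3DES" is deliberately not matched, mirroring the ticket's own list.
DES_TOKEN = re.compile(r"(?:^|_)DES(?:40)?_")

# Attribute names assumed for the tomcatjss Connector (assumption, see lead-in).
CIPHER_ATTRS = ("ssl2Ciphers", "ssl3Ciphers", "tlsCiphers")


def is_des_cipher(name: str) -> bool:
    """True if a suite name (with or without +/- prefix) is DES-based."""
    name = name.lstrip("+-")
    return name in DES_CIPHERS or bool(DES_TOKEN.search(name))


def harden_cipher_list(value: str):
    """Flip every enabled DES entry to '-'; return (new_value, disabled_names).

    An entry with no prefix is treated as enabled; '-' entries are untouched.
    """
    out, disabled = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        name = entry.lstrip("+-")
        if not entry.startswith("-") and is_des_cipher(name):
            out.append("-" + name)
            disabled.append(name)
        else:
            out.append(entry)
    return ",".join(out), disabled


def audit_server_xml(xml_text: str) -> dict:
    """Map each cipher attribute to the DES suites it still leaves enabled."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        for attr in CIPHER_ATTRS:
            value = conn.get(attr)
            if value is None:
                continue
            _, enabled_des = harden_cipher_list(value)
            if enabled_des:
                findings[attr] = enabled_des
    return findings


def harden_server_xml(xml_text: str) -> str:
    """Return the XML with every enabled DES suite disabled in place."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        for attr in CIPHER_ATTRS:
            value = conn.get(attr)
            if value is not None:
                conn.set(attr, harden_cipher_list(value)[0])
    return ET.tostring(root, encoding="unicode")


# Constructed sample Connector; not a real deployment's server.xml.
SAMPLE_SERVER_XML = """<Server><Service>
  <Connector port="8443" SSLEnabled="true"
    ssl3Ciphers="-SSL3_RSA_WITH_NULL_MD5,+SSL3_RSA_WITH_DES_CBC_SHA,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_DHE_RSA_WITH_DES_CBC_SHA"
    tlsCiphers="+TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA"/>
</Service></Server>"""

if __name__ == "__main__":
    for attr, names in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(f"{attr}: DES suites still enabled: {', '.join(names)}")
    print(harden_server_xml(SAMPLE_SERVER_XML))
```

Running the script against a real file only needs `open(path).read()` in place of the constructed sample; the audit step is the one to wire into a deployment check, since it reports exactly which '+' entries contradict this ticket without modifying anything.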

[06/04/2014] - Moving to Milestone 10.2 (June) as this may be addressed by other required tomcatjss work due for RHEL 6.

Moved from Dogtag 10.2 (June) --> Dogtag 10.2 (July).

After discussions, decided to move this to 10.2.3.

Per Dogtag 10.2.X meeting of 01/14/2015: Milestone 10.2 Backlog

Per 10.2.3 TRIAGE meeting of 02/26/2015: 10.3

NOTE: Moved from 10.2 Backlog since it was not a documentation/man page issue.

Metadata Update from @mharmsen:
- Issue assigned to cfu
- Issue set to the milestone: 10.4

5 years ago

Per CS/DS meeting of 04/24/2017: 10.5

Metadata Update from @mharmsen:
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None
- Issue set to the milestone: 10.5 (was: 10.4)

5 years ago

Metadata Update from @mharmsen:
- Issue priority set to: major (was: critical)

5 years ago

[20171025] - Offline Triage ==> 10.6

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.6 (was: 10.5)

5 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1269

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

2 years ago
