In some cases (e.g. in FIPS mode) the admin will need to modify the SSL cipher list in server.xml. Currently the cipher list needs to be specified as a single (and oftentimes long) line without line breaks, which makes it difficult to manage and error-prone. For example:
<Connector sslRangeCiphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256" />
To improve usability the cipher list should support the following format:
<Connector sslRangeCiphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256" />
However, currently this format is not supported by TomcatJSS, causing the following error:
Error: SSL cipher " TLS_DHE_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss
Error: SSL cipher " TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" not recognized by tomcatjss
Error: SSL cipher " TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" not recognized by tomcatjss
Error: SSL cipher " TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Error: SSL cipher " TLS_RSA_WITH_AES_128_CBC_SHA256" not recognized by tomcatjss
Error: SSL cipher " TLS_RSA_WITH_AES_256_CBC_SHA256" not recognized by tomcatjss
The cipher list parser needs to be modified to support spaces and line breaks.
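The errors quoted above show the cause: each rejected name starts with a space (`" TLS_DHE_..."`), so the attribute was split on commas and the surrounding whitespace was handed to the name lookup untouched. The following is an added example, not TomcatJSS code, of the naive split beside a whitespace-tolerant parser; the `KNOWN` set is a constructed stand-in for the names TomcatJSS actually recognizes, and the method names are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not TomcatJSS code): a cipher-list parser that tolerates
 * spaces and line breaks around the comma separators, shown beside the
 * naive split that yields the " TLS_..." errors quoted in the ticket.
 */
public class CipherListParser {

    // Constructed allow-list standing in for the names TomcatJSS knows;
    // the real mapping lives inside TomcatJSS and is not reproduced here.
    static final Set<String> KNOWN = new HashSet<>(Arrays.asList(
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA256"));

    /** Naive parser: splits on "," only, so " TLS_..." (leading space or newline) is passed through verbatim. */
    static List<String> parseNaive(String attr) {
        return Arrays.asList(attr.split(","));
    }

    /** Tolerant parser: split on commas, strip surrounding whitespace (spaces, tabs, CR/LF), drop empty tokens. */
    static List<String> parseTolerant(String attr) {
        List<String> out = new ArrayList<>();
        for (String tok : attr.split(",")) {
            String name = tok.trim();   // trim() removes all chars <= U+0020, which covers space, tab, CR and LF
            if (!name.isEmpty()) {      // tolerate a trailing comma or a blank line between entries
                out.add(name);
            }
        }
        return out;
    }

    /** One error line per unrecognized name, in the ticket's format; an empty list means the whole list is valid. */
    static List<String> validate(List<String> ciphers) {
        List<String> errors = new ArrayList<>();
        for (String c : ciphers) {
            if (!KNOWN.contains(c)) {
                errors.add("Error: SSL cipher \"" + c + "\" not recognized by tomcatjss");
            }
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed input in the multi-line form the ticket asks for.
        String attr = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\n"
                    + "    TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256,\n"
                    + "    TLS_RSA_WITH_AES_128_CBC_SHA256\n";

        System.out.println("naive split:");
        validate(parseNaive(attr)).forEach(System.out::println);    // three errors: names carrying leading whitespace
        System.out.println("tolerant split:");
        validate(parseTolerant(attr)).forEach(System.out::println); // prints nothing: all four names recognized
        System.out.println(parseTolerant(attr));                    // the four trimmed cipher names
    }
}
```

Only the whitespace handling changes; a name that is still not recognized after trimming should keep producing the error rather than being skipped, since silently dropping an entry would leave the connector with a weaker cipher set than the one the admin wrote into server.xml.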
Metadata Update from @mharmsen:
- Custom field component adjusted to ''
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1457524
- Custom field type adjusted to defect
- Custom field version adjusted to ''
Fixed in master:
Metadata Update from @edewata:
- Custom field rhbz reset (from https://bugzilla.redhat.com/show_bug.cgi?id=1457524)

Metadata Update from @edewata:
- Issue assigned to edewata

Metadata Update from @edewata:
- Issue close_status updated to: fixed
- Issue priority set to: major
- Issue status updated to: Closed (was: Open)

Metadata Update from @edewata:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1457524

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to tomcatjss-7.2.3-1.fc27

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to tomcatjss-7.2.3-4.fc27 (was: tomcatjss-7.2.3-1.fc27)

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to tomcatjss-7.2.3-1.fc27 (was: tomcatjss-7.2.3-4.fc27)