tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 53481] New: Support SSL_OP_CIPHER_SERVER_PREFERENCE / SSLHonorCipherOrder
Date Thu, 28 Jun 2012 14:27:30 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=53481

          Priority: P2
            Bug ID: 53481
          Assignee: dev@tomcat.apache.org
           Summary: Support SSL_OP_CIPHER_SERVER_PREFERENCE /
                    SSLHonorCipherOrder
          Severity: normal
    Classification: Unclassified
                OS: All
          Reporter: mike@normi.net
          Hardware: All
            Status: NEW
           Version: 1.1.24
         Component: Library
           Product: Tomcat Native

Currently, Tomcat Native does not have an equivalent of the mod_ssl
SSLHonorCipherOrder directive and is thus vulnerable to the SSL BEAST attack.

See http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslhonorcipherorder
for the docs on this directive, and
https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
on why and how it mitigates the BEAST attack.

Please incorporate an option named SSLHonorCipherOrder that sets the OpenSSL
option SSL_OP_CIPHER_SERVER_PREFERENCE

P.S., not sure whether to qualify this as bug or enhancement, but since it
concerns a security issue I filed it as a bug.

P.S.2, I'm willing to create a patch myself, but since I don't have an Tomcat
Native build env that will probably take some time... It's a really small
change.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message