tomcat-dev mailing list archives

Subject [Bug 53481] New: Support SSL_OP_CIPHER_SERVER_PREFERENCE / SSLHonorCipherOrder
Date Thu, 28 Jun 2012 14:27:30 GMT

          Priority: P2
            Bug ID: 53481
           Summary: Support SSL_OP_CIPHER_SERVER_PREFERENCE /
          Severity: normal
    Classification: Unclassified
                OS: All
          Hardware: All
            Status: NEW
           Version: 1.1.24
         Component: Library
           Product: Tomcat Native

Currently, Tomcat Native does not have an equivalent of the mod_ssl
SSLHonorCipherOrder directive and is thus vulnerable to the SSL BEAST attack.

for the docs on this directive, and
on why and how it mitigates the BEAST attack.

Please incorporate an option named SSLHonorCipherOrder that sets the OpenSSL

P.S., not sure whether to qualify this as bug or enhancement, but since it
concerns a security issue I filed it as a bug.

P.S.2, I'm willing to create a patch myself, but since I don't have a Tomcat
Native build env that will probably take some time... It's a really small

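What the requested option changes during cipher negotiation, as an added example that is not part of the original report and is not OpenSSL or Tomcat Native code. `select_cipher` and `negotiate` are hypothetical helpers, and the cipher lists are constructed samples using OpenSSL cipher names.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of server-side cipher selection (not an OpenSSL API).
 * honor_server_order != 0 models SSL_OP_CIPHER_SERVER_PREFERENCE being set:
 * the server walks its own list first. Otherwise the client's order wins. */
const char *select_cipher(const char *const *client, size_t n_client,
                          const char *const *server, size_t n_server,
                          int honor_server_order)
{
    /* The list walked in the outer loop decides whose preference wins. */
    const char *const *outer = honor_server_order ? server : client;
    const char *const *inner = honor_server_order ? client : server;
    size_t n_outer = honor_server_order ? n_server : n_client;
    size_t n_inner = honor_server_order ? n_client : n_server;

    for (size_t i = 0; i < n_outer; i++)
        for (size_t j = 0; j < n_inner; j++)
            if (strcmp(outer[i], inner[j]) == 0)
                return outer[i];
    return NULL; /* no shared cipher: the handshake fails */
}

/* Constructed sample lists. The client ranks CBC suites first; the server
 * ranks a stream cipher ahead of CBC, the ordering used against BEAST in 2012. */
static const char *const CLIENT[] = { "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA" };
static const char *const SERVER[] = { "RC4-SHA", "AES128-SHA" };

/* Negotiate with the sample lists, with or without server preference. */
const char *negotiate(int honor_server_order)
{
    return select_cipher(CLIENT, 3, SERVER, 2, honor_server_order);
}

int main(void)
{
    printf("option unset (client order wins): %s\n", negotiate(0));
    printf("option set   (server order wins): %s\n", negotiate(1));
    return 0;
}
```

RC4 has since been prohibited for TLS by RFC 7465, so the sample ordering is of historical interest; the selection rule the option controls is unchanged.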