tomcat-users mailing list archives

From "Steve G. Johnson" <>
Subject SSLv3/TLS man-in-middle vulnerability
Date Mon, 18 Jan 2010 16:03:26 GMT

We recently installed Tomcat 5.5.23 on a Windows server to support the Infor
WebUI (webtop) application.
We installed a certificate and are using SSL on port 8443. This all works

The local IT Security team ran an HP "Web Inspect" and it showed a High
vulnerability for SSLv3/TLS known as CVE-2009-3555.
We are running JVM JRE 1.6.0._17 on the server.
You state on the site at end of
page that this is not a vulnerability depending on a number of factors.
This is very unclear for us.

The Web Inspect product stated that this must be fixed as follows:
Patches must be applied to the underlying web server and ssl library.
OpenSSL Patch:
Apache Mod-SSL Patch:
These patches may cause issues with sites that require renegotiation.
(Sites requiring public HTTPS access with certain folders
protected by client-side certificates)

What can we do to make the vulnerability shown in Web Inspect go away?


Steve Johnson (619) 237-8315
