tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pid *" <>
Subject Re: Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x
Date Wed, 19 Sep 2012 18:16:24 GMT

You know what a turtle is?


On 15 Sep 2012, at 13:30, Martin Gainty <> wrote:

> Good Morning Brian
> from what Im seeing this is a Redhat Enterprise 4,5,6 bug which effects any of the secure
protocols such as sftp, scp and ssl  and you would need to implement the RH patch
> dsiable TLS 1.0 and implement either TLS 1.1 or TLS 1.2 protocols in its place
> disable applets
> disable WebSockets
> disable Cipher Block Chaining (CBC) ciphers
> make sure  1/(n-1) split is being implemented
> replace your JSSE with a JSSE that supports  jsse.enableCBCProtection
> this update from tomas tells the story
> "A mitigation for this flaw was implemented in the Network Security Services (NSS) library.
> It uses 1/(n-1) record splitting as mentioned in comment #19.
> This mitigation was added in NSS version 3.13 (which is used in Firefox 9 and later)
and is enabled by default upstream.
> Environment variable NSS_SSL_CBC_RANDOM_IV can be used to disable the mitigation when
it causes failures to connect to servers that are intolerant to such record splitting (see
comment #23).  Setting the environment variable value to 0 disables the mitigation."
> use FF9 as your corporate browser
> anyone from Redhat have anything
useful to say on this matter?
> Martin Gainty
> ______________________________________________
> Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité
> Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so
bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer
Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und
entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails
koennen wir keine Haftung fuer den Inhalt uebernehmen.
> Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire
prévu, nous te deer mandons avec bonté que pour satisfaire informez l'expéditeur. N'importe
quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information
seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les
email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune
responsabilité pour le contenu fourni.
>> Date: Fri, 14 Sep 2012 22:12:30 -0500
>> Subject: Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat
>> From:
>> To:
>> Hi,
>> Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat
>> 7.x?
>> For more info about this attack:
>> My toughts and questions, as far as I have investigated this issue:
>> - Disabling the TLS1.0 protocol would be too restrictive, because there are
>> still browser versions in use that don't support TLS1.1 or TLS1.2.
>> - Should we restrict the ciphers in use? If so, which ones should we offer
>> for Tomcat 7.X over JVM1.6 and using a GeoCerts certificate (which means
>> JSSE instead of OpenSSL)?
>> - Will upgrading to the latest JVM (as of today, Sept 14th 2012) solve this
>> issue?
>> Thanks in advace.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message