tomcat-users mailing list archives

From Edward Bicker <>
Subject Re: Is there a REAL solution to the
Date Sat, 15 Sep 2012 15:10:07 GMT
Yeah, but I thought OpenSSL had a patch for this that worked.
Read...#2635: 1/n-1 record splitting technique for CVE-2011-3389

-----Original Message-----
>From: Brian Braun <>
>Sent: Sep 14, 2012 11:12 PM
>To: Tomcat Users List <>
>Subject: Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x
>Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat
>For more info about this attack:
>My thoughts and questions, as far as I have investigated this issue:
>- Disabling the TLS1.0 protocol would be too restrictive, because there are
>still browser versions in use that don't support TLS1.1 or TLS1.2.
>- Should we restrict the ciphers in use? If so, which ones should we offer
>for Tomcat 7.X over JVM1.6 and using a GeoCerts certificate (which means
>JSSE instead of OpenSSL)?
>- Will upgrading to the latest JVM (as of today, Sept 14th 2012) solve this
>Thanks in advance.
