tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x
Date Sat, 15 Sep 2012 07:57:32 GMT
Brian Braun <brianbraun@gmail.com> wrote:

>Hi,
>
>Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for
>Tomcat 7.x?
>For more info about this attack:
>http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
>
>My thoughts and questions, as far as I have investigated this issue:
>
>- Disabling the TLS1.0 protocol would be too restrictive, because there
>are still browser versions in use that don't support TLS1.1 or TLS1.2.
>- Should we restrict the ciphers in use? If so, which ones should we
>offer for Tomcat 7.X over JVM1.6 and using a GeoCerts certificate (which
>means JSSE instead of OpenSSL)?

Any strong ciphers available with your JVM that don't use CBC.

>- Will upgrading to the latest JVM (as of today, Sept 14th 2012) solve
>this issue?

Unlikely. What it may do is give you more cipher options. Java 7 also - I think but haven't
checked my recollection - supports the later TLS versions.

Mark
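To make Mark's "any strong ciphers available with your JVM that don't use CBC" concrete, here is an added example (not code from the thread, Tomcat or the JDK) that asks the running JVM's default JSSE provider which protocols and cipher suites it supports, drops every CBC-mode suite plus the NULL, anonymous, export-grade, single-DES and Kerberos suites, and prints the survivors as a comma-separated list suitable for the `ciphers` attribute of a Tomcat 7 JSSE HTTPS Connector. The class name, the helper names and the filtering rules are my own choices. Caveat for anyone reading this later: on Java 6 and 7 the only non-CBC suites that survive this filter are RC4-based, which was the accepted BEAST trade-off in 2012 but is no longer considered strong; AES-GCM suites only appear in JSSE from Java 8, so on a modern JVM the same filter yields a far better list.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Enumerates the JSSE cipher suites of the running JVM and keeps only the
 * ones that do not use CBC mode (TLS 1.0 + CBC is what BEAST exploits) and
 * are not otherwise weak. Example code written for this discussion; it is
 * not part of Tomcat or the JDK.
 */
public class NonCbcCipherList {

    /** JSSE suite names carry the block mode, e.g. TLS_RSA_WITH_AES_128_CBC_SHA. */
    static boolean usesCbc(String suite) {
        return suite.contains("_CBC_");
    }

    /** Suites with no confidentiality, no server authentication, export-grade
     *  keys, single DES, Kerberos key exchange, or the renegotiation pseudo-suite. */
    static boolean isWeakOrUnusable(String suite) {
        return suite.contains("_NULL_")
            || suite.contains("_anon_")
            || suite.contains("_EXPORT")
            || suite.contains("_DES_")
            || suite.contains("_KRB5_")
            || suite.endsWith("_SCSV");
    }

    /** Returns the subset of 'supported' that passes both filters, in JVM order. */
    static List<String> selectSuites(String[] supported) {
        List<String> chosen = new ArrayList<String>();
        for (String suite : supported) {
            if (!usesCbc(suite) && !isWeakOrUnusable(suite)) {
                chosen.add(suite);
            }
        }
        return chosen;
    }

    /** Joins the suites with commas, the separator Tomcat's 'ciphers' attribute expects. */
    static String toCiphersAttribute(List<String> suites) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < suites.size(); i++) {
            if (i > 0) {
                sb.append(',');
            }
            sb.append(suites.get(i));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Default context reflects the JVM's installed JSSE provider and its policy files.
        SSLParameters params = SSLContext.getDefault().getSupportedSSLParameters();

        // On Java 6 this typically shows SSLv3/TLSv1 only; Java 7 adds TLSv1.1 and TLSv1.2.
        System.out.println("Supported protocols: " + Arrays.toString(params.getProtocols()));

        List<String> chosen = selectSuites(params.getCipherSuites());
        System.out.println("Non-CBC suites found: " + chosen.size());
        System.out.println("ciphers=\"" + toCiphersAttribute(chosen) + "\"");
    }
}
```

Run it with the same JVM that runs Tomcat, since the list depends on the installed JSSE provider and unlimited-strength policy files, not on Tomcat. The protocol line answers the second question in the thread directly: if it lists only SSLv3 and TLSv1, the JVM cannot offer TLS 1.1 or 1.2 regardless of connector settings.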



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

