tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Gainty <>
Subject RE: Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x
Date Sat, 15 Sep 2012 12:29:26 GMT

Good Morning Brian

from what Im seeing this is a Redhat Enterprise 4,5,6 bug which effects any of the secure
protocols such as sftp, scp and ssl  and you would need to implement the RH patch
dsiable TLS 1.0 and implement either TLS 1.1 or TLS 1.2 protocols in its place
disable applets
disable WebSockets
disable Cipher Block Chaining (CBC) ciphers
make sure  1/(n-1) split is being implemented 
replace your JSSE with a JSSE that supports  jsse.enableCBCProtection

this update from tomas tells the story
"A mitigation for this flaw was implemented in the Network Security Services (NSS) library.
It uses 1/(n-1) record splitting as mentioned in comment #19. 
 This mitigation was added in NSS version 3.13 (which is used in Firefox 9 and later) and
is enabled by default upstream.  
Environment variable NSS_SSL_CBC_RANDOM_IV can be used to disable the mitigation when it causes
failures to connect to servers that are intolerant to such record splitting (see comment #23).
 Setting the environment variable value to 0 disables the mitigation."
use FF9 as your corporate browser anyone from Redhat have anything useful
to say on this matter?
Martin Gainty 
Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité

Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten
wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist
unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet
keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen
wir keine Haftung fuer den Inhalt uebernehmen.
Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire
prévu, nous te deer mandons avec bonté que pour satisfaire informez l'expéditeur. N'importe
quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information
seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les
email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune
responsabilité pour le contenu fourni.

> Date: Fri, 14 Sep 2012 22:12:30 -0500
> Subject: Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x
> From:
> To:
> Hi,
> Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat
> 7.x?
> For more info about this attack:
> My toughts and questions, as far as I have investigated this issue:
> - Disabling the TLS1.0 protocol would be too restrictive, because there are
> still browser versions in use that don't support TLS1.1 or TLS1.2.
> - Should we restrict the ciphers in use? If so, which ones should we offer
> for Tomcat 7.X over JVM1.6 and using a GeoCerts certificate (which means
> JSSE instead of OpenSSL)?
> - Will upgrading to the latest JVM (as of today, Sept 14th 2012) solve this
> issue?
> Thanks in advace.
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message