tomcat-users mailing list archives

From Brian Braun <brianbr...@gmail.com>
Subject Re: Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x
Date Sat, 15 Sep 2012 18:59:09 GMT
Hi Mark,

I was really interested in your advice. I'm glad you answered, thanks!
I'm trying not to disable TLS1.0 because I did a site that is being used
by unknown people over the internet, and I don't know how many of them are
using a browser that only works with TLS1.0.
Where can I get the list of all available ciphers for Sun JVM 6 update 35?
I would like to get the complete list, and then remove the CBC ones. Right
now I'm using just 3, of which one uses CBC:
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
Besides removing the last one, which ones should I add?
On Sat, Sep 15, 2012 at 2:57 AM, Mark Thomas <markt@apache.org> wrote:

> Brian Braun <brianbraun@gmail.com> wrote:
>
> >Hi,
> >
> >Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x?
> >For more info about this attack:
> >http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
> >
> >My thoughts and questions, as far as I have investigated this issue:
> >
> >- Disabling the TLS1.0 protocol would be too restrictive, because there
> >are still browser versions in use that don't support TLS1.1 or TLS1.2.
> >- Should we restrict the ciphers in use? If so, which ones should we
> >offer for Tomcat 7.X over JVM1.6 and using a GeoCerts certificate (which
> >means JSSE instead of OpenSSL)?
>
> Any strong ciphers available with your JVM that don't use CBC.
>
> >- Will upgrading to the latest JVM (as of today, Sept 14th 2012) solve
> >this issue?
>
> Unlikely. What it may do is give you more cipher options. Java 7 also - I
> think but haven't checked my recollection - supports the later TLS versions.
>
> Mark
>

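Mark's advice is "any strong cipher available with your JVM that doesn't use CBC", and Brian asks where to get the JVM's full suite list. The program below is an added example, not code from the thread: it asks the running JSSE provider for its supported suites, drops CBC, NULL, anonymous, export, single-DES and Kerberos suites plus the renegotiation SCSV pseudo-suite, and prints the rest in the form the Tomcat connector's `ciphers` attribute expects. The class name and filter rules are my own choices; it uses Java 6 syntax so it can run under the same JVM that runs Tomcat.

```java
import javax.net.ssl.SSLServerSocketFactory;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the mailing list thread). Run with the JVM that
// runs Tomcat: the supported list depends on the JSSE provider in use.
public class ListNonCbcCiphers {

    /** Keep a suite only if it avoids CBC mode and the obviously weak families. */
    static boolean isAcceptable(String suite) {
        return !suite.contains("_CBC_")      // the BEAST-relevant ones
            && !suite.contains("_NULL_")     // no encryption
            && !suite.contains("_anon_")     // no server authentication
            && !suite.contains("_EXPORT")    // 40/56-bit export grades
            && !suite.contains("_DES_")      // single DES ("_3DES_" is CBC anyway)
            && !suite.contains("_KRB5_")     // needs a Kerberos setup Tomcat won't have
            && !suite.endsWith("_SCSV");     // signalling value, not a real suite
    }

    /** Filter the provider's names, preserving its preference order. */
    static List<String> nonCbcSuites(String[] supported) {
        List<String> keep = new ArrayList<String>();
        for (String s : supported) {
            if (isAcceptable(s)) {
                keep.add(s);
            }
        }
        return keep;
    }

    /** Join the names into a value for ciphers="..." on the connector. */
    static String asTomcatAttribute(List<String> suites) {
        StringBuilder sb = new StringBuilder();
        for (String s : suites) {
            if (sb.length() > 0) {
                sb.append(',');
            }
            sb.append(s);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        // getSupportedCipherSuites() is the whole provider list; getDefaultCipherSuites()
        // would be only the subset enabled without configuration.
        String[] supported = f.getSupportedCipherSuites();
        List<String> keep = nonCbcSuites(supported);
        System.out.println("supported=" + supported.length + " kept=" + keep.size());
        System.out.println("ciphers=\"" + asTomcatAttribute(keep) + "\"");
    }
}
```

On a Java 6 provider the survivors are essentially the RC4 suites, which were later judged weak enough that RFC 7465 prohibits them; newer JDKs add AES-GCM suites that pass the same filter, which is the real way out of the CBC-versus-RC4 trade-off this thread is stuck in.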