tomcat-users mailing list archives

From Brian Braun <brianbr...@gmail.com>
Subject Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x
Date Sat, 15 Sep 2012 03:12:30 GMT
Hi,

Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat
7.x?
For more info about this attack:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389

My thoughts and questions, as far as I have investigated this issue:

- Disabling the TLS1.0 protocol would be too restrictive, because there are
still browser versions in use that don't support TLS1.1 or TLS1.2.
- Should we restrict the ciphers in use? If so, which ones should we offer
for Tomcat 7.X over JVM1.6 and using a GeoCerts certificate (which means
JSSE instead of OpenSSL)?
- Will upgrading to the latest JVM (as of today, Sept 14th 2012) solve this
issue?

Thanks in advance.

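As an added illustration (not from the poster, and not Tomcat project code), this is the mechanism Tomcat 7 exposes for the cipher question above: the `sslEnabledProtocols` and `ciphers` attributes of a JSSE-backed HTTPS connector in server.xml. The port, keystore path and password, and the particular suite list are assumptions chosen for the example. Tomcat's documentation says that only the listed protocol and cipher names that the JSSE implementation actually supports are enabled, so on a JDK 6 JVM the TLSv1.1/TLSv1.2 entries and any ECDHE suites simply will not appear. Two caveats a practitioner should know: the JSSE in Java 6 and 7 negotiates in the client's preference order, so merely listing RC4 first does nothing, and you have to remove the CBC suites outright to keep a TLS 1.0 client off them; and RC4 has since been judged too weak for TLS (RFC 7465 prohibits it), so the list below reflects the 2012-era trade-off, not a current recommendation.

```xml
<!-- server.xml: JSSE (NIO) HTTPS connector for Tomcat 7.
     Hypothetical example; port, keystore path/password and cipher list are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           keystoreFile="${catalina.base}/conf/example-keystore.jks"
           keystorePass="changeit"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    SSL_RSA_WITH_RC4_128_SHA"/>

<!-- Variant that keeps a TLS 1.0 client off CBC entirely (the 2012 BEAST workaround):
     every remaining suite is RC4-based, which is why it is no longer acceptable today. -->
<Connector port="8444"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           keystoreFile="${catalina.base}/conf/example-keystore.jks"
           keystorePass="changeit"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1"
           ciphers="SSL_RSA_WITH_RC4_128_SHA"/>
```

After restarting Tomcat, confirm what is actually negotiated from a client rather than trusting the config: `openssl s_client -connect localhost:8443 -tls1` and read the `Protocol` and `Cipher` lines in the output; repeat with `-cipher AES128-SHA` to verify that a CBC suite is refused on the restricted connector.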