From: Martin Gainty
To: Tomcat Users List
Subject: RE: Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x
Date: Sat, 15 Sep 2012 08:29:26 -0400

Good Morning Brian,

From what I'm seeing this is a Redhat Enterprise 4, 5, 6 bug which affects any of the secure protocols such as sftp, scp and ssl, and you would need to:

- implement the RH patch
- disable TLS 1.0 and implement either TLS 1.1 or TLS 1.2 protocols in its place
- disable applets
- disable WebSockets
- disable Cipher Block Chaining (CBC) ciphers
- make sure 1/(n-1) split is being implemented
- replace your JSSE with a JSSE that supports jsse.enableCBCProtection

This update from Tomas tells the story:

"A mitigation for this flaw was implemented in the Network Security Services (NSS) library.
It uses 1/(n-1) record splitting as mentioned in comment #19.
This mitigation was added in NSS version 3.13 (which is used in Firefox 9 and later) and is enabled by default upstream.
Environment variable NSS_SSL_CBC_RANDOM_IV can be used to disable the mitigation when it causes failures to connect to servers that are intolerant to such record splitting (see comment #23). Setting the environment variable value to 0 disables the mitigation."

Use FF9 as your corporate browser.

https://bugzilla.redhat.com/show_bug.cgi?id=737506

Does anyone from Redhat have anything useful to say on this matter?

Martin Gainty
______________________________________________
Disclaimer and confidentiality note

This message is confidential. If you are not the intended recipient, we kindly ask that you notify us. Any unauthorized forwarding or copying is not permitted. This message serves only for the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for the content.

> Date: Fri, 14 Sep 2012 22:12:30 -0500
> Subject: Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x
> From: brianbraun@gmail.com
> To: users@tomcat.apache.org
>
> Hi,
>
> Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat
> 7.x?
> For more info about this attack:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
>
> My thoughts and questions, as far as I have investigated this issue:
>
> - Disabling the TLS1.0 protocol would be too restrictive, because there are
> still browser versions in use that don't support TLS1.1 or TLS1.2.
> - Should we restrict the ciphers in use? If so, which ones should we offer
> for Tomcat 7.X over JVM1.6 and using a GeoCerts certificate (which means
> JSSE instead of OpenSSL)?
> - Will upgrading to the latest JVM (as of today, Sept 14th 2012) solve this
> issue?
>
> Thanks in advance.
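
Added example (not part of the thread, and not Tomcat or Red Hat code): a small Java check, to be run on the same JVM that hosts Tomcat, for three of the settings the reply lists: TLS 1.0, CBC cipher suites, and jsse.enableCBCProtection. It reads only the JVM's JSSE defaults and assumes a JSSE recent enough to implement that property; the class name BeastAudit and its helper methods are made up for this sketch.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example: audits the JSSE defaults of the JVM it runs on.
public class BeastAudit {

    // CVE-2011-3389 concerns CBC suites in SSL 3.0 and TLS 1.0 only.
    static boolean isAffectedProtocol(String protocol) {
        return protocol.equals("SSLv3") || protocol.equals("TLSv1");
    }

    // JSSE names CBC-mode suites with a "_CBC_" component.
    static boolean isCbcSuite(String suite) {
        return suite.contains("_CBC_");
    }

    // Assumption: the JSSE implements the property; it is on unless set to "false".
    static boolean cbcProtectionEnabled() {
        return !"false".equalsIgnoreCase(System.getProperty("jsse.enableCBCProtection"));
    }

    public static void main(String[] args) throws Exception {
        SSLParameters p = SSLContext.getDefault().getDefaultSSLParameters();

        List<String> legacy = new ArrayList<String>();
        for (String proto : p.getProtocols()) {
            if (isAffectedProtocol(proto)) legacy.add(proto);
        }
        List<String> cbc = new ArrayList<String>();
        for (String suite : p.getCipherSuites()) {
            if (isCbcSuite(suite)) cbc.add(suite);
        }

        System.out.println("java.version            : " + System.getProperty("java.version"));
        System.out.println("enabled protocols       : " + Arrays.toString(p.getProtocols()));
        System.out.println("SSLv3/TLSv1 enabled     : " + legacy);
        System.out.println("CBC suites enabled      : " + cbc.size() + " of " + p.getCipherSuites().length);
        System.out.println("jsse.enableCBCProtection: " + cbcProtectionEnabled());

        // All three conditions must hold for the defaults to be unmitigated.
        boolean exposed = !legacy.isEmpty() && !cbc.isEmpty() && !cbcProtectionEnabled();
        System.out.println(exposed
            ? "RESULT: CBC over SSLv3/TLSv1 with record splitting switched off"
            : "RESULT: no unmitigated CBC-over-TLSv1 combination in the JVM defaults");
        for (String suite : cbc) System.out.println("  CBC: " + suite);
    }
}
```

A Tomcat connector that sets its own ciphers or sslEnabledProtocols attribute in server.xml overrides these JVM defaults, so compare the output with that configuration as well.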