tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Baron Fujimoto <ba...@hawaii.edu>
Subject Restricting ciphers
Date Wed, 09 Jan 2013 02:55:02 GMT
I'm attempting to mitigate BEAST (CVE-2011-3389) attacks on Tomcat 6.0.35.
My understanding is that the attack applies only to CBC ciphers, and that
RC4 ciphers are not vulnerable, so I am attempting to restrict the set of
ciphers that Tomcat uses with the following config for a connector:

  <Connector protocol="HTTP/1.1" SSLEnabled="true"
             address="0.0.0.0"
             port="8443"
             maxThreads="150" scheme="https" secure="true"
             keystoreFile="/path/to/keystore"
             keystoreType="pkcs12"
             ciphers="TLS_RSA_WITH_RC4_128_SHA,
                      TLS_RSA_WITH_RC4_128_MD5,
                      SSL_CK_RC4_128_WITH_MD5"
             clientAuth="false" sslProtocol="TLS" />

However, when I test this by attempting connections with a script[*] that
iterates through the set of ciphers available to openssl, it appears to
successfully connect with the following set of ciphers:

AES128-SHA
DES-CBC-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
EDH-RSA-DES-CBC-SHA
EDH-RSA-DES-CBC3-SHA
EXP-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-RC4-MD5
EXP-RC4-MD5
RC4-MD5
RC4-MD5
RC4-SHA

[*] The script basically parses the output of the following command:
    openssl s_client -cipher "$cipher" -connect $SERVER

Am I misunderstanding the use of the "ciphers" parameter? Or is there
perhaps something in my testing methodology that accounts for these
unexpected results?  Any advice would be appreciated.

Aloha,
-baron
-- 
Baron Fujimoto <baron@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message