tomcat-users mailing list archives
From Martin Gainty <mgai...@hotmail.com>
Subject RE: Restricting ciphers
Date Wed, 09 Jan 2013 13:33:06 GMT

Baron

org.apache.catalina.connector.Connector:

    public void setProtocol(String protocol) {
        if (AprLifecycleListener.isAprAvailable()) {
            if ("HTTP/1.1".equals(protocol)) {
                setProtocolHandlerClassName
                    ("org.apache.coyote.http11.Http11AprProtocol");
            } else if ("AJP/1.3".equals(protocol)) {
                setProtocolHandlerClassName
                    ("org.apache.coyote.ajp.AjpAprProtocol");
            } else if (protocol != null) {
                setProtocolHandlerClassName(protocol);
            } else {
                setProtocolHandlerClassName
                    ("org.apache.coyote.http11.Http11AprProtocol");
            }
        } else {
            if ("HTTP/1.1".equals(protocol)) {
                setProtocolHandlerClassName
                    ("org.apache.coyote.http11.Http11Protocol");
            } else if ("AJP/1.3".equals(protocol)) {
                setProtocolHandlerClassName
                    ("org.apache.coyote.ajp.AjpProtocol");
            } else if (protocol != null) {
                setProtocolHandlerClassName(protocol);
            }
        }
    }

setProtocol assigns protocolHandlerClassName="org.apache.coyote.http11.Http11AprProtocol"

    public Connector(String protocol) {
        setProtocol(protocol);
        // Instantiate protocol handler
        try {
            Class<?> clazz = Class.forName(protocolHandlerClassName);
            this.protocolHandler = (ProtocolHandler) clazz.newInstance();
        } catch (Exception e) {
            log.error
                (sm.getString
                 ("coyoteConnector.protocolHandlerInstantiationFailed", e));
        }
    }

    /** Return a configured property. */
    public Object getProperty(String name) {
        String repl = name;
        if (replacements.get(name) != null) {
            repl = replacements.get(name);
        }
        return IntrospectionUtils.getProperty(protocolHandler, repl);
    }

org.apache.tomcat.util.IntrospectionUtils:

    public static Object getProperty(Object o, String name) {
        String getter = "get" + capitalize(name);
        String isGetter = "is" + capitalize(name);
        try {
            Method methods[] = findMethods(o.getClass());
            Method getPropertyMethod = null;
            // First, the ideal case - a getFoo() method
            for (int i = 0; i < methods.length; i++) {
                Class<?> paramT[] = methods[i].getParameterTypes();
                if (getter.equals(methods[i].getName()) && paramT.length == 0) {
                    return methods[i].invoke(o, (Object[]) null);
</snip>

org.apache.coyote.http11.Http11AprProtocol:

    public void init() throws Exception {
        endpoint.setName(getName());

    public String getName() {
        String encodedAddr = "";
        if (getAddress() != null) {
            encodedAddr = "" + getAddress();
            if (encodedAddr.startsWith("/"))
                encodedAddr = encodedAddr.substring(1);
            encodedAddr = URLEncoder.encode(encodedAddr) + "-";
        }
        return ("http-" + encodedAddr + endpoint.getPort());
    }

return the SSLCipherSuite() for the specified endpoint

    public String getSSLCipherSuite() { return endpoint.getSSLCipherSuite(); }

(assume Endpoint is Apr and Not Nio or Jio)

org.apache.tomcat.util.net.AprEndpoint:

    protected String SSLCipherSuite = "ALL";
    public String getSSLCipherSuite() { return SSLCipherSuite; }
    public void setSSLCipherSuite(String SSLCipherSuite) { this.SSLCipherSuite = SSLCipherSuite; }
you found a bug!
Martin Gainty
______________________________________________
We have awakened a sleeping bear and filled him with a terrible resolve...Admiral Yamamoto...7 December 1941

> Date: Tue, 8 Jan 2013 16:55:02 -1000
> From: baron@hawaii.edu
> To: users@tomcat.apache.org
> Subject: Restricting ciphers
> 
> I'm attempting to mitigate BEAST (CVE-2011-3389) attacks on Tomcat 6.0.35.
> My understanding is that the attack applies only to CBC ciphers, and that
> RC4 ciphers are not vulnerable, so I am attempting to restrict the set of
> ciphers that Tomcat uses with the following config for a connector:
> 
>   <Connector protocol="HTTP/1.1" SSLEnabled="true"
>              address="0.0.0.0"
>              port="8443"
>              maxThreads="150" scheme="https" secure="true"
>              keystoreFile="/path/to/keystore"
>              keystoreType="pkcs12"
>              ciphers="TLS_RSA_WITH_RC4_128_SHA,
>                       TLS_RSA_WITH_RC4_128_MD5,
>                       SSL_CK_RC4_128_WITH_MD5"
>              clientAuth="false" sslProtocol="TLS" />
> 
> However, when I test this by attempting connections with a script[*] that
> iterates through the set of ciphers available to openssl, it appears to
> successfully connect with the following set of ciphers:
> 
> AES128-SHA
> DES-CBC-SHA
> DES-CBC3-SHA
> DHE-RSA-AES128-SHA
> EDH-RSA-DES-CBC-SHA
> EDH-RSA-DES-CBC3-SHA
> EXP-DES-CBC-SHA
> EXP-EDH-RSA-DES-CBC-SHA
> EXP-RC4-MD5
> EXP-RC4-MD5
> RC4-MD5
> RC4-MD5
> RC4-SHA
> 
> [*] The script basically parses the output of the following command:
>     openssl s_client -cipher "$cipher" -connect $SERVER
> 
> Am I misunderstanding the use of the "ciphers" parameter? Or is there
> perhaps something in my testing methodology that accounts for these
> unexpected results?  Any advice would be appreciated.
> 
> Aloha,
> -baron
> -- 
> Baron Fujimoto <baron@hawaii.edu> :: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
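Added example, not part of either message above and not Tomcat code: a POSIX shell version of the probe Baron describes, looping "openssl s_client -cipher" over every suite the local openssl can offer and reporting which ones the server accepts. The host:port argument (e.g. localhost:8443) and the two embedded s_client transcripts are assumptions constructed for this example; the transcripts exist only so the parser can be checked without a server.

```sh
#!/bin/sh
# Added example, not code from the thread above: probe which cipher suites a
# TLS endpoint really negotiates by offering them one at a time with
# "openssl s_client -cipher", as the original poster's script does.
# host:port is supplied by the caller (assumed, e.g. localhost:8443); the
# two s_client transcripts below are constructed samples used only to check
# the parser offline.

# Pull the negotiated suite out of an s_client transcript. A successful
# handshake prints "    Cipher    : RC4-SHA" in the SSL-Session block; a
# failed one prints "    Cipher    : 0000" (or "(NONE)"). Output is the
# suite name, or nothing when no suite was agreed.
negotiated_cipher() {
  sed -n '/^ *Cipher *: */{s/^ *Cipher *: *//;s/ *$//;p;q;}' \
    | grep -v -E '^(0000|\(NONE\))$' || true
}

# One handshake attempt offering exactly one suite. Prints the verdict and
# returns 0 if the server accepted the suite, 1 otherwise. stdin comes from
# /dev/null so s_client exits instead of waiting for input.
probe_one() {
  server=$1
  cipher=$2
  result=$(openssl s_client -cipher "$cipher" -connect "$server" \
             </dev/null 2>/dev/null | negotiated_cipher)
  if [ -n "$result" ]; then
    echo "$cipher: accepted (negotiated $result)"
    return 0
  fi
  echo "$cipher: rejected"
  return 1
}

# Try every suite the local OpenSSL knows. 'ALL:eNULL' also offers the
# null-encryption suites, which OpenSSL's own "ALL" keyword excludes, so a
# server that mistakenly allows them is caught. sort -u drops the duplicate
# names openssl prints for suites that exist in more than one protocol
# version (the likely reason RC4-MD5 and EXP-RC4-MD5 appear twice in the
# list in the question).
probe_all() {
  server=$1
  openssl ciphers 'ALL:eNULL' | tr ':' '\n' | sort -u | while read -r c; do
    probe_one "$server" "$c" || true
  done
}

# Constructed sample transcripts (abridged s_client output): one accepted
# handshake, one rejected. Used by the offline demo below.
SAMPLE_OK='New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 0A1B2C'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: '

# Parse an already captured transcript instead of opening a connection.
cipher_from_transcript() {
  printf '%s\n' "$1" | negotiated_cipher
}

# Usage: sh probe.sh host:port   (e.g. sh probe.sh localhost:8443)
# With no argument, run the parser over the constructed samples.
if [ -n "${1:-}" ]; then
  probe_all "$1"
else
  echo "sample accepted handshake -> '$(cipher_from_transcript "$SAMPLE_OK")'"
  echo "sample rejected handshake -> '$(cipher_from_transcript "$SAMPLE_FAIL")'"
fi
```

Two caveats when reading the output. First, the probe can only report suites the client-side openssl build is able to offer; a suite the server would accept but the local openssl no longer ships stays invisible, so run it from a build whose "openssl ciphers" list covers the suites you care about. Second, two naming schemes are in play: the connector in the question lists JSSE-style names (TLS_RSA_WITH_RC4_128_SHA), while openssl, and the OpenSSL-style list held in AprEndpoint.SSLCipherSuite (default "ALL"), use OpenSSL names and list syntax (RC4-SHA, ALL:eNULL). Compare the probe's output with the intended list only after translating both into the same scheme.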
 		 	   		  