Return-Path: X-Original-To: apmail-tomcat-users-archive@www.apache.org Delivered-To: apmail-tomcat-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 3E6D5E79B for ; Wed, 9 Jan 2013 02:55:38 +0000 (UTC) Received: (qmail 12581 invoked by uid 500); 9 Jan 2013 02:55:34 -0000 Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org Received: (qmail 12526 invoked by uid 500); 9 Jan 2013 02:55:34 -0000 Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Users List" Delivered-To: mailing list users@tomcat.apache.org Received: (qmail 12378 invoked by uid 99); 9 Jan 2013 02:55:34 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 09 Jan 2013 02:55:34 +0000 X-ASF-Spam-Status: No, hits=-1.3 required=5.0 tests=RCVD_IN_DNSWL_MED,SPF_SOFTFAIL X-Spam-Check-By: apache.org Received-SPF: softfail (nike.apache.org: transitioning domain of baron@hawaii.edu does not designate 67.53.202.228 as permitted sender) Received: from [67.53.202.228] (HELO slimemold.creativedynamo.com) (67.53.202.228) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 09 Jan 2013 02:55:26 +0000 Received: from praenomen.mgt.hawaii.edu (pat01.its.hawaii.edu [128.171.1.2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by slimemold.creativedynamo.com (Postfix) with ESMTPSA id 56D27BFF2B for ; Tue, 8 Jan 2013 16:55:04 -1000 (HST) Date: Tue, 8 Jan 2013 16:55:02 -1000 From: Baron Fujimoto To: Tomcat Users Subject: Restricting ciphers Message-ID: <20130109025501.GC23284@praenomen.mgt.hawaii.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) X-Virus-Checked: Checked by ClamAV on apache.org I'm attempting to mitigate BEAST (CVE-2011-3389) attacks on Tomcat 6.0.35. My understanding is that the attack applies only to CBC ciphers, and that RC4 ciphers are not vulnerable, so I am attempting to restrict the set of ciphers that Tomcat uses with the following config for a connector: However, when I test this by attempting connections with a script[*] that iterates through the set of ciphers available to openssl, it appears to successfully connect with the following set of ciphers: AES128-SHA DES-CBC-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA EDH-RSA-DES-CBC-SHA EDH-RSA-DES-CBC3-SHA EXP-DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-RC4-MD5 EXP-RC4-MD5 RC4-MD5 RC4-MD5 RC4-SHA [*] The script basically parses the output of the following command: openssl s_client -cipher "$cipher" -connect $SERVER Am I misunderstanding the use of the "ciphers" parameter? Or is there perhaps something in my testing methodology that accounts for these unexpected results? Any advice would be appreciated. Aloha, -baron -- Baron Fujimoto :: UH Information Technology Services minutas cantorum, minutas balorum, minutas carboratum desendus pantorum --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org For additional commands, e-mail: users-help@tomcat.apache.org