tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Nessus scan claims vulnerability in Tomcat 6
Date Tue, 26 Feb 2013 15:04:11 GMT
On 26/02/2013 03:09, Robert Klemme wrote:
> On Tue, Feb 26, 2013 at 2:27 AM, Mark Thomas <markt@apache.org> wrote:
>> On 25/02/2013 08:42, Robert Klemme wrote:

>>> I have been confronted with a Nessus scan result which claims
>>> vulnerability to exploit "TLS CRIME". Plugin 62565 allegedly has found
>>> this and the report states:

>>> We have in server.xml:
>>>
>>> <Connector SSLCertificateFile="/path" SSLCipherSuite="*******"
>>> protocol="HTTP/1.1" connectionTimeout="20000"
>>> SSLCertificateKeyFile="/path" secure="true" scheme="https"
>>> maxThreads="500" port="4712" maxSavePostSize="0" server="***"
>>> SSLProtocol="TLSv1" maxPostSize="2048" URIEncoding="UTF-8"
>>> SSLEnabled="true" />
>>
>>
>> That is the APR/native HTTPS connector.
>
> So one solution would be to remove APR lib from the system.

Yes, although you will see performance for SSL drop.

> Another one would be to change above to
>
> <Connector SSLCertificateFile="/path" SSLCipherSuite="*******"
> protocol="org.apache.coyote.http11.Http11Protocol" connectionTimeout="20000"
> SSLCertificateKeyFile="/path" secure="true" scheme="https"
> maxThreads="500" port="4712" maxSavePostSize="0" server="***"
> SSLProtocol="TLSv1" maxPostSize="2048" URIEncoding="UTF-8"
> SSLEnabled="true" />
>
> and add all necessary configurations to make that work.  And I guess a
> third option is to use

Yes, with the same performance issue.

> export OPENSSL_NO_DEFAULT_ZLIB=1
>
> before starting the JVM.

I don't know if OpenSSL will honour that.

>> APR/native does. An option was recently added. See:
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=54324
>
> I found that but wasn't aware that this is actually used in Tomcat.

SSLDisableCompression on the APR connector as of 7.0.37

>> There is no 6.0.x release with the necessary options yet.
>
> Do you know whether there will be?

There will be but I'm not aware of any planned timing at this point. The 
changelog isn't that long but it has been a while since the last release 
so I guess we should start thinking about it.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
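The thread leaves the reader with a Nessus finding and no independent way to confirm whether the APR/native connector on port 4712 still negotiates TLS compression before or after any of the fixes above. The probe below is an added example written for this page, not code from the thread, from Nessus or from Tomcat. It hand-builds a TLS 1.0 ClientHello whose compression_methods list offers DEFLATE (RFC 3749) ahead of null, sends it, and reports which method the ServerHello selects; a server that answers DEFLATE still has the CRIME precondition, one that answers null (or rejects the hello outright) does not. The host and port are caller-supplied arguments, the cipher list is an arbitrary choice, and the sample ServerHello at the end is a constructed record so the parser can be exercised offline.

```python
"""Offline-testable probe for TLS compression (the CRIME precondition).

Added example; not from the mailing-list thread or from Tomcat. It sends a
hand-built TLS 1.0 ClientHello that lists DEFLATE before the null method and
reports which compression method the ServerHello selects.
"""
import os
import socket
import struct
import sys

COMPRESSION_NULL = 0x00
COMPRESSION_DEFLATE = 0x01      # RFC 3749 value for DEFLATE

# Handshake message types and record content types this probe cares about
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02
REC_ALERT = 0x15
REC_HANDSHAKE = 0x16


def build_client_hello(version=(3, 1),
                       compression=(COMPRESSION_DEFLATE, COMPRESSION_NULL)):
    """Return one TLS record carrying a ClientHello with the given
    compression_methods list (DEFLATE first, so a willing server picks it).
    version=(3, 1) is TLS 1.0, matching SSLProtocol="TLSv1" in the thread."""
    # Arbitrary small RSA/ECDHE cipher list; no extensions are sent.
    suites = [0x002F, 0x0035, 0x000A, 0x0005, 0xC013, 0xC014]
    body = bytes(version) + os.urandom(32) + b"\x00"          # session_id len 0
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(compression)]) + bytes(compression)
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([REC_HANDSHAKE]) + bytes(version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_server_hello(record):
    """Return the compression method (int) selected in a ServerHello record,
    or None if the server replied with an alert instead of a ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type = record[0]
    length = struct.unpack("!H", record[3:5])[0]
    payload = record[5:5 + length]
    if content_type == REC_ALERT:
        return None
    if content_type != REC_HANDSHAKE or not payload or payload[0] != HS_SERVER_HELLO:
        raise ValueError("expected a ServerHello, got content type 0x%02x" % content_type)
    pos = 4                         # handshake type (1) + length (3)
    pos += 2 + 32                   # server_version + random
    session_id_len = payload[pos]
    pos += 1 + session_id_len
    pos += 2                        # cipher_suite
    return payload[pos]             # compression_method


def recv_record(sock):
    """Read exactly one TLS record from the socket."""
    def read_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
        return buf
    header = read_exact(5)
    return header + read_exact(struct.unpack("!H", header[3:5])[0])


def probe(host, port, timeout=5.0):
    """Connect, send the ClientHello and return the selected compression
    method (None if the server alerts). host/port are supplied by the caller."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return parse_server_hello(recv_record(sock))


def sample_server_hello(compression_method, session_id=b"\x11" * 8):
    """Constructed ServerHello record (not a real capture) so the parser can be
    exercised without a live server."""
    body = b"\x03\x01" + b"\x00" * 32 + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 0x002F) + bytes([compression_method])
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([REC_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. localhost 4712
    method = probe(host, port)
    if method == COMPRESSION_DEFLATE:
        print("VULNERABLE: server selected DEFLATE compression")
    elif method is None:
        print("server sent an alert; hello rejected, no compression negotiated")
    else:
        print("OK: server selected compression method %d (0 = none)" % method)
```

Run it against the connector before and after the change (for example `python probe.py localhost 4712`); after compression is disabled, whether by SSLDisableCompression on a 7.0.37+ APR connector or by switching to the JSSE connector, the expected answer is method 0. Only the first record is parsed, which is enough because the ServerHello is always the first handshake message the server sends.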

