tomcat-users mailing list archives

From Robert Klemme <shortcut...@googlemail.com>
Subject Re: Nessus scan claims vulnerability in Tomcat 6
Date Tue, 26 Feb 2013 11:09:40 GMT
Hi Mark,

thank you for the feedback!

On Tue, Feb 26, 2013 at 2:27 AM, Mark Thomas <markt@apache.org> wrote:
> On 25/02/2013 08:42, Robert Klemme wrote:
>>
>> Hi there,
>>
>> I have been confronted with a Nessus scan result which claims
>> vulnerability to the "TLS CRIME" exploit. Plugin 62565 has allegedly found
>> this and the report states:
>>
>> "The remote service has one of two configurations that are known to be
>> required for the CRIME attack:
>> - SSL / TLS compression is enabled.
>
> It is this one.

That's what I figured.

>> - TLS advertises the SPDY protocol earlier than version 4.
>
> There is no spdy support in any released Tomcat version.

OK, that confirms what I was able to dig up.

>> We have in server.xml:
>>
>> <Connector SSLCertificateFile="/path" SSLCipherSuite="*******"
>> protocol="HTTP/1.1" connectionTimeout="20000"
>> SSLCertificateKeyFile="/path" secure="true" scheme="https"
>> maxThreads="500" port="4712" maxSavePostSize="0" server="***"
>> SSLProtocol="TLSv1" maxPostSize="2048" URIEncoding="UTF-8"
>> SSLEnabled="true" />
>
>
> That is the APR/native HTTPS connector.

So one solution would be to remove the APR lib from the system. Another
one would be to change the above to

<Connector SSLCertificateFile="/path" SSLCipherSuite="*******"
protocol="org.apache.coyote.http11.Http11Protocol" connectionTimeout="20000"
SSLCertificateKeyFile="/path" secure="true" scheme="https"
maxThreads="500" port="4712" maxSavePostSize="0" server="***"
SSLProtocol="TLSv1" maxPostSize="2048" URIEncoding="UTF-8"
SSLEnabled="true" />

and add all necessary configurations to make that work.  And I guess a
third option is to use

export OPENSSL_NO_DEFAULT_ZLIB=1

before starting the JVM.

>> Now, what to make of this?  To me it seems only compression could be
>> the culprit but is there any other way to enable compression for HTTPS
>> than to include "compression"?  Or does the TLS negotiation ignore
>> setting "compression"?  I could not find indication of any option to
>> control compression in the Javadocs
>>
>> http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/package-summary.html
>
>
> You won't. My recollection is that Java does not support compression.

OK, then it's no surprise that they do not mention it in the Javadocs. :-)

> APR/native does. An option was recently added. See:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=54324

I found that but wasn't aware that this is actually used in Tomcat.

> There is no 6.0.x release with the necessary options yet.

Do you know whether there will be?

Kind regards

robert

-- 
remember.guy do |as, often| as.you_can - without end
http://blog.rubybestpractices.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
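The first CRIME precondition discussed in this thread (the server accepts TLS-level compression) can be checked directly on the wire rather than by trusting a scanner's verdict: offer DEFLATE in a ClientHello and look at the compression_method byte the server selects in its ServerHello. The following is an added example written for this archive page; it is not code from the thread, from Tomcat, from OpenSSL or from the Nessus plugin. It builds a bare TLS 1.0 ClientHello with the DEFLATE method listed first, parses the server's reply, and reports whether a non-null compression method was chosen. Function names, the cipher-suite list and the constructed ServerHello records used for testing are all my own choices.

```python
"""Check the CRIME precondition: does a TLS server accept DEFLATE compression?

Added example (not from the thread, Tomcat, OpenSSL or Nessus).  Builds a
minimal TLS 1.0 ClientHello advertising DEFLATE and parses the ServerHello to
see which compression method the server selected.
"""
import os
import socket
import struct
import sys

TLS10 = b"\x03\x01"
HANDSHAKE = 0x16          # record content type
CLIENT_HELLO = 0x01       # handshake message types
SERVER_HELLO = 0x02
COMP_NULL = 0x00          # compression methods (RFC 2246 / RFC 3749)
COMP_DEFLATE = 0x01

# A handful of widely supported TLS 1.0 suites (assumed selection; any
# server speaking TLS 1.0 should accept at least one of them).
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_client_hello(compression_methods=(COMP_DEFLATE, COMP_NULL), random_bytes=None):
    """Return one TLS record carrying a ClientHello.  DEFLATE is listed first so a
    server with compression enabled will pick it; null is offered as fallback."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    comps = bytes(compression_methods)
    body = (TLS10 + rnd + b"\x00"                       # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites     # cipher_suites<2..2^16-1>
            + struct.pack("!B", len(comps)) + comps)      # compression_methods<1..2^8-1>
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!B", HANDSHAKE) + TLS10 + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Parse the first handshake message of a record.  Returns
    (server_version, cipher_suite, compression_method); raises ValueError for
    anything that is not a ServerHello (e.g. an alert from a server that
    refuses TLS 1.0 entirely)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rlen = record[0], struct.unpack("!H", record[3:5])[0]
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record (content type %d)" % ctype)
    hs = record[5:5 + rlen]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hlen = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hlen]
    if len(body) < hlen or hlen < 38:
        raise ValueError("truncated ServerHello")
    version = body[0:2]
    sid_len = body[34]                     # after 2-byte version + 32-byte random
    off = 35 + sid_len
    cipher_suite = struct.unpack("!H", body[off:off + 2])[0]
    compression = body[off + 2]
    return version, cipher_suite, compression


def accepts_tls_compression(server_hello_record):
    """True if the server chose a non-null compression method (CRIME precondition)."""
    return parse_server_hello(server_hello_record)[2] != COMP_NULL


def make_server_hello(compression, cipher_suite=0x002F, session_id=b""):
    """Constructed ServerHello record for offline testing; not captured traffic."""
    body = (TLS10 + b"\x11" * 32 + struct.pack("!B", len(session_id)) + session_id
            + struct.pack("!H", cipher_suite) + struct.pack("!B", compression))
    hs = struct.pack("!B", SERVER_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!B", HANDSHAKE) + TLS10 + struct.pack("!H", len(hs)) + hs


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def probe(host, port, timeout=5.0):
    """Live check against a real listener: send the ClientHello, read the first
    record back and report whether the server selected compression."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        header = _recv_exact(s, 5)
        rlen = struct.unpack("!H", header[3:5])[0]
        return accepts_tls_compression(header + _recv_exact(s, rlen))


if __name__ == "__main__":
    target_host, target_port = sys.argv[1], int(sys.argv[2])   # e.g. localhost 4712
    if probe(target_host, target_port):
        print("server accepted DEFLATE: TLS compression is enabled (CRIME precondition)")
    else:
        print("server selected null compression")
```

Run it against the connector in question (port 4712 in the thread's server.xml) before and after the change; an APR/native connector on an OpenSSL built with zlib will select DEFLATE, while the JSSE-based `Http11Protocol` connector will select null because Java's TLS stack does not implement compression. The same check is visible in `openssl s_client -connect host:port`, which prints `Compression: zlib compression` or `Compression: NONE` in its handshake summary. This probe only covers the compression precondition, not the SPDY advertisement the plugin also mentions, which as Mark notes does not apply to any released Tomcat.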

