tomcat-users mailing list archives

From Arthur Ramsey <arthur_ram...@mediture.com>
Subject Re: tcnative CVE-2015-4000 (Logjam)
Date Sun, 14 Jun 2015 00:42:44 GMT
I have working binaries for Linux x64 and Windows x64 if anyone needs 
them.  It should still work with newer versions of tomcat 7 providing 
the SSLProtocol is set to TLSv1?  The Windows binary has SSLv2 and SSLv3 
disabled at compile time.

On 6/13/2015 3:30 PM, Arthur Ramsey wrote:
> Building the latest from svn branch 1.1.x seems to work.  I had to do 
> some modifications to get TLSv1.1 and TLSv1.2 when using 
> SSLProtocol="all" because I'm using tomcat 7.0.55.
>
> Thanks for the help,
> Arthur
>
> On 6/11/2015 3:34 PM, Arthur Ramsey wrote:
>> On 06/11/2015 02:35 PM, Christopher Schultz wrote:
>>> Arthur,
>>>
>>> On 6/11/15 2:14 PM, Arthur Ramsey wrote:
>>>> Is anyone aware of a way to mitigate the Logjam attack with tomcat
>>>> 7 and java 7?
>>> Disable DHE_EXPORT on the server?
>> I believe I have, but Qualys SSL Server Test still fails me on the 
>> Logjam check.
>>
>> SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
>>
>>>
>>>> I use tcnative and openssl-1.0.2a both compiled from source in
>>>> production today, but I would be open to JSSE too.  I believe I
>>>> need Java 8 to mitigate CVE-2015-4000 with JSSE.
>>> Why?
>> See 
>> http://stackoverflow.com/questions/30352105/how-to-set-custom-dh-group-in-java-sslengine-to-prevent-logjam-attack
>>>
>>>> I don't see any way to use a unique 2048-bit or greater DH group
>>>> with tcnative currently.
>>> I believe you are correct; there is a bug in BZ:
>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=56108
>>>
>>> It looks like 1.1.34 will have this feature. You can build the current
>>> trunk of the 1.1 branch and probably be okay.
>> Thanks, I'll give it a try.  Scary to use in production, but it may 
>> be my best answer.
>>>
>>>> I'm not sure if there is anything I can do at compile time.  I'd
>>>> rather not change the cipher suites as I want to maintain browser
>>>> support.
>>> You should disable EXPORT certificates no matter what. Or were you
>>> talking about the DH parameters?
>> I was talking about DH parameters.
>>>
>>>> My server configuration passed the Qualys SSL Server Test with
>>>> flying colors until Logjam, so I would be worried about regressions
>>>> on other security fixes if I used JSSE.
>>> -chris
>>
>> Thanks,
>> Arthur
>
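
As an added illustration of where the thread ends up (this is not code from the thread or from Tomcat/tcnative): excluding EXPORT leaves the DHE entries in the cipher list, and those still depend on the size of the server's DH group. The function names are hypothetical, the `s_client` sample is constructed, and the parser assumes the `Server Temp Key` line that OpenSSL 1.0.2 and later print.

```python
import re

# Cipher list as posted in the thread (OpenSSL cipher-list syntax).
THREAD_SUITES = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
)
# Constructed sample of `openssl s_client` output, not the poster's server.
SAMPLE_S_CLIENT = "---\nServer Temp Key: DH, 1024 bits\n---\n"
TEMP_KEY = re.compile(r"^Server Temp Key: (\w+),.*?(\d+) bits", re.M)

def split_cipher_list(spec):
    """Group cipher-list entries by how they depend on server DH parameters."""
    groups = {"excluded": [], "dhe": [], "ecdhe": [], "other": []}
    for token in filter(None, spec.split(":")):
        if token.startswith("!"):
            groups["excluded"].append(token[1:])
        elif re.match(r"(DHE|EDH)-|k(EDH|DHE)", token):
            groups["dhe"].append(token)      # finite-field DHE: uses the DH group
        elif re.match(r"ECDHE-|EECDH|kEECDH|kECDHE", token):
            groups["ecdhe"].append(token)    # elliptic-curve: no DH group involved
        else:
            groups["other"].append(token)
    return groups

def temp_key(s_client_output):
    """Return (kind, bits) from the 'Server Temp Key' line, or None."""
    m = TEMP_KEY.search(s_client_output)
    return (m.group(1), int(m.group(2))) if m else None

def logjam_findings(spec, s_client_output, min_bits=2048):
    """List reasons a Logjam check can still fail for this configuration."""
    groups, key = split_cipher_list(spec), temp_key(s_client_output)
    findings = []
    if not {"EXPORT", "EXP"} & set(groups["excluded"]):
        findings.append("EXPORT suites are not excluded")
    if groups["dhe"] and key and key[0] == "DH" and key[1] < min_bits:
        findings.append(f"{len(groups['dhe'])} DHE entries use a {key[1]}-bit DH group")
    return findings

if __name__ == "__main__":
    for finding in logjam_findings(THREAD_SUITES, SAMPLE_S_CLIENT):
        print(finding)
```

The 2048-bit threshold is the group size asked for in the thread; feed `temp_key` the output of a handshake forced onto a DHE suite to see the group the server actually offers.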


