tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "James H. H. Lampert" <jam...@touchtonecorp.com>
Subject Re: More, Re: Question about vulnerability report
Date Tue, 09 Aug 2016 16:36:51 GMT
On 8/9/16, 9:25 AM, Christopher Schultz wrote:
> There /is/ a POODLE variation which is against TLS 1.0 - 1.2 [1]. If
> SSLv3 is completely disabled (TLS1.0 is okay), then you aren't
> vulnerable to "classic" POODLE. If you aren't using CBC-based cipher
> suites with TLS1.0 - TLS1.2, then you should be okay.
>
> With a Java 1.6 (1.6.0_26) client, my server refuses connections due
> to too-small DH pairs when left to its own devices[2]. When the client
> is restricted to certain ciphers, these cipher suites are usable:
>
>   Accepted    TLSv1 TLS_RSA_WITH_AES_128_CBC_SHA
>   Accepted    TLSv1 TLS_RSA_WITH_AES_256_CBC_SHA
>   Accepted    TLSv1 SSL_RSA_WITH_3DES_EDE_CBC_SHA
>
> Of course, those CBC-based cipher suites are the ones vulnerable to
> the TLS flavor of POODLE.
>
> Ivan Ristic tends to know what he's doing, so I think you can trust
> Qualys's server-testing tool.

My understanding is that it is only certain implementations of TLSv1.0 
that are vulnerable to POODLE-TLS.

The weirdest part is that everything I've tried (including the manual 
test) tells ME that neither our Tomcat server, nor the customer's, were 
accepting SSLv3 connections even before we began this exercise, and that 
all our customers' Tomcat servers, at least the ones we're responsible 
for, are similarly rejecting SSLv3, and have been for some time.  And 
yet, whoever is doing their security audit is saying that we NEED to 
disable SSLv3. I'd sure like to know what they're using, that's telling 
them it isn't already disabled.

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message