tomcat-users mailing list archives

From Coty Sutherland <>
Subject Re: More, Re: Question about vulnerability report
Date Mon, 08 Aug 2016 18:47:27 GMT
Vulnerability scanners are always iffy when it comes to finding actual
issues IMO. They're good for running a quick scan to get an overall
feel for weaknesses, but the effectiveness varies from tool to tool
(some only check versions, etc). I think that the best way to test if
you're vulnerable to POODLE is to try and connect via SSLv3, as you've
already done, or with s_client (openssl s_client -ssl3 -connect
$HOST:$PORT). If that fails to connect, then you're good. As far as
the TLS issues, TLSv1.0 is vulnerable to BEAST
( so you
may want to consider disabling CBC ciphers, or even upgrading to java7
if that's causing your audit to fail.

On Mon, Aug 8, 2016 at 2:31 PM, James H. H. Lampert
<> wrote:
> Hmm. This is interesting.
> says that neither our server nor the customer server is
> vulnerable to POODLE.
> But says ours IS vulnerable to POODLE. Then (when I click "View
> Result") it says it isn't. Then (when I actually run the test again) it once
> again says it is. (I haven't tested the customer site because results are
> posted on the test home page, which would compromise the customer's
> privacy.)
> Some other POODLE test sites don't appear to work at all. Others say we're
> not vulnerable.
> Manually testing both servers with
>> curl -v3 -X HEAD
> from a BASH session on my Mac, as per
> <>
> comes back with the desired "failed handshake" message on both servers.

To unsubscribe, e-mail:
For additional commands, e-mail:
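An added example, not from this thread or from Tomcat: it does in Python what the `openssl s_client -ssl3` check above does, sending a bare SSLv3 ClientHello and reporting whether the server answers with a ServerHello (SSLv3 still enabled, so POODLE applies) or refuses the handshake. The host, port and the three cipher suites offered are assumptions.

```python
import socket
import struct

SSLV3 = b"\x03\x00"  # record/handshake version for SSLv3, the protocol POODLE targets


def build_client_hello(version: bytes = SSLV3) -> bytes:
    """Build one SSL/TLS record carrying a minimal ClientHello for `version`.
    Offers three RSA CBC suites (assumed set): AES128-SHA, AES256-SHA, DES-CBC3-SHA."""
    suites = b"\x00\x2f\x00\x35\x00\x0a"
    body = (
        version
        + b"\x00" * 32                          # client random (constructed, all zero)
        + b"\x00"                               # session id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake  # 0x16 = handshake


def classify_response(data: bytes) -> str:
    """Interpret the first bytes a server returns to an SSLv3 ClientHello.
    'sslv3-accepted'  : ServerHello whose version field is 0x0300 (POODLE exposure)
    'sslv3-rejected'  : alert record, ServerHello at another version, or connection closed
    'unrecognised'    : anything else (not TLS on this port, truncated data, ...)"""
    if not data:
        return "sslv3-rejected"            # closed without a record: the handshake failed
    if len(data) < 5:
        return "unrecognised"
    rec_type = data[0]
    if rec_type == 0x15:                   # alert, e.g. handshake_failure / protocol_version
        return "sslv3-rejected"
    if rec_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # handshake: ServerHello
        return "sslv3-accepted" if data[9:11] == SSLV3 else "sslv3-rejected"
    return "unrecognised"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    print(probe_sslv3(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Unlike a version-banner scanner, this judges the server by what it actually negotiates, which is why the result is stable where the web test sites above disagreed with each other.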
