Posted to dev@tomcat.apache.org by bu...@apache.org on 2012/12/18 22:51:15 UTC

[Bug 54324] New: Support is required to disable TLS compression to prevent against CRIME attacks

https://issues.apache.org/bugzilla/show_bug.cgi?id=54324

            Bug ID: 54324
           Summary: Support is required to disable TLS compression to
                    prevent against CRIME attacks
           Product: Tomcat Native
           Version: 1.1.24
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Library
          Assignee: dev@tomcat.apache.org
          Reporter: hemani.malik@gmail.com
    Classification: Unclassified

Support is required to disable TLS compression to protect against CRIME
attacks.

Please see:
https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls

This security issue is flagged for Tomcat during PCI compliance scan.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks


--- Comment #2 from Maik Hemani <he...@gmail.com> ---
Is there a road map for releases available for TC Native/Apache/Tomcat in
general?

Perhaps this is related?
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219


[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks


--- Comment #3 from Christopher Schultz <ch...@christopherschultz.net> ---
tcnative is independent from Apache httpd, though it does depend upon the
Apache Portable Runtime library which is "part" of Apache httpd.

In this case, we're only relying on support from OpenSSL, so the version of
Apache httpd is not relevant.

Tomcat 7.x releases have historically come about once per month. There is no
guarantee this will continue, but it's a reasonable bet.

tcnative 1.1.24 was released 2012-06-13. I've just added a number of SSL_OP_*
from OpenSSL 1.0 that were missing to tcnative's option-support capabilities,
and the option-support caps-detection has been added since 1.1.24 so I'm going
to propose 1.1.25 sometime soon.

Once you have both of these (tcnative + Tomcat) supporting
SSL_OP_NO_COMPRESSION then you should be able to pass your audit.

Note that no current versions of mainstream browsers enable SSL compression by
default, so this issue is, for the most part, a non-issue.


[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks


--- Comment #4 from Rainer Jung <ra...@kippdata.de> ---
Note also that, as a short-term workaround, you can compile OpenSSL without
compression support.


[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks


--- Comment #5 from Christopher Schultz <ch...@christopherschultz.net> ---
It looks like there is movement on getting tcnative 1.1.25 released. I have a
patch for this that I will commit soon.


[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks


Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |53969


[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks


Michael Osipov <19...@gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |1983-01-06@gmx.net

--- Comment #8 from Michael Osipov <19...@gmx.net> ---
(In reply to Konstantin Kolinko from comment #7)
> Implemented in Tomcat 6.0 by r1461021 , will be in 6.0.37

Konstantin,

the fix for 6.0.x strays from the convention lowercase name for variables. See
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?r1=1461021&r2=1461020&pathrev=1461021

> protected boolean SSLDisableCompression = false;


[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks


Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Christopher Schultz <ch...@christopherschultz.net> ---
Fixed in trunk and Tomcat 7.0.x. Will be in Tomcat 7.0.36.

Proposed for Tomcat 6.0.x.



[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks


--- Comment #7 from Konstantin Kolinko <kn...@gmail.com> ---
Implemented in Tomcat 6.0 by r1461021, will be in 6.0.37


[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks


--- Comment #11 from Michael Osipov <19...@gmx.net> ---
(In reply to Konstantin Kolinko from comment #10)
> (In reply to Michael Osipov from comment #8)
> > (In reply to Konstantin Kolinko from comment #7)
> > > Implemented in Tomcat 6.0 by r1461021 , will be in 6.0.37
> > 
> > Konstantin,
> > 
> > the fix for 6.0.x strays from the convention lowercase name for variables.
> > See
> > http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/
> > util/net/AprEndpoint.java?r1=1461021&r2=1461020&pathrev=1461021
> > 
> > > protected boolean SSLDisableCompression = false;
> 
> There is no such convention here (in APR connector).

This is Java convention. Members -- unless static final -- are never PascalCase
but camelCase. No one is referring to the attributes in the XML config.

> See SSLEnabled, SSLProtocol etc.
> http://tomcat.apache.org/tomcat-6.0-doc/apr.html
> 
> (In reply to Sebb from comment #9)
> 1. Nothing is broken by this.
> 2. 6.0.37 is already released. You are too late here. It can still be fixed
> in trunk though.
> 
> re-closing as FIXED.

Why don't you fix it then?


[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks


Sebb <se...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #9 from Sebb <se...@apache.org> ---
(In reply to Michael Osipov from comment #8)
> (In reply to Konstantin Kolinko from comment #7)
> > Implemented in Tomcat 6.0 by r1461021 , will be in 6.0.37
> 
> Konstantin,
> 
> the fix for 6.0.x strays from the convention lowercase name for variables.
> See
> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/
> util/net/AprEndpoint.java?r1=1461021&r2=1461020&pathrev=1461021
> 
> > protected boolean SSLDisableCompression = false;

And the boolean should be private.
It has both getter and setter so there is no need to expose it outside the
class.


[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks


--- Comment #1 from Christopher Schultz <ch...@christopherschultz.net> ---
I'm looking at OpenSSL to see how to do this. Any proper solution will likely
depend on bug 53969 in tcnative, and therefore require tcnative 1.1.25 which
has not yet been released.


[Bug 54324] Support is required to disable TLS compression to prevent against CRIME attacks


Konstantin Kolinko <kn...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #10 from Konstantin Kolinko <kn...@gmail.com> ---
(In reply to Michael Osipov from comment #8)
> (In reply to Konstantin Kolinko from comment #7)
> > Implemented in Tomcat 6.0 by r1461021 , will be in 6.0.37
> 
> Konstantin,
> 
> the fix for 6.0.x strays from the convention lowercase name for variables.
> See
> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/
> util/net/AprEndpoint.java?r1=1461021&r2=1461020&pathrev=1461021
> 
> > protected boolean SSLDisableCompression = false;

There is no such convention here (in APR connector).

See SSLEnabled, SSLProtocol etc.
http://tomcat.apache.org/tomcat-6.0-doc/apr.html

(In reply to Sebb from comment #9)
1. Nothing is broken by this.
2. 6.0.37 is already released. You are too late here. It can still be fixed in
trunk though.

re-closing as FIXED.

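As an added check following this thread (example code written here, not Tomcat's or tcnative's own), the script below audits a server.xml for SSL-enabled connectors that may be served by tcnative/OpenSSL but do not set SSLDisableCompression="true", and parses an openssl s_client transcript to confirm a listener negotiated no compression, which is what SSL_OP_NO_COMPRESSION from comment #3 is meant to guarantee. It assumes the server.xml attribute carries the same name as the AprEndpoint field quoted in comment #8 (SSLDisableCompression), that explicit JSSE protocol classes never use tcnative, and that plain protocol="HTTP/1.1" may auto-switch to the APR connector; both sample inputs are constructed.

```python
# Added example, not Tomcat/tcnative code.  Assumes the server.xml attribute is
# spelled SSLDisableCompression, like the AprEndpoint field in the fix.
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml: 8443 has the fix, 9443 does not, 8444 is JSSE.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="/path/to/cert.pem" SSLDisableCompression="true"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" SSLCertificateFile="/path/to/cert.pem"/>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

# Explicit JSSE protocol classes never use tcnative; plain "HTTP/1.1" may become APR.
JSSE_PROTOCOLS = ("Http11Protocol", "Http11NioProtocol")

def connectors_allowing_compression(server_xml):
    """Ports of SSL-enabled, possibly-APR connectors lacking SSLDisableCompression."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        if conn.get("protocol", "").endswith(JSSE_PROTOCOLS):
            continue
        if conn.get("SSLDisableCompression", "false").lower() != "true":
            findings.append(conn.get("port"))
    return findings

# Constructed excerpt of `openssl s_client -connect host:8443` session output.
SAMPLE_S_CLIENT = """\
SSL-Session:
    Cipher    : AES256-SHA
    Compression: NONE
"""

def negotiated_compression(s_client_output):
    """Compression method s_client reports, or None when the line says NONE."""
    m = re.search(r"^\s*Compression:\s*(.+?)\s*$", s_client_output, re.MULTILINE)
    if not m:
        raise ValueError("no Compression line in s_client output")
    return None if m.group(1).upper() == "NONE" else m.group(1)
```

Run the first function over the real server.xml and the second over the output of `openssl s_client -connect host:port </dev/null` against each flagged port; a non-None result means the listener still accepts compression.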