Posted to users@tomcat.apache.org by Edward Bicker <gu...@travelin.com> on 2012/09/15 17:10:07 UTC

Re: Is there a REAL solution to the

Yeah, but I thought OpenSSL had a patch for this that worked.
Read...#2635: 1/n-1 record splitting technique for CVE-2011-3389


-----Original Message-----
>From: Brian Braun <br...@gmail.com>
>Sent: Sep 14, 2012 11:12 PM
>To: Tomcat Users List <us...@tomcat.apache.org>
>Subject: Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x
>
>Hi,
>
>Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat
>7.x?
>For more info about this attack:
>http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
>
>My thoughts and questions, as far as I have investigated this issue:
>
>- Disabling the TLS1.0 protocol would be too restrictive, because there are
>still browser versions in use that don't support TLS1.1 or TLS1.2.
>- Should we restrict the ciphers in use? If so, which ones should we offer
>for Tomcat 7.X over JVM1.6 and using a GeoCerts certificate (which means
>JSSE instead of OpenSSL)?
>- Will upgrading to the latest JVM (as of today, Sept 14th 2012) solve this
>issue?
>
>Thanks in advance.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Is there a REAL solution to the

Posted by Brian Braun <br...@gmail.com>.
Thanks a lot for the tip Edward. I will research it. However, I would have
to stop using JSSE in Tomcat and start using APR. Maybe I should, I really
don't know if it is supposed to be better than JSSE but I will investigate.

On Sat, Sep 15, 2012 at 10:10 AM, Edward Bicker <gu...@travelin.com> wrote:

> Yeah, but I thought OpenSSL had a patch for this that worked.
> Read...#2635: 1/n-1 record splitting technique for CVE-2011-3389
>
>
> -----Original Message-----
> >From: Brian Braun <br...@gmail.com>
> >Sent: Sep 14, 2012 11:12 PM
> >To: Tomcat Users List <us...@tomcat.apache.org>
> >Subject: Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x
> >
> >Hi,
> >
> >Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat
> >7.x?
> >For more info about this attack:
> >http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
> >
> >My thoughts and questions, as far as I have investigated this issue:
> >
> >- Disabling the TLS1.0 protocol would be too restrictive, because there are
> >still browser versions in use that don't support TLS1.1 or TLS1.2.
> >- Should we restrict the ciphers in use? If so, which ones should we offer
> >for Tomcat 7.X over JVM1.6 and using a GeoCerts certificate (which means
> >JSSE instead of OpenSSL)?
> >- Will upgrading to the latest JVM (as of today, Sept 14th 2012) solve this
> >issue?
> >
> >Thanks in advance.