Posted to users@tomcat.apache.org by Robert Klemme <sh...@googlemail.com> on 2013/02/25 17:42:13 UTC

Nessus scan claims vulnerability in Tomcat 6

Hi there,

I have been confronted with a Nessus scan result which claims
vulnerability to exploit "TLS CRIME". Plugin 62565 allegedly has found
this and the report states:

"The remote service has one of two configurations that are known to be
required for the CRIME attack:
- SSL / TLS compression is enabled.
- TLS advertises the SPDY protocol earlier than version 4.

...

CVE-2012-4929 CVE-2012-4930
"

We have in server.xml:

<Connector SSLCertificateFile="/path" SSLCipherSuite="*******"
protocol="HTTP/1.1" connectionTimeout="20000"
SSLCertificateKeyFile="/path" secure="true" scheme="https"
maxThreads="500" port="4712" maxSavePostSize="0" server="***"
SSLProtocol="TLSv1" maxPostSize="2048" URIEncoding="UTF-8"
SSLEnabled="true" />

(paths and some other info replaced by dummies)

XML attribute "compression" is not present which according to the docs
means "off".
I cannot find indication that SPDY does even exist in Tomcat 6.

I also could not find anything in the list of vulnerabilities at
http://tomcat.apache.org/security-6.html nor could I by searching for
combinations of "tomcat" with the issue numbers given above.

Now, what to make of this?  To me it seems only compression could be
the culprit but is there any other way to enable compression for HTTPS
than to include "compression"?  Or does the TLS negotiation ignore
setting "compression"?  I could not find indication of any option to
control compression in the Javadocs
http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/package-summary.html

Kind regards

robert

-- 
remember.guy do |as, often| as.you_can - without end
http://blog.rubybestpractices.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Nessus scan claims vulnerability in Tomcat 6

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 2/26/13 7:04 AM, Mark Thomas wrote:
> On 26/02/2013 03:09, Robert Klemme wrote:
>> 
>> I found that but wasn't aware that this is actually used in
>> Tomcat.
> 
> SSLDisableCompression on the APR connector as of 7.0.37
> 
>>> There is no 6.0.x release with the necessary options yet.
>> 
>> Do you know whether there will be?
> 
> There will be but I'm not aware of any planned timing at this
> point. The changelog isn't that long but it has been a while since
> the last release so I guess we should start thinking about it.

This has been proposed for Tomcat 6.0.x and there are 2 votes for it
thus far. Once we get another vote, someone (probably I) will commit
the patch and then you just have to wait for another release. 6.0.x
releases are less frequent than 7.0.x because Tomcat 6 is ... mature.

I'm in Portland with several other Tomcat devs and I'm sure I can a)
get someone else to vote for my patch and b) convince someone to roll
a release in the near future.

-chris



Re: Nessus scan claims vulnerability in Tomcat 6

Posted by Robert Klemme <sh...@googlemail.com>.
On Tue, Feb 26, 2013 at 4:04 PM, Mark Thomas <ma...@apache.org> wrote:
> On 26/02/2013 03:09, Robert Klemme wrote:

>> So one solution would be to remove APR lib from the system.
>
> Yes, although you will see performance for SSL drop.

Yes, of course.  That's not important in our case.

>> export OPENSSL_NO_DEFAULT_ZLIB=1
>>
>> before starting the JVM.
>
> I don't know if OpenSSL will honour that.

I'll let you know once I find out.

>>> There is no 6.0.x release with the necessary options yet.
>>
>> Do you know whether there will be?
>
> There will be but I'm not aware of any planned timing at this point. The
> changelog isn't that long but it has been a while since the last release so
> I guess we should start thinking about it.

Good!  Thanks for the update!

Kind regards

robert

-- 
remember.guy do |as, often| as.you_can - without end
http://blog.rubybestpractices.com/



Re: Nessus scan claims vulnerability in Tomcat 6

Posted by Mark Thomas <ma...@apache.org>.
On 26/02/2013 03:09, Robert Klemme wrote:
> On Tue, Feb 26, 2013 at 2:27 AM, Mark Thomas <ma...@apache.org> wrote:
>> On 25/02/2013 08:42, Robert Klemme wrote:

>>> I have been confronted with a Nessus scan result which claims
>>> vulnerability to exploit "TLS CRIME". Plugin 62565 allegedly has found
>>> this and the report states:

>>> We have in server.xml:
>>>
>>> <Connector SSLCertificateFile="/path" SSLCipherSuite="*******"
>>> protocol="HTTP/1.1" connectionTimeout="20000"
>>> SSLCertificateKeyFile="/path" secure="true" scheme="https"
>>> maxThreads="500" port="4712" maxSavePostSize="0" server="***"
>>> SSLProtocol="TLSv1" maxPostSize="2048" URIEncoding="UTF-8"
>>> SSLEnabled="true" />
>>
>>
>> That is the APR/native HTTPS connector.
>
> So one solution would be to remove APR lib from the system.

Yes, although you will see performance for SSL drop.

> Another one would be to change above to
>
> <Connector SSLCertificateFile="/path" SSLCipherSuite="*******"
> protocol="org.apache.coyote.http11.Http11Protocol" connectionTimeout="20000"
> SSLCertificateKeyFile="/path" secure="true" scheme="https"
> maxThreads="500" port="4712" maxSavePostSize="0" server="***"
> SSLProtocol="TLSv1" maxPostSize="2048" URIEncoding="UTF-8"
> SSLEnabled="true" />
>
> and add all necessary configurations to make that work.  And I guess a
> third option is to use

Yes, with the same performance issue.

> export OPENSSL_NO_DEFAULT_ZLIB=1
>
> before starting the JVM.

I don't know if OpenSSL will honour that.

>> APR/native does. An option was recently added. See:
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=54324
>
> I found that but wasn't aware that this is actually used in Tomcat.

SSLDisableCompression on the APR connector as of 7.0.37

>> There is no 6.0.x release with the necessary options yet.
>
> Do you know whether there will be?

There will be but I'm not aware of any planned timing at this point. The 
changelog isn't that long but it has been a while since the last release 
so I guess we should start thinking about it.

Mark



Re: Nessus scan claims vulnerability in Tomcat 6

Posted by Robert Klemme <sh...@googlemail.com>.
Hi Mark,

thank you for the feedback!

On Tue, Feb 26, 2013 at 2:27 AM, Mark Thomas <ma...@apache.org> wrote:
> On 25/02/2013 08:42, Robert Klemme wrote:
>>
>> Hi there,
>>
>> I have been confronted with a Nessus scan result which claims
>> vulnerability to exploit "TLS CRIME". Plugin 62565 allegedly has found
>> this and the report states:
>>
>> "The remote service has one of two configurations that are known to be
>> required for the CRIME attack:
>> - SSL / TLS compression is enabled.
>
> It is this one.

That's what I figured.

>> - TLS advertises the SPDY protocol earlier than version 4.
>
> There is no spdy support in any released Tomcat version.

OK, that confirms what I was able to dig up.

>> We have in server.xml:
>>
>> <Connector SSLCertificateFile="/path" SSLCipherSuite="*******"
>> protocol="HTTP/1.1" connectionTimeout="20000"
>> SSLCertificateKeyFile="/path" secure="true" scheme="https"
>> maxThreads="500" port="4712" maxSavePostSize="0" server="***"
>> SSLProtocol="TLSv1" maxPostSize="2048" URIEncoding="UTF-8"
>> SSLEnabled="true" />
>
>
> That is the APR/native HTTPS connector.

So one solution would be to remove APR lib from the system. Another
one would be to change above to

<Connector SSLCertificateFile="/path" SSLCipherSuite="*******"
protocol="org.apache.coyote.http11.Http11Protocol" connectionTimeout="20000"
SSLCertificateKeyFile="/path" secure="true" scheme="https"
maxThreads="500" port="4712" maxSavePostSize="0" server="***"
SSLProtocol="TLSv1" maxPostSize="2048" URIEncoding="UTF-8"
SSLEnabled="true" />

and add all necessary configurations to make that work.  And I guess a
third option is to use

export OPENSSL_NO_DEFAULT_ZLIB=1

before starting the JVM.

>> Now, what to make of this?  To me it seems only compression could be
>> the culprit but is there any other way to enable compression for HTTPS
>> than to include "compression"?  Or does the TLS negotiation ignore
>> setting "compression"?  I could not find indication of any option to
>> control compression in the Javadocs
>>
>> http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/package-summary.html
>
>
> You won't. My recollection is that Java does not support compression.

OK, then it's no surprise that they do not mention it in the Javadocs. :-)

> APR/native does. An option was recently added. See:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=54324

I found that but wasn't aware that this is actually used in Tomcat.

> There is no 6.0.x release with the necessary options yet.

Do you know whether there will be?

Kind regards

robert

-- 
remember.guy do |as, often| as.you_can - without end
http://blog.rubybestpractices.com/



Re: Nessus scan claims vulnerability in Tomcat 6

Posted by Mark Thomas <ma...@apache.org>.
On 25/02/2013 08:42, Robert Klemme wrote:
> Hi there,
>
> I have been confronted with a Nessus scan result which claims
> vulnerability to exploit "TLS CRIME". Plugin 62565 allegedly has found
> this and the report states:
>
> "The remote service has one of two configurations that are known to be
> required for the CRIME attack:
> - SSL / TLS compression is enabled.
It is this one.

> - TLS advertises the SPDY protocol earlier than version 4.
There is no spdy support in any released Tomcat version.

> We have in server.xml:
>
> <Connector SSLCertificateFile="/path" SSLCipherSuite="*******"
> protocol="HTTP/1.1" connectionTimeout="20000"
> SSLCertificateKeyFile="/path" secure="true" scheme="https"
> maxThreads="500" port="4712" maxSavePostSize="0" server="***"
> SSLProtocol="TLSv1" maxPostSize="2048" URIEncoding="UTF-8"
> SSLEnabled="true" />

That is the APR/native HTTPS connector.

> Now, what to make of this?  To me it seems only compression could be
> the culprit but is there any other way to enable compression for HTTPS
> than to include "compression"?  Or does the TLS negotiation ignore
> setting "compression"?  I could not find indication of any option to
> control compression in the Javadocs
> http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/package-summary.html

You won't. My recollection is that Java does not support compression.

APR/native does. An option was recently added. See:
https://issues.apache.org/bugzilla/show_bug.cgi?id=54324

There is no 6.0.x release with the necessary options yet.

Mark

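Added example, not code from the thread or from the Tomcat project: a small Python audit of the Connector elements in a server.xml that applies the reasoning given in this thread. APR-only SSL attributes (SSLCertificateFile and friends) identify the APR/native connector even when protocol="HTTP/1.1"; an explicit JSSE protocol class avoids TLS compression because Java's TLS stack has none, but then the APR attributes are ignored and keystore settings are needed; and SSLDisableCompression only takes effect on Tomcat 7.0.37 or later. The sample server.xml and the verdict names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not the poster's real file): the first
# Connector mirrors the one quoted in the thread, the rest are variants.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector SSLCertificateFile="/path" SSLCipherSuite="*******"
    protocol="HTTP/1.1" connectionTimeout="20000" SSLCertificateKeyFile="/path"
    secure="true" scheme="https" port="4712" SSLProtocol="TLSv1" SSLEnabled="true"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    SSLEnabled="true" SSLCertificateFile="/path" SSLCertificateKeyFile="/path"/>
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
    SSLEnabled="true" SSLCertificateFile="/path" SSLDisableCompression="true"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""

# Attributes only the APR/native connector understands; JSSE uses keystoreFile.
APR_SSL_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLCipherSuite"}
JSSE_PROTOCOLS = {"org.apache.coyote.http11.Http11Protocol",
                  "org.apache.coyote.http11.Http11NioProtocol"}

def classify(connector):
    """Return a constructed verdict code for one <Connector> element."""
    a = connector.attrib
    if a.get("SSLEnabled", "false").lower() != "true":
        return "PLAIN"                      # no TLS, CRIME does not apply
    proto = a.get("protocol", "HTTP/1.1")
    if proto in JSSE_PROTOCOLS:
        # Java's TLS stack has no compression, but APR-only attributes are
        # ignored here, so keystoreFile etc. are still needed to make it work.
        return "JSSE" if "keystoreFile" in a else "JSSE_NEEDS_KEYSTORE"
    if not (APR_SSL_ATTRS & a.keys()):
        # protocol="HTTP/1.1" picks APR only when tcnative is installed;
        # without APR-only attributes we cannot tell from the file alone.
        return "UNDETERMINED"
    if a.get("SSLDisableCompression", "false").lower() == "true":
        return "APR_COMPRESSION_DISABLED"   # attribute exists from 7.0.37 on
    return "APR_COMPRESSION_RISK"           # TLS compression may be negotiated

def audit(xml_text):
    """Map connector port -> verdict for every Connector in server.xml text."""
    root = ET.fromstring(xml_text)
    return {c.get("port", "?"): classify(c) for c in root.iter("Connector")}

if __name__ == "__main__":
    for port, verdict in audit(SERVER_XML).items():
        print(port, verdict)
```

The audit only reads configuration; confirming what the running server actually negotiates still requires a handshake test against the port, which is what the scanner in the thread did.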