Very good, I appreciate the feedback.
Thanks, Aaron From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Paul Cowan Sent: Wednesday, December 05, 2012 9:02 AM To: General Discussion for the Resin application server Subject: Re: [Resin-interest] BEAST SSL Attack Hi Folks, Resin does not support "SSLHonorCipherOrder" yet. We already received a request from another customer and there is a feature request for this here: http://bugs.caucho.com/view.php?id=5282 This is an OpenSSL feature, not JSSE. We'll be implementing it in an upcoming release. Probably it will be in 4.0.44, as .43 is due for release soon. Thanks, Paul On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote: Knut, Thanks a bunch for your reply. I saw you referencing another email you sent, but this is the only one I saw come through the group. At any rate, we are already using the cipher-suites feature, but in this case that's not enough. They are telling us that we actually have to be able to prioritize the order that the suites are negotiated on the server side. The only cipher suites guaranteed not to have the BEAST attack issue are ones that aren't wide-spread yet (TLSv1.1) however if we can put TLSv1.0 in a specific order that will suffice for PCI compliance. This bug for Tomcat addresses the issue and gives good details about a directive, SSLHonorCipherOrder, that handles the problem: https://issues.apache.org/bugzilla/show_bug.cgi?id=53481 Any other ideas for Resin? Aaron From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Knut Forkalsrud Sent: Tuesday, December 04, 2012 9:31 PM To: General Discussion for the Resin application server Subject: Re: [Resin-interest] BEAST SSL Attack Actually, I got it wrong in my previous mail. The feature should be working. There is a ticket describing the feature: http://bugs.caucho.com/view.php?id=3593 On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud <knut-cau...@forkalsrud.org> wrote: In the days of Resin 2.1.4 and onwards <http://www.caucho.com/resin-3.1/changes/changes-2.xtp> there was such a feature, however it seems to have lapsed. I remember because there was a similar issue with MSIE http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217. I my good old copy of Resin 3.1.8 there are remains the feature. If you bring up the source code for com.caucho.vfs.JsseSSLFactory.create(host, port) you will find a block of code commented out. Then there was a second incarnation where you could specify cipher suites. That seems to have dies some time around Aug 2009 with the commit: https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45f c49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java I suspect you could get it going again if you have the fortitude to play around with Resin's source code and build your own. Good luck, Knut Forkalsrud On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman <aaron.free...@layerz.com> wrote: SSL BEAST _______________________________________________ resin-interest mailing list resin-interest@caucho.com http://maillist.caucho.com/mailman/listinfo/resin-interest =============================== Paul Cowan, Software Engineer Caucho Technology co...@caucho.com http://blog.caucho.com http://twitter.com/cauchoresin
_______________________________________________ resin-interest mailing list resin-interest@caucho.com http://maillist.caucho.com/mailman/listinfo/resin-interest
