Re: [Resin-interest] BEAST SSL Attack

Aaron Freeman Thu, 10 Jan 2013 12:12:30 -0800

Hmm, we were able to swap out jsse for openssl and get that working without
any issues using the snapshot you recommend below.  However when we add
<honor-cipher-order> under the <openssl> node, we get this error:


 

[root@alpha bin]# ./www.sh start

/opt/sendthisfile/server/conf/www.xml:80: <honor-cipher-order> is an
unexpected tag (parent <openssl> starts at 75).

 

78:                     <password>password</password>

79:
<cipher-suite>!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL</cipher-su
ite>

80:                         <honor-cipher-order>true</honor-cipher-order>

81:                     </openssl>

82:             </http>

 

<openssl> syntax: ( (@ca-certificate-file | <ca-certificate-file>)?

                  & (@ca-certificate-path | <ca-certificate-path>)?

                  & (@ca-revocation-file | <ca-revocation-file>)?

                  & (@ca-revocation-path | <ca-revocation-path>)?

                  & (@certificate-file | <certificate-file>)

                  & (@certificate-chain-file | <certificate-chain-file>)?

                  & (@certificate-key-file | <certificate-key-file>)?

                  & (@cipher-suite | <cipher-suite>)?

                  & (@crypto-device | <crypto-device>)?

                  & (@password | <password>)

                  & (@protocol | <protocol>)?

                  & (@session-cache | <session-cache>)?

                  & (@session-cache-timeout | <session-cache-timeout>)?

                  & (@unclean-shutdown | <unclean-shutdown>)?

                  & (@verify-client | <verify-client>)?

                  & (@verify-depth | <verify-depth>)?)

 

 

>From the configuration, this is the version of OpenSSL we are on:

 

  OPENSSL     : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

    include   : /usr/include

    lib       :

    libraries :  -lssl -lcrypto

 

Any ideas?

 

Thanks,

 

Aaron

 

 

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Scott Ferguson
Sent: Tuesday, January 08, 2013 7:42 PM
To: resin-interest@caucho.com
Subject: Re: [Resin-interest] BEAST SSL Attack

 

On 1/5/13 5:14 PM, Keith Fetterman wrote:

Hi Scott,

We need this too.

Can you try http://caucho.com/download/resin-pro-4_0-snap.tar.gz

The configuration is <honor-cipher-order>true</honor-cipher-order> in
<openssl>.

-- Scott





Thanks,
Keith

On 1/2/2013 1:36 PM, Scott Ferguson wrote:

On 1/2/13 11:58 AM, Aaron Freeman wrote:

We have now been scanned and been found to be non-compliant due to lack of
the ability to order ciphers.   Is there any timeframe we might expect even
a snapshot to have this capability?


I'll see if I can get a snapshot this week.

-- Scott




 

Thanks,

 

Aaron

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Wednesday, December 05, 2012 10:51 AM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

 

Very good, I appreciate the feedback. 

 

Thanks,

 

Aaron

 

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Paul Cowan
Sent: Wednesday, December 05, 2012 9:02 AM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

 

Hi Folks,

 

Resin does not support "SSLHonorCipherOrder" yet.  We already received a
request from another customer and there is a feature request for this here:

 

http://bugs.caucho.com/view.php?id=5282

 

This is an OpenSSL feature, not JSSE.  We'll be implementing it in an
upcoming release.  Probably it will be in 4.0.44, as .43 is due for release
soon.

 

Thanks,

Paul

 

 

On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote:

 

Knut,

 

Thanks a bunch for your reply.   I saw you referencing another email you
sent, but this is the only one I saw come through the group.

 

At any rate, we are already using the cipher-suites feature, but in this
case that's not enough.   They are telling us that we actually have to be
able to prioritize the order that the suites are negotiated on the server
side.  The only cipher suites guaranteed not to have the BEAST attack issue
are ones that aren't wide-spread yet (TLSv1.1) however if we can put TLSv1.0
in a specific order that will suffice for PCI compliance.

 

This bug for Tomcat addresses the issue and gives good details about a
directive, SSLHonorCipherOrder, that handles the problem:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53481

 

Any other ideas for Resin?

 

Aaron

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Knut Forkalsrud
Sent: Tuesday, December 04, 2012 9:31 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

 

Actually, I got it wrong in my previous mail.  The feature should be
working.

There is a ticket describing the feature:
http://bugs.caucho.com/view.php?id=3593

 

On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud <knut-cau...@forkalsrud.org>
wrote:

In the days of Resin 2.1.4 and onwards
<http://www.caucho.com/resin-3.1/changes/changes-2.xtp>  there was such a
feature, however it seems to have lapsed.  I remember because there was a
similar issue with MSIE
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217.

 

I my good old copy of Resin 3.1.8 there are remains the feature.

If you bring up the source code for
com.caucho.vfs.JsseSSLFactory.create(host, port)

you will find a block of code commented out.

 

Then there was a second incarnation where you could specify cipher suites.
That seems to have dies some time around Aug 2009 with the commit:
https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45f
c49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java

 

I suspect you could get it going again if you have the fortitude to play
around with Resin's source code and build your own.

 

Good luck,

 

Knut Forkalsrud

 

 

On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman <aaron.free...@layerz.com>
wrote:

SSL BEAST

 

 

_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest

 

===============================
Paul Cowan, Software Engineer
Caucho Technology
co...@caucho.com
http://blog.caucho.com
http://twitter.com/cauchoresin 

 






_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest







_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest





-- 
-----------------------------------------------------------------
Keith Fetterman                          206-780-5670
Mariner Supply, Inc.                     kfetter...@go2marine.com
http://www.go2marine.com
 
http://www.boatersline.com
 






_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest

_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest

Re: [Resin-interest] BEAST SSL Attack

Reply via email to