Re: [Resin-interest] BEAST SSL Attack

2012-12-05 Thread Aaron Freeman
Knut,

Thanks a bunch for your reply. I saw you referencing another email you sent, 
but this is the only one I saw come through the group.

At any rate, we are already using the cipher-suites feature, but in this case 
that’s not enough. They are telling us that we actually have to be able to 
prioritize the order that the suites are negotiated on the server side. The 
only cipher suites guaranteed not to have the BEAST attack issue are ones that 
aren’t widespread yet (TLSv1.1); however, if we can put TLSv1.0 in a specific 
order, that will suffice for PCI compliance.

This bug for Tomcat addresses the issue and gives good details about a 
directive, SSLHonorCipherOrder, that handles the problem: 
https://issues.apache.org/bugzilla/show_bug.cgi?id=53481

Any other ideas for Resin?

Aaron


From: resin-interest-boun...@caucho.com 
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Knut Forkalsrud
Sent: Tuesday, December 04, 2012 9:31 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

Actually, I got it wrong in my previous mail. The feature should be working.

There is a ticket describing the feature: 
http://bugs.caucho.com/view.php?id=3593

On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud knut-cau...@forkalsrud.org 
wrote:

In the days of Resin 2.1.4 and onwards 
(http://www.caucho.com/resin-3.1/changes/changes-2.xtp) there was such a 
feature; however, it seems to have lapsed. I remember because there was a 
similar issue with MSIE 
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217).

In my good old copy of Resin 3.1.8 there are remains of the feature.
If you bring up the source code for com.caucho.vfs.JsseSSLFactory.create(host, 
port) you will find a block of code commented out.

Then there was a second incarnation where you could specify cipher suites. 
That seems to have died some time around Aug 2009 with the commit: 
https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java

I suspect you could get it going again if you have the fortitude to play around 
with Resin's source code and build your own.

Good luck,

Knut Forkalsrud

On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman aaron.free...@layerz.com wrote:

SSL BEAST


___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest


Re: [Resin-interest] BEAST SSL Attack

2012-12-05 Thread Paul Cowan
Hi Folks,

Resin does not support SSLHonorCipherOrder yet.  We already received a 
request from another customer and there is a feature request for this here:

http://bugs.caucho.com/view.php?id=5282

This is an OpenSSL feature, not JSSE.  We'll be implementing it in an upcoming 
release.  Probably it will be in 4.0.44, as .43 is due for release soon.

Thanks,
Paul


On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote:


===
Paul Cowan, Software Engineer
Caucho Technology
co...@caucho.com
http://blog.caucho.com
http://twitter.com/cauchoresin

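Editor's note: the thread turns on one mechanism, which side's preference list decides the cipher suite. The Python below is an added example written for this page, not code from Resin, Tomcat or any poster, and the suite lists in it are constructed for illustration. It models selection with and without server-side ordering (what Tomcat's SSLHonorCipherOrder and, since Java 8, JSSE's SSLParameters.setUseCipherSuitesOrder(true) switch on), flags the BEAST-exposed outcome (a CBC suite under SSL 3.0 or TLS 1.0), and includes a probe that connects to a host with differently ordered client lists to check whether a live server honours its own order. Two caveats a practitioner should carry with it: the 2012-era fix of putting RC4 first is no longer acceptable (RC4 is prohibited by RFC 7465), so the modern answer is to turn TLS 1.0 off rather than reorder it; and current OpenSSL builds may refuse RC4 or TLS 1.0 for the probe, which the code reports as an error entry.

```python
"""Model of what SSLHonorCipherOrder changes, plus a live probe.

Added example by the page editor; not code from Resin, Tomcat or the people
on this thread.  The suite lists below are constructed for illustration.
"""
import socket
import ssl

# Constructed server preference list in the spirit of the 2012 BEAST
# guidance: a non-CBC (stream) suite first so TLS 1.0 clients do not land
# on CBC.  Caveat: RC4 is itself broken and prohibited by RFC 7465; today
# the fix is to disable TLS 1.0, but the selection logic is the same.
SERVER_PREFS = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed client hello: a browser that lists CBC suites first.
CLIENT_OFFER = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]


def negotiate(server_prefs, client_offer, honor_server_order):
    """Return the suite the server selects, or None when nothing overlaps.

    honor_server_order=False (the default the thread complains about): walk
    the client's list and take the first suite the server also supports.
    honor_server_order=True (SSLHonorCipherOrder): walk the server's list
    and take the first suite the client offered.
    """
    if honor_server_order:
        primary, secondary = server_prefs, set(client_offer)
    else:
        primary, secondary = client_offer, set(server_prefs)
    for suite in primary:
        if suite in secondary:
            return suite
    return None


def is_cbc(suite):
    """True for CBC-mode suites in either IANA (TLS_RSA_WITH_AES_128_CBC_SHA)
    or OpenSSL (AES128-SHA, ECDHE-RSA-AES128-SHA256) spelling."""
    if "_CBC_" in suite:
        return True
    if any(tag in suite for tag in ("GCM", "CCM", "CHACHA20", "RC4", "NULL", "_")):
        return False  # AEAD or stream suites, or an IANA name with no CBC token
    return any(alg in suite for alg in ("AES", "DES", "CAMELLIA", "SEED"))


def beast_exposed(version, suite):
    """BEAST needs a CBC suite under SSL 3.0 or TLS 1.0; TLS 1.1 added explicit
    per-record IVs, which is why the thread treats TLSv1.1 as safe."""
    return version in ("SSLv3", "TLSv1") and is_cbc(suite)


def probe(host, port=443,
          client_orders=("AES128-SHA:AES256-SHA:RC4-SHA",
                         "RC4-SHA:AES256-SHA:AES128-SHA")):
    """Connect with differently ordered client cipher lists (OpenSSL syntax)
    and return (order, negotiated protocol, suite, BEAST-exposed) per attempt.
    A server that honours its own order picks the same suite every time.
    Modern OpenSSL may reject RC4 or TLS 1.0 outright; that becomes an error
    entry rather than an exception."""
    results = []
    for order in client_orders:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # probe only; never disable in a real client
        try:
            ctx.set_ciphers(order)
            with socket.create_connection((host, port), timeout=5) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    suite = tls.cipher()[0]
                    version = tls.version()  # negotiated protocol, not the suite's minimum
                    results.append((order, version, suite, beast_exposed(version, suite)))
        except (ssl.SSLError, OSError) as exc:
            results.append((order, None, f"error: {exc}", None))
    return results


def honours_server_order(results):
    """True when every successful probe negotiated the same suite."""
    suites = {r[2] for r in results if r[1] is not None}
    return len(suites) == 1


if __name__ == "__main__":
    for honour in (False, True):
        chosen = negotiate(SERVER_PREFS, CLIENT_OFFER, honour)
        print(f"server order honoured={honour}: {chosen}, "
              f"BEAST-exposed on TLS 1.0={beast_exposed('TLSv1', chosen)}")
```

Run stand-alone, the script shows the difference the directive makes: with client order the browser's CBC suite wins on TLS 1.0 and is BEAST-exposed; with server order the server's first mutual suite wins. To check a deployed server, call probe("your.host") and pass the result to honours_server_order; if it returns False, the client's ordering is steering the choice, which is exactly the state the PCI scanner in the thread objected to.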