Re: [Resin-interest] BEAST SSL Attack

2013-01-14 Thread Aaron Freeman
Still needing a little assistance on this one.

Thanks,

Aaron

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Thursday, January 10, 2013 2:12 PM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

Hmm, we were able to swap out jsse for openssl and get that working without
any issues using the snapshot you recommend below.  However when we add
 under the  node, we get this error:

[root@alpha bin]# ./www.sh start
/opt/sendthisfile/server/conf/www.xml:80:  is an
unexpected tag (parent  starts at 75).

78: password
79: !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL
80: true
81:
82:

 syntax: ( (@ca-certificate-file | )?
  & (@ca-certificate-path | )?
  & (@ca-revocation-file | )?
  & (@ca-revocation-path | )?
  & (@certificate-file | )
  & (@certificate-chain-file | )?
  & (@certificate-key-file | )?
  & (@cipher-suite | )?
  & (@crypto-device | )?
  & (@password | )
  & (@protocol | )?
  & (@session-cache | )?
  & (@session-cache-timeout | )?
  & (@unclean-shutdown | )?
  & (@verify-client | )?
  & (@verify-depth | )?)

From the configuration, this is the version of OpenSSL we are on:

  OPENSSL : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
  include   : /usr/include
  lib   :
  libraries :  -lssl -lcrypto

Any ideas?

Thanks,

Aaron

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Scott Ferguson
Sent: Tuesday, January 08, 2013 7:42 PM
To: resin-interest@caucho.com
Subject: Re: [Resin-interest] BEAST SSL Attack

On 1/5/13 5:14 PM, Keith Fetterman wrote:

Hi Scott,

We need this too.

Can you try http://caucho.com/download/resin-pro-4_0-snap.tar.gz

The configuration is true in
.

-- Scott

Thanks,
Keith

On 1/2/2013 1:36 PM, Scott Ferguson wrote:

On 1/2/13 11:58 AM, Aaron Freeman wrote:

We have now been scanned and been found to be non-compliant due to lack of
the ability to order ciphers.   Is there any timeframe we might expect even
a snapshot to have this capability?

I'll see if I can get a snapshot this week.

-- Scott

Thanks,

Aaron

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Wednesday, December 05, 2012 10:51 AM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

Very good, I appreciate the feedback.

Thanks,

Aaron

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Paul Cowan
Sent: Wednesday, December 05, 2012 9:02 AM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

Hi Folks,

Resin does not support "SSLHonorCipherOrder" yet.  We already received a
request from another customer and there is a feature request for this here:

http://bugs.caucho.com/view.php?id=5282

This is an OpenSSL feature, not JSSE.  We'll be implementing it in an
upcoming release.  Probably it will be in 4.0.44, as .43 is due for release
soon.

Thanks,

Paul

On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote:

Knut,

Thanks a bunch for your reply.   I saw you referencing another email you
sent, but this is the only one I saw come through the group.

At any rate, we are already using the cipher-suites feature, but in this
case that's not enough.   They are telling us that we actually have to be
able to prioritize the order that the suites are negotiated on the server
side.  The only cipher suites guaranteed not to have the BEAST attack issue
are ones that aren't widespread yet (TLSv1.1), however if we can put TLSv1.0
in a specific order that will suffice for PCI compliance.

This bug for Tomcat addresses the issue and gives good details about a
directive, SSLHonorCipherOrder, that handles the problem:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53481

Any other ideas for Resin?

Aaron

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Knut Forkalsrud
Sent: Tuesday, December 04, 2012 9:31 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

Actually, I got it wrong in my previous mail.  The feature should be
working.

There is a ticket describing the feature:
http://bugs.caucho.com/view.php?id=3593

On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud wrote:

In the days of Resin 2.1.4 and onwards


[Resin-interest] JMS messaging with ClusterTopic not working in resin > 4.0.27

2013-01-14 Thread Dan Ziegelbein
Below is a simple servlet/MDB/resin-web combo that sends/reads a
message. It works in 4.0.27 but does not work in later versions. By
"does not work" I mean that the message does not appear to be sent at
all. At the 'fine' logging level there is an entry like:
[13-01-14 13:47:59.091] {resin-port-8080-39}
ClusterTopic[TestClusterTopic] sending
TextMessageImpl[ID:5dQYaEuP/vkAE8OpoeJQAA]

but never a subsequent entry like:
[13-01-14 13:51:22.083]
{ValueItemProcessor[PacketProcessor[mess...@aaa.app.admin.resin]]}
FileSubscriberQueue[TestClusterTopic] send message
TextMessageImpl[ID:/bKgP3znGffAE8Op2cowAA]

and never an entry indicating that the message was received by either
server in the cluster.

For my testing, the only configuration changes that I made to resin's
out-of-the-box config were the following properties:

log_level  : fine
app_servers: 127.0.0.1:6801 127.0.0.1:6802
app-0.http : 8080
app-1.http : 8081
admin_user : test
admin_password : {plain}test


Am I doing something wrong and I just got lucky that it worked in
earlier versions?

Dan


// Imports added so the listing compiles as posted; CtTest and TestListener
// are separate source files in the same package.
import java.io.IOException;

import javax.annotation.Resource;
import javax.ejb.ActivationConfigProperty;
import javax.ejb.MessageDriven;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.MessageListener;
import javax.jms.Session;
import javax.jms.TextMessage;
import javax.jms.TopicConnection;
import javax.jms.TopicPublisher;
import javax.jms.TopicSession;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.caucho.jms.JmsConnectionFactory;
import com.caucho.jms.cluster.ClusterTopic; // package assumed for Resin 4; adjust to your build

/**
 * Servlet implementation class CtTest
 */
public class CtTest extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @javax.inject.Inject
    ClusterTopic _topic;

    @Resource(mappedName = "jms/TestConnectionFactory")
    JmsConnectionFactory factory = new com.caucho.jms.JmsConnectionFactory();

    // Kept open for the servlet's lifetime so the listener stays subscribed.
    private TopicConnection _listenerConn;

    /**
     * @see HttpServlet#HttpServlet()
     */
    public CtTest() {
        super();
    }

    /**
     * @see Servlet#init(ServletConfig)
     */
    public void init(ServletConfig config) throws ServletException {
        super.init(config); // needed so getServletConfig()/getServletContext() work

        try {
            // Initialize JMS objects
            _listenerConn = factory.createTopicConnection();
            Session session = _listenerConn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageConsumer consumer = session.createConsumer(_topic);
            consumer.setMessageListener(new TestListener());

            // Subscribe to the topic.
            _topic.subscribeTopic();

            _listenerConn.start();

        } catch (JMSException je) {
            System.out.println(je.toString());
        }
    }

    /**
     * Release the subscriber connection when the servlet is unloaded.
     */
    public void destroy() {
        try {
            if (_listenerConn != null) {
                _listenerConn.close();
            }
        } catch (JMSException je) {
            System.out.println(je.toString());
        }
    }

    /**
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {

        TopicConnection conn = null;
        try {
            // Initialize JMS objects (one connection per request, closed below)
            conn = factory.createTopicConnection();

            // Publish the message.
            TopicSession jmsSession = conn.createTopicSession(false, Session.AUTO_ACKNOWLEDGE);
            TopicPublisher publisher = jmsSession.createPublisher(_topic);
            Message msg = jmsSession.createTextMessage("test Get");
            System.out.println(" Sending message");

            publisher.publish(msg);

            // Set the content type before anything is written to the stream.
            response.setContentType("text/plain");
            ServletOutputStream out = response.getOutputStream();
            out.print("Message Sent");
            out.close();
        } catch (JMSException je) {
            // Surface the failure instead of silently returning an empty page.
            throw new ServletException("JMS publish failed", je);
        } finally {
            if (conn != null) {
                try {
                    conn.close();
                } catch (JMSException ignored) {
                    // nothing useful to do on close failure
                }
            }
        }
    }

}


@MessageDriven(mappedName = "TestClusterTopic",
    activationConfig = {@ActivationConfigProperty(
        propertyName = "destinationType", propertyValue = "javax.jms.Topic")})
public class TestListener implements MessageListener {

    public TestListener() {
    }

    public void onMessage(Message msg) {
        try {
            System.out.println(String.format(" Received message: '%s'",
                ((TextMessage) msg).getText()));
        } catch (JMSException e) {
            e.printStackTrace();
        }
    }
}





   

  TestClusterTopic



cttest

com.sendthisfile.trouble.CtTest






___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest


Re: [Resin-interest] System.getenv() behaves differently

2013-01-14 Thread Scott Ferguson
On 1/14/13 6:15 AM, Mattias Jiderhamn wrote:
> I have noticed that System.getenv() behaves differently on our different
> Linux servers.
>
> When running stand-alone Java applications there is no issue, but on at
> least one server the environment variables are inherited from the
> watchdog process to the Resin process, and on others they are not. This
> can be verified with -verbose when starting Resin.
>
> I cannot find any difference in the setup (startup script + config), but
> on the other hand I'm not sure what I should be looking for.
> Any ideas?
>
> (Resin version is 4.0.29)
>
Can you send a -verbose?

When the watchdog spawns Resin, the env is built using System.getenv() 
on the watchdog, and then a few overrides extend the environment 
(CLASSPATH, LD_LIBRARY_PATH).

-- Scott




[Resin-interest] System.getenv() behaves differently

2013-01-14 Thread Mattias Jiderhamn
I have noticed that System.getenv() behaves differently on our different 
Linux servers.

When running stand-alone Java applications there is no issue, but on at 
least one server the environment variables are inherited from the 
watchdog process to the Resin process, and on others they are not. This 
can be verified with -verbose when starting Resin.

I cannot find any difference in the setup (startup script + config), but 
on the other hand I'm not sure what I should be looking for.
Any ideas?

(Resin version is 4.0.29)
