Re: Disabling SSLv3 with Tomcat ARP/Native but still retaining support for TLS 1.1 and TLS 1.2
On 15/10/2014 13:42, John Blaut wrote:
> Hi
>
> Following the recent announcement of the SSLv3 POODLE vulnerability (CVE-2014-3566), when disabling SSLv3 on Tomcat APR/Native using the following configuration: SSLProtocol=TLSv1, it seems that the effect is that besides the SSLv3 protocol even the TLSv1.1 and TLSv1.2 protocols no longer remain available, at least according to the Qualys SSL Labs test: https://www.ssllabs.com/ssltest/
>
> Protocols
> TLS 1.2  No
> TLS 1.1  No
> TLS 1.0  Yes
> SSL 3    No
> SSL 2    No
>
> Is there an explanation for this? What configuration is required in order to disable SSLv3 (and SSLv2 of course) whilst still retaining support for all TLS 1.0, 1.1, 1.2?

TLS      Supports some version of TLS; may support other versions
TLSv1    Supports RFC 2246: TLS version 1.0 http://www.ietf.org/rfc/rfc2246.txt ; may support other versions
TLSv1.1  Supports RFC 4346: TLS version 1.1 http://www.ietf.org/rfc/rfc4346.txt ; may support other versions
TLSv1.2  Supports RFC 5246: TLS version 1.2 http://www.ietf.org/rfc/rfc5246.txt ; may support other versions

http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext

--
Regards,
Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7584 634135
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: Disabling SSLv3 with Tomcat ARP/Native but still retaining support for TLS 1.1 and TLS 1.2
On 15/10/2014 14:03, John Blaut wrote:
> I am using Tomcat 7. I can reproduce the issue even on Native 1.1.30.

Apologies, yes APR/Native only supports SSLv2, SSLv3, TLSv1.0:

SSLProtocol
Protocol which may be used for communicating with clients. The default value is all, which is equivalent to SSLv3+TLSv1 with other acceptable values being SSLv2, SSLv3, TLSv1 and any combination of the three protocols concatenated with a plus sign. Note that the protocol SSLv2 is inherently unsafe.

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

--
Regards,
Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7584 634135
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
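The thread above relies on the SSL Labs scanner to see which protocol versions the connector still offers after changing SSLProtocol. The following POSIX shell script is an added example, not code from the thread or from the Tomcat project: it produces the same Yes/No table by forcing one handshake per version with openssl s_client against a connector you operate. It assumes the openssl command-line tool is on the PATH and was built with the -ssl3, -tls1, -tls1_1 and -tls1_2 options; since current OpenSSL builds often leave out SSLv3 and TLS 1.0 themselves, a "No" line can mean the client refused the version rather than the server, so read the results together with the connector's own configuration. The host and port are whatever your connector listens on; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): list which SSL/TLS versions a server
# negotiates, one forced handshake per version via openssl s_client.
# Usage: sh tls_versions.sh <host> [port]   (port defaults to 443)

# Map a version label to the s_client option that forces exactly that version.
# Returns non-zero for labels s_client has no option for (SSLv2 is not probed).
version_flag() {
    case "$1" in
        SSLv3)   echo "-ssl3" ;;
        TLSv1)   echo "-tls1" ;;
        TLSv1.1) echo "-tls1_1" ;;
        TLSv1.2) echo "-tls1_2" ;;
        *)       return 1 ;;
    esac
}

# Decide from captured s_client output whether the wanted version was negotiated.
# s_client prints "Protocol  : TLSv1.1" in its session summary; matching the label
# up to end of line keeps "TLSv1" from also matching "TLSv1.1" and "TLSv1.2".
# A failed handshake still prints a session block, but with "Cipher    : 0000".
negotiated() {
    version=$1; out=$2
    printf '%s\n' "$out" | grep -q "Protocol *: $version\$" || return 1
    ! printf '%s\n' "$out" | grep -q "Cipher *: 0000"
}

# One forced handshake against host:port; returns 0 if that version was accepted.
probe_version() {
    host=$1; port=$2; version=$3
    flag=$(version_flag "$version") || return 2
    # </dev/null makes s_client exit right after the handshake; a non-zero exit
    # (handshake failure, or an option this build lacks) counts as "No".
    out=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" </dev/null 2>/dev/null) || return 1
    negotiated "$version" "$out"
}

# Print a Yes/No line per version, in the same shape as the SSL Labs summary.
report() {
    host=$1; port=${2:-443}
    for v in SSLv3 TLSv1 TLSv1.1 TLSv1.2; do
        if probe_version "$host" "$port" "$v"; then
            echo "$v Yes"
        else
            echo "$v No"
        fi
    done
}

# Only probe when a host was given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    report "$@"
fi
```

Run it against the connector's hostname and port after each SSLProtocol change and compare with the allowed values in the Tomcat documentation quoted above; with the APR/Native build discussed in the thread, the TLSv1.1 and TLSv1.2 lines are expected to read "No" regardless of the setting.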
Re: Java 6u35, 7u07 are available
On 31/08/2012 16:02, Tony Anecito wrote:
> Hi All,
>
> I looked at the release notes and there was nearly nothing there. So justification to update was impossible. Oracle needs to realize that releases with just one security and one time clock change makes it impossible to explain to anyone why we need to update an Enterprise.
>
> Just my initial reaction. Used to be you got actual release notes when Sun owned Java.
>
> Regards,
> -Tony

Zero-Day Exploit in the Wild enough reason for you?

--
Regards,
Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: Java 6u35, 7u07 are available
On 31/08/2012 16:22, Jess Holle wrote:
> Well, don't give Oracle too much credit -- or grief.
>
> According to various articles (look them up, I didn't save the URLs), they were notified of these vulnerabilities ~4 months ago. Unfortunately several days ago serious attacks in the wild using these vulnerabilities were discovered -- after which Oracle responded rather quickly.
>
> So one can give Oracle hell for not triaging these particular vulnerabilities as needing redress far more quickly than 4 months or laud them for fixing the issue quickly once a zero-day attack was found in the wild. I'd say the reasonable response is somewhere in between and that overall most companies make some mistakes in this area (just look at some of the issues Microsoft has sat on).

I try not to criticise Oracle or Sun too much; it kind of went from 'exploit in the wild' to 'very easily obtainable exploit':

https://community.rapid7.com/community/metasploit/blog/2012/08/30/weekly-metasploit-update

I can understand them being vague about the update, but critically severe seems an appropriate description.

--
Regards,
Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: How to unsubscribe?
On 02/07/2012 10:38, Mario Splivalo wrote:
> I apologise for asking this question directly to this list, but all of my other inquiries to the users-ow...@tomcat.apache.org were not answered.
>
> I tried to unsubscribe from this list many times, but I don't get confirmation email, ever.
>
> If someone could contact me directly to have this sorted out, I'd be more than happy.
>
> Thank you again,
> Mario
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Check the inserted footer of your own message.

--
Regards,
Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.netsecspec.co.uk
giles.cooc...@netsecspec.co.uk

--
Regards,
Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: http status 404 error
On 11/05/2012 14:13, Jose María Zaragoza wrote:
> 2012/5/11 Irene Amatulli <iamatu...@cleverdevices.com>:
>> Hi,
>>
>> I got this error when trying to access my application's website. The Tomcat service is running, so I don't know why I got this error. The website appeared with no problems when I used it yesterday. I'm not sure if some updates that were applied to the server may have caused this to happen.
>>
>> Thanks.
>
> Pid, it's your turn (smart questions, you know...)

Actually, this is one for Uri Geller I think.

--
Best Regards,
Giles Coochey, CCNA Security, CCNA
NetSecSpec Ltd
giles.cooc...@netsecspec.co.uk
Tel: +44 (0) 7983 877 438
Live Messenger: gi...@coochey.net
http://www.netsecspec.co.uk
http://www.coochey.net
Re: http status 404 error
On 11/05/2012 15:19, Konstantin Kolinko wrote:
> BTW, Tomcat 6.0.20 is 3 years old. Here is a list of known security issues fixed in later releases:
> http://tomcat.apache.org/security-6.html

Strangely enough that URL gives me a 404... perhaps this problem is spreading!!

--
Best Regards,
Giles Coochey, CCNA Security, CCNA
NetSecSpec Ltd
giles.cooc...@netsecspec.co.uk
Tel: +44 (0) 7983 877 438
Live Messenger: gi...@coochey.net
http://www.netsecspec.co.uk
http://www.coochey.net
Re: How to leave this list?
On 16/03/2012 10:49, Purvis Robert (NHS CONNECTING FOR HEALTH) wrote:
> I got no error message. I tried about 5 times (just tried again), emailing to users-unsubscr...@tomcat.apache.org as it says in the footer to this list's emails.
>
> Rob

Are you sure that you are subscribed with the email that you are unsubscribing from? (Sometimes mail forwarding etc. can deceive you on this.) The best approach would be to contact the list owner directly; I'm sure they're not intending to send you emails if they knew you didn't want them.

--
Best Regards,
Giles Coochey
NetSecSpec Ltd
UK Mobile: +44 7983 877 438
Business Email: giles.cooc...@netsecspec.co.uk
Email/MSN/Live Messenger: gi...@coochey.net
Skype: gilescoochey
Re: What is difference betn tomcat5.exe tomcat5w.exe?
On 10/02/2011 15:44, Mladen Turk wrote:
> On 02/10/2011 03:17 PM, André Warnier wrote:
>> raghvendra wrote:
>>> What is difference betn tomcat5.exe tomcat5w.exe?
>
> http://www.lmgtfy.com/?q=difference+tomcat5.exe+%26+tomcat5w.exe%3F

Only problem with that site is that invariably Google's first result is his very own question on the mailing list archives...

--
Best Regards,
Giles Coochey
NetSecSpec Ltd
NL T-Systems Mobile: +31 681 265 086
NL Mobile: +31 626 508 131
GIB Mobile: +350 5401 6693
Email/MSN/Live Messenger: gi...@coochey.net
Skype: gilescoochey