LDAP/Realm with TLS in Tomcat 6/7?

2013-08-06 Thread Jens Neu
Dear all,

is there a lib/method/whatever to achieve Realm Auth in Tomcat > 5.x where 
username/password are protected by TLS? 
org.apache.catalina.realm.JNDIRealm works with Tomcat 5, but not in 6 :-(

best regards

Jens


www.biotronik.com 



BIOTRONIK  - Celebrating 50 years of excellence 

Founded in 1963 with the development of the first German pacemaker, BIOTRONIK 
has brought innovations and the highest quality standards to the cardiac rhythm 
management and vascular intervention fields in more than 100 countries around 
the world. We’ve developed advanced technologies such as BIOTRONIK Home 
Monitoring®, Closed Loop Stimulation (CLS) and Orsiro, the industry's first 
hybrid drug eluting stent. BIOTRONIK also offers the broadest portfolio of 
cardiac devices with ProMRI®, an advanced technology that gives patients access 
to magnetic resonance (MR) scanning. 
BIOTRONIK SE & Co. KG 
Woermannkehre 1, 12359 Berlin, Germany 
Registered office: Berlin, Court of registration: Berlin HRA 6501

Represented by its general partner:
BIOTRONIK MT SE
Registered office: Berlin, Court of registration: Berlin HRB 118866 B
Managing Directors: Christoph Böhmer, Dr. Lothar Krings
This e-mail and the information it contains including attachments are 
confidential and meant only for use by the intended recipient(s); disclosure or 
copying is strictly prohibited. If you are not addressed, but in the possession 
of this e-mail, please notify the sender immediately and delete the document. 

Jens Neu is out of the office.

2010-08-06 Thread Jens Neu

I will be out of the office starting  08/06/2010 and will not return until
09/13/2010.

Please contact Christoph Kaminski (christoph.kamin...@biotronik.com) or
Thoralf Freitag (thoralf.frei...@biotronik.com) instead.

Re: TLS+SSLv3 but no SSLv2

2010-01-25 Thread Jens Neu
Chris,

thanks for all your help, everything is up and running. I settled for

'ALL:!EXP:!LOW:!SSLv2'

which is exactly what I need.

> You should take a look at this guy's tool, here:
> http://www.unspecific.com/2009/02/16/ssl-cipher-check

this looks helpful, unfortunately the script (not the page) seems to be 
404 :(


regards from Berlin
Jens

Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de



Christopher Schultz
01/22/2010 07:47 PM
Please respond to "Tomcat Users List"

To: Tomcat Users List
Subject: Re: TLS+SSLv3 but no SSLv2

Jens,

On 1/22/2010 12:51 PM, Jens Neu wrote:
> Christopher,
> 
> maybe that was a bit premature, running with 
> SSLCipher="-ALL:+HIGH:+MEDIUM:!SSLv2":
> 
> openssl s_client -ssl2 -connect server:8443
> CONNECTED(0003)
> ---
> SSL handshake has read 1135 bytes and written 236 bytes
> ---
> New, SSLv2, Cipher is DES-CBC3-MD5
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol  : SSLv2
> Cipher: DES-CBC3-MD5
> Session-ID: 21D7302FAF313F61DF24661249FCF7FD
> Session-ID-ctx:
> Master-Key: 3CAC5F9B8889222FFF7E1106232BFE34FC7A2CBD078833E0
> Key-Arg   : 448CA2E3F880EF06
> Start Time: 1264182312
> Timeout   : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---

:(

> ---
> Ciphers common between both SSL endpoints:
> RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5 
> EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5

In my environment, openssl reports:

$ openssl ciphers 'SSLv2'| sed -e 's/:/\n/g'
DES-CBC3-MD5 <- you got this one
DES-CBC-MD5
EXP-RC2-CBC-MD5
RC2-CBC-MD5
EXP-RC4-MD5
RC4-MD5

Looks like all those are the same ones, meaning that 100% of the openssl
SSLv2 ciphers are available from Tomcat.

Stupid question: did you re-start Tomcat after making the SSLCipher 
change?

Again, here's what I get for the cipher string we've been trying:

$ openssl ciphers 'ALL:!SSLv2:+HIGH:+MEDIUM'| sed -e 's/:/\n/g'
 ADH-DES-CBC-SHA
 EXP-ADH-DES-CBC-SHA
 EXP-ADH-RC4-MD5
 EDH-RSA-DES-CBC-SHA
 EXP-EDH-RSA-DES-CBC-SHA
 EDH-DSS-DES-CBC-SHA
 EXP-EDH-DSS-DES-CBC-SHA
 DES-CBC-SHA
 EXP-DES-CBC-SHA
 EXP-RC2-CBC-MD5
 EXP-RC4-MD5
 ADH-AES256-SHA
 DHE-RSA-AES256-SHA
 DHE-DSS-AES256-SHA
 AES256-SHA
 ADH-AES128-SHA
 DHE-RSA-AES128-SHA
 DHE-DSS-AES128-SHA
 AES128-SHA
 ADH-DES-CBC3-SHA
 EDH-RSA-DES-CBC3-SHA
 EDH-DSS-DES-CBC3-SHA
 DES-CBC3-SHA
 ADH-RC4-MD5
 RC4-SHA
 RC4-MD5

I don't see any of the SSLv2 ciphers in there except for RC4-MD5, which
I suppose would still allow you to connect.

One thing I noticed is that your cipher string is not valid:

$ openssl ciphers '-ALL:+HIGH:+MEDIUM:!SSLv2'| sed -e 's/:/\n/g'
Error in cipher list
16374:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher
match:ssl_lib.c:1185:

You have to have something without - or + prefixing it. Apparently, you
have to start with a list before you start modifying it :)

Try the string I have above and see if that works. RC4-MD5 might still
work, though.

You should take a look at this guy's tool, here:
http://www.unspecific.com/2009/02/16/ssl-cipher-check

Our production server's httpd is configured to use "HIGH:MEDIUM:-SSLv2"
and the results of the above script confirm that only decent ciphers are
available:

$ ./ssl-cipher-check.pl [mysite]
Testing [mysite]:443
   SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits
   SSLv3:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits
   SSLv3:DHE-RSA-AES128-SHA - ENABLED - STRONG 128 bits
   SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits
   SSLv3:RC4-SHA - ENABLED - STRONG 128 bits
   SSLv3:DHE-RSA-AES256-SHA - ENABLED - STRONG 256 bits
   SSLv3:AES128-SHA - ENABLED - STRONG 128 bits
   SSLv3:AES256-SHA - ENABLED - STRONG 256 bits

   TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
   TLSv1:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits
   TLSv1:DHE-RSA-AES128-SHA - ENABLED - STRONG 128 bits
   TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits
   TLSv1:RC4-SHA - ENABLED - STRONG 128 bits
   TLSv1:DHE-RSA-AES256-SHA - ENABLED - STRONG 256 bits
   TLSv1:AES128-SHA - ENABLED - STRONG 128 bits
   TLSv1:AES256-SHA - ENABLED - STRONG 256 bits


*WARNING* 6 WEAK Ciphers Enabled.
Total Ciphers Enabled: 22

I was unable to verify that any WEAK ciphers were enabled, and I count
16 enabled ciphers, not 22. So, maybe this script isn't the greatest
thing around :)

With "HIGH:MEDIUM:-SSLv2", I cannot connect using "openssl s_client
-ssl2", which is a good thing.

Try a different/better cipher string. Always check against "openssl
cipher" to make sure that it's kosher before enabling it in your server
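
Added example (not part of the thread and not written by its participants): one way to script the check recommended above, expanding a cipher string with "openssl ciphers -v" and flagging SSLv2, export-grade, anonymous and short-key suites before the string goes into SSLCipher. The function names audit_cipher_lines, audit_cipher_string and sample_lines are hypothetical, and the sample lines are constructed in "openssl ciphers -v" format from suite names that appear in the thread.

```shell
#!/bin/sh
# Added example: audit what an OpenSSL cipher string expands to.

# audit_cipher_lines [MIN_BITS]
# Reads `openssl ciphers -v` lines on stdin and prints "name: reasons" for
# every suite that is SSLv2, export-grade, unauthenticated (Au=None) or has a
# symmetric key shorter than MIN_BITS (default 128).
# Returns 0 when nothing is flagged, 1 otherwise.
audit_cipher_lines() {
    awk -v min="${1:-128}" '
        NF < 5 { next }                       # skip blank or malformed lines
        {
            name = $1; proto = $2; why = ""; bits = 0
            for (i = 3; i <= NF; i++) {
                # Enc=AES(256) -> 256; Enc=None (NULL cipher) stays at 0 bits
                if ($i ~ /^Enc=/ && match($i, /\([0-9]+\)/))
                    bits = substr($i, RSTART + 1, RLENGTH - 2) + 0
                if ($i == "Au=None") why = why " anonymous-key-exchange"
                if ($i == "export")  why = why " export-grade"
            }
            if (proto == "SSLv2") why = why " SSLv2"
            if (bits < min)       why = why " " bits "-bit"
            if (why != "") { print name ":" why; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# audit_cipher_string CIPHER_STRING [MIN_BITS]
# Returns 2 when the local openssl rejects the string (for example a string
# that only removes and reorders, leaving an empty list), otherwise the
# status of audit_cipher_lines. The result depends on the installed OpenSSL.
audit_cipher_string() {
    list=$(openssl ciphers -v "$1" 2>/dev/null) || {
        echo "invalid cipher string: $1" >&2
        return 2
    }
    printf '%s\n' "$list" | audit_cipher_lines "${2:-128}"
}

# Constructed sample input (not captured from a real server).
sample_lines() {
    cat <<'EOF'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
EOF
}

# Stand-alone demo on the constructed sample; findings go to stdout.
sample_lines | audit_cipher_lines 128 || true
```

To audit a real candidate, call audit_cipher_string with the exact value intended for SSLCipher; pass 129 as the second argument if 128-bit suites must be rejected as well.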

Re: TLS+SSLv3 but no SSLv2

2010-01-22 Thread Jens Neu
Christopher,

maybe that was a bit premature, running with 
SSLCipher="-ALL:+HIGH:+MEDIUM:!SSLv2":

openssl s_client -ssl2 -connect server:8443
CONNECTED(0003)

...

---
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5 
EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 1135 bytes and written 236 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : SSLv2
Cipher: DES-CBC3-MD5
Session-ID: 21D7302FAF313F61DF24661249FCF7FD
Session-ID-ctx: 
Master-Key: 3CAC5F9B8889222FFF7E1106232BFE34FC7A2CBD078833E0
Key-Arg   : 448CA2E3F880EF06
Start Time: 1264182312
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)
---

Jens Neu
Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de



www.biotronik.com

BIOTRONIK SE & Co. KG
Woermannkehre 1, 12359 Berlin, Germany
Registered office: Berlin, Court of registration: Berlin HRA 6501

Represented by its general partner:
BIOTRONIK MT SE
Registered office: Berlin, Court of registration: Berlin HRB 118866 B
Chairman of the Administrative Board: Dr. Max Schaldach
Managing Directors: Christoph Böhmer, Dr. Werner Braun, Dr. Lothar Krings

BIOTRONIK - A global manufacturer of advanced Cardiac Rhythm Management 
systems and Vascular Intervention devices. Quality, innovation, and 
reliability define BIOTRONIK and our growing success. We are innovators of 
technologies like the first wireless remote monitoring system - Home 
Monitoring®, Closed Loop Stimulation and coveted lead solutions as well as 
state-of-the-art stents, balloons and guide wires for coronary and 
peripheral indications. We highly invest in the development of drug 
eluting devices and are leading the industry with our bioabsorbable metal 
stent program.

This e-mail and the information it contains including attachments are 
confidential and meant only for use by the intended recipient(s); 
disclosure or copying is strictly prohibited. If you are not addressed, 
but in the possession of this e-mail, please notify the sender immediately 
and delete the document.


Re: TLS+SSLv3 but no SSLv2

2010-01-22 Thread Jens Neu
Christopher,

yes, that's it! Merci bien :-)
I was reading http://www.openssl.org/docs/apps/ciphers.html "for 
reference", that's where I got scared that I had to check all of them for 
128bit. Didn't know that SSLCipher= is actually understood by openssl.

It's Friday finally :)
Jens

Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de



Christopher Schultz
01/22/2010 06:36 PM
Please respond to "Tomcat Users List"

To: Tomcat Users List
Subject: Re: TLS+SSLv3 but no SSLv2

Jens,

On 1/22/2010 12:30 PM, Jens Neu wrote:
> Christopher,
> 
> my "Problem" is that I have a requirement that SSLv2 shall be forbidden, 
> but not SSLv3 and TLS. On top, also forbidden are ciphers <=128bit. I was 
> hoping to tackle this with
> 
> SSLProtocol="TLSv1+SSLv3"
> SSLCipher="-ALL:+HIGH:+MEDIUM"
> 
> without manually selecting all ciphers. Since I'm on apr/openssl, I assume 
> that my available ciphers are what gives me "openssl ciphers"?
> So this leaves me with no other option than crawling through all the 
> ciphers? Certainly looking forward to it ;-)

How about SSLCipher="-ALL:+HIGH:+MEDIUM:!SSLv2"?

The APR documentation points you to the openssl documentation for
reference. The above SSLCipher yields:

$ openssl ciphers '-ALL:HIGH:MEDIUM:!SSLv2'| sed -e 's/:/\n/g'
ADH-AES256-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
ADH-AES128-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
ADH-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
ADH-RC4-MD5
RC4-SHA
RC4-MD5

Are those acceptable? You don't have to list all the ciphers if you
don't want to.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







Re: TLS+SSLv3 but no SSLv2

2010-01-22 Thread Jens Neu
Christopher,

my "Problem" is that I have a requirement that SSLv2 shall be forbidden, 
but not SSLv3 and TLS. On top, also forbidden are ciphers <=128bit. I was 
hoping to tackle this with

SSLProtocol="TLSv1+SSLv3"
SSLCipher="-ALL:+HIGH:+MEDIUM"

without manually selecting all ciphers. Since I'm on apr/openssl, I assume 
that my available ciphers are what gives me "openssl ciphers"?
So this leaves me with no other option than crawling through all the 
ciphers? Certainly looking forward to it ;-)

regards

Jens Neu
Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de



Christopher Schultz
01/22/2010 06:05 PM
Please respond to "Tomcat Users List"

To: Tomcat Users List
Subject: Re: TLS+SSLv3 but no SSLv2

Jens,

On 1/22/2010 11:10 AM, Jens Neu wrote:
> on http://tomcat.apache.org/tomcat-6.0-doc/apr.html I read for the 
> SSLProtocol:
> 
> "Protocol which may be used for communicating with clients. The default is 
> "all", with other acceptable values being "SSLv2", "SSLv3", "TLSv1", and 
> "SSLv2+SSLv3"."
> 
> Does this really mean that I can not allow a "TLSv1+SSLv3" setting while 
> forbidding SSLv2? It seems so to me, since setting SSLProtocol to this 
> obviously defaults to "ALL" :-(

I agree with Chuck: TLSv1 ~= SSLv3.

Although the "protocol" attribute has a limited set of values you can
choose, you can always set the ciphers you will allow using the
"ciphers" attribute. This will allow you to pick and choose the ciphers
regardless of the overall "protocol" that you choose.

The ciphers available depend upon your environment, but these are the
ones I can see in mine:

java version "1.6.0_12"
Java(TM) SE Runtime Environment (build 1.6.0_12-b04)
Java HotSpot(TM) Server VM (build 11.2-b01, mixed mode)

Default Cipher
*   SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*   SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
*   SSL_DHE_DSS_WITH_DES_CBC_SHA
*   SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*   SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
*   SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
*   SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
*   SSL_RSA_EXPORT_WITH_RC4_40_MD5
*   SSL_RSA_WITH_3DES_EDE_CBC_SHA
*   SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
*   SSL_RSA_WITH_RC4_128_MD5
*   SSL_RSA_WITH_RC4_128_SHA
*   TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_RC4_128_SHA
*   TLS_RSA_WITH_AES_128_CBC_SHA

Hope that helps,
-chris



RE: TLS+SSLv3 but no SSLv2

2010-01-22 Thread Jens Neu
unfortunately the behaviour for SSLProtocol="TLSv1" is:

j...@eluveitie:~> openssl s_client -ssl3 -connect server:8443
CONNECTED(0003)
9167:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake 
failure:s3_pkt.c:1053:SSL alert number 40
9167:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake 
failure:s3_pkt.c:530:

while
openssl s_client -tls1 -connect server:8443

works just fine. On top I also could not get IE 6.x to work with this, 
even with checking the "TLS 1.0" setting in the "Internet Options".

-Jens

Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de



"Caldarale, Charles R"  
01/22/2010 05:42 PM
Please respond to "Tomcat Users List"

To: Tomcat Users List
Subject: RE: TLS+SSLv3 but no SSLv2

> From: Jens Neu [mailto:jens@biotronik.com]
> Subject: TLS+SSLv3 but no SSLv2
> 
> Does this really mean that I can not allow a "TLSv1+SSLv3" setting
> while forbidding SSLv2?

I was under the impression that specifying TLSv1 would include SSLv3, 
since there are provisions within TLS to handle SSLv3.  Note that TLSv1.0 
- TLSv1.2 and SSLv3 all have the same major version number.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you 
received this in error, please contact the sender and delete the e-mail 
and its attachments from all computers.




TLS+SSLv3 but no SSLv2

2010-01-22 Thread Jens Neu
Dear all,

on http://tomcat.apache.org/tomcat-6.0-doc/apr.html I read for the 
SSLProtocol:

"Protocol which may be used for communicating with clients. The default is 
"all", with other acceptable values being "SSLv2", "SSLv3", "TLSv1", and 
"SSLv2+SSLv3"."

Does this really mean that I can not allow a "TLSv1+SSLv3" setting while 
forbidding SSLv2? It seems so to me, since setting SSLProtocol to this 
obviously defaults to "ALL" :-(


regards
Jens

Jens Neu
Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de




Re: SSLv3/TLS man-in-middle vulnerability

2010-01-18 Thread Jens Neu
Steve,

it is not a vulnerability of Tomcat, nevertheless it can be fixed by it. 
You definitely _should_ fix it, since data integrity can not be assured on 
your https connections any more.

I have little to no Windows experience; but my understanding is, that while 
running Tomcat on Windows Server, it will make use of the SSL/TLS 
libraries provided by Windows. Means: the Openssl solution will not work 
for you.
You would have to wait until MS provides a patch (some Windows guy should 
correct me on this if I'm mistaken).

Meanwhile you should investigate if you can fix it by clever choosing the 
Tomcat Connector; maybe some Windows- Tomcat Expert jumps on it :)

regards

Jens Neu
Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de



"Steve G. Johnson"  
01/18/2010 05:04 PM
Please respond to "Tomcat Users List"

To: Tomcat Users List
Subject: SSLv3/TLS man-in-middle vulnerability

The local IT Security team ran an HP "Web Inspect" and it showed a High
vulnerability for SSLv3/TLS known as CVE-2009-3555.
We are running JVM JRE 1.6.0._17 on the server.
You state on the http://tomcat.apache.org/security-5.html site at end of
page that this is not a vulnerability depending on a number of factors.
This is very unclear to us.









Re: CVE-2009-3555 fix in tomcat-native-1.1.19?! [solved]

2010-01-17 Thread Jens Neu
yes, that's it, zero html write.
Thank you for opening my eyes, maybe I should not have done that on a 
Friday evening :) Totally fixated on that tlsv1 alert I was...

regards from Berlin!

Jens Neu
Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de



Mladen Turk
01/15/2010 06:13 PM
Please respond to "Tomcat Users List"

To: Tomcat Users List
Subject: Re: CVE-2009-3555 fix in tomcat-native-1.1.19?!

On 01/15/2010 05:35 PM, Jens Neu wrote:
> Dear all,
>
>
> the GET / HTTP/1.0 until the "R" is manually inserted, I expect something
> like
>
> 
> 2860:error:1409444C:SSL routines:SSL3_READ_BYTES:tlsv1 alert no
> renegotiation:./ ssl/s3_pkt.c:1053:SSL alert number 100
> 
>
> but certainly no RENEGOTIATION. Any hints?
>

Tomcat Native handles that like mod_ssl
(actually I backported the mod_ssl code for that)
by simply dropping the connection.
I see you have 0 length write, so that's fine right?


Regards
-- 
^TM



CVE-2009-3555 fix in tomcat-native-1.1.19?!

2010-01-15 Thread Jens Neu
Dear all,

I just installed the tomcat-native-1.1.19 APR connector alongside 
tomcat-6.0.20 - since my understanding of its CHANGELOG.txt is, that the 
renegotiation vulnerability should be gone when using this APR connector, 
despite my openssl version being below 0.9.8l (since I'm on 
CentOS/RHEL5).

It installed fine, tomcat runs fine too, APR connector is used (according 
to catalina.out), everything seems shiny BUT:


7:j...@eluveitie:~> openssl s_client -connect 10.0.8.193:8443
CONNECTED(0003)
[...]
SSL-Session:
Protocol  : TLSv1
Cipher: DHE-RSA-AES256-SHA
Session-ID: 
3A9B50B20A6B3F62DE137E5642240DE0018863D3ED86B8EADAA5E46436D589E5
Session-ID-ctx: 
Master-Key: 
C579C042442C519FE02CF96A050EDAAD208C421E2FD1CA6E20DC818A13A7ABC5306AACFFDF36A440A3E1FED43CCDCB59
Key-Arg   : None
Start Time: 1263572654
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---


GET / HTTP/1.0
Host:evil.com
R


RENEGOTIATING
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting 
cc/OU=Certification Services Division/CN=Thawte Premium Server 
CA/emailaddress=premium-ser...@thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
5253:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake 
failure:s3_pkt.c:530:



the GET / HTTP/1.0 until the "R" is manually inserted, I expect something 
like


2860:error:1409444C:SSL routines:SSL3_READ_BYTES:tlsv1 alert no
renegotiation:./ ssl/s3_pkt.c:1053:SSL alert number 100


but certainly no RENEGOTIATION. Any hints?

System is CentOS 5.4, packages:
openssl-0.9.8e-12.el5
apr-devel-1.2.7-11.el5_3.1
apr-1.2.7-11.el5_3.1


thanks in advance! (probably will be afk for the weekend)
regards

Jens Neu
Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de

