RE: SSLv3/TLS man-in-middle vulnerability
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> If you have to stay with 5.5.23, you'll need to go with the APR SSL
> connector.
>
> (slap me if I'm still wrong Charles, but I checked the doc and there
> doesn't appear to be support for NIO in 5.5.x)

That is correct; NIO was introduced with Tomcat 6.0. There are noticeable performance and security improvements in 6.0.x, so that would be the preferred approach, even if APR is used. Migration to 6.0.x is pretty much painless:
http://tomcat.apache.org/migration.html

 - Chuck
RE: SSLv3/TLS man-in-middle vulnerability
As Charles said, move up to 6.0.20 and switch to the NIO connector. If you have to stay with 5.5.23, you'll need to go with the APR SSL connector.

(slap me if I'm still wrong Charles, but I checked the doc and there doesn't appear to be support for NIO in 5.5.x)

Jeff

-----Original Message-----
From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
Sent: Tuesday, January 19, 2010 10:24 AM
To: Tomcat Users List
Subject: RE: SSLv3/TLS man-in-middle vulnerability
RE: SSLv3/TLS man-in-middle vulnerability
Ah, didn't exactly ignore it, just forgot about it. I'd already removed it from the thread. Good point.

-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Tuesday, January 19, 2010 9:56 AM
To: Tomcat Users List
Subject: RE: SSLv3/TLS man-in-middle vulnerability
RE: SSLv3/TLS man-in-middle vulnerability
> From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> FYI: This is in my listener list:
>

If the tcnative library isn't found, the above listener will simply display a message stating so in the logs, so it doesn't hurt to have it in there. But do check the logs to make sure that message is being displayed.

> Added the "protocol" entry and now trying to start Tomcat manager
> results in "page cannot be displayed".

You need to move up to 6.0.20, as mentioned earlier.

 - Chuck
RE: SSLv3/TLS man-in-middle vulnerability
Hi Charles,

FYI: This is in my listener list:

Added the "protocol" entry and now trying to start Tomcat manager results in "page cannot be displayed". Removing entry it starts. Added as follows:

Steve

Steve Johnson
(619) 237-8315

"Caldarale, Charles R" wrote on 01/19/2010 07:33 AM
To: Tomcat Users List
Subject: RE: SSLv3/TLS man-in-middle vulnerability
RE: SSLv3/TLS man-in-middle vulnerability
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> In particular, he stated that switching to the NIO connector at this
> point wouldn't address it (from my reading of his post), as the fix
> will require a JDK/JRE fix from the vendor and a workaround isn't
> available yet.

You ignored Filip's post:

"NIO doesn't allow handshakes and is not vulnerable. Instead it will time out the request. So if using Tomcat 6, then NIO is a work around."

http://marc.info/?l=tomcat-user&m=126384310705143&w=2

 - Chuck
RE: SSLv3/TLS man-in-middle vulnerability
You're right. I'd completely forgotten the SSL. Odd, since I do nothing but SSL here.

As I recall, it's re-issue your certificate in OpenSSL format (or convert it) and change the SSL specific parameters as follows:

Drop the "sslProtocol" and keystore* attributes and replace with

SSLEngine="on"
SSLCertificateFile="path"
SSLCertificateKeyFile="path"
SSLPassword="password"

Yes, re-issuing the cert or converting it will be a hassle, but is well documented on the website, as are the above attributes/parameters.

I addressed this as an answer to Mark's original suggestion, and I quote: "Right now, the quickest way to fix this is to switch to the APR/native connector and use 1.1.19"

In particular, he stated that switching to the NIO connector at this point wouldn't address it (from my reading of his post), as the fix will require a JDK/JRE fix from the vendor and a workaround isn't available yet. But the 1.1.19 APR has the workaround available now.

Jeff

-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Tuesday, January 19, 2010 9:29 AM
To: Tomcat Users List
Subject: RE: SSLv3/TLS man-in-middle vulnerability
RE: SSLv3/TLS man-in-middle vulnerability
> From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
> Subject: Re: SSLv3/TLS man-in-middle vulnerability
>
> <Connector port="8443" maxThreads="150"
>            minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>            disableUploadTimeout="true" acceptCount="100" scheme="https"
>            secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="xxx"
>            keystorePass="xxx" keystoreType="PKCS12" />

Add the following attribute to the above:

protocol="org.apache.coyote.http11.Http11NioProtocol"

Leave the AJP alone.

 - Chuck
RE: SSLv3/TLS man-in-middle vulnerability
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> For Steve to switch to the APR/native connectors, all he needs to do in
> this config is download the native libraries and restart, correct?

No, the SSL config is completely different. Easier to use the NIO, as Mark suggested.

 - Chuck
RE: SSLv3/TLS man-in-middle vulnerability
Mark -

For Steve to switch to the APR/native connectors, all he needs to do in this config is download the native libraries and restart, correct? Oh and make sure the following line is in the server.xml file to start the APR lifecycle listener.

Steve, you can download the latest APR lib from the Tomcat website. Follow the "Tomcat Native" link and get the one for your environment.

Jeff

-----Original Message-----
From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
Sent: Tuesday, January 19, 2010 9:08 AM
To: Tomcat Users List
Subject: Re: SSLv3/TLS man-in-middle vulnerability
Re: SSLv3/TLS man-in-middle vulnerability
Mark,

Our JRE is 1.6.0_17. Below are server.xml entries for connectors minus security tag values. Please suggest changes. Is that all I have to do before Security runs another HP scan?

Thanks

Steve Johnson
(619) 237-8315

Mark Thomas wrote on 01/19/2010 06:48 AM
To: Tomcat Users List
Subject: Re: SSLv3/TLS man-in-middle vulnerability
Re: SSLv3/TLS man-in-middle vulnerability
On 19/01/2010 02:31, Steve G. Johnson wrote:
> Mark,
> Since we do not know how to "switch connectors", or install OpenSSL, and do
> not have JDK on the server (only JRE 1.6.0_17), then I suppose the best bet
> is to wait until Tomcat is fixed ("coming soon").

You can replace JDK with JRE in what I wrote previously.

Switching from BIO to NIO is a simple change to server.xml, if you are interested.

Mark
Re: SSLv3/TLS man-in-middle vulnerability
Mark,

Since we do not know how to "switch connectors", or install OpenSSL, and do not have JDK on the server (only JRE 1.6.0_17), then I suppose the best bet is to wait until Tomcat is fixed ("coming soon").

Steve Johnson
(619) 237-8315

Mark Thomas wrote on 01/18/2010 09:19 AM
To: Tomcat Users List
Subject: Re: SSLv3/TLS man-in-middle vulnerability
Re: SSLv3/TLS man-in-middle vulnerability
On 01/18/2010 10:18 AM, Mark Thomas wrote:
> You have a couple of options, depending on which connector you are using.
>
> BIO & NIO connectors
> - use JSSE for SSL
> - JSSE is provided by the JDK
> - a fix will require a fix in the JDK - talk to your JDK vendor
> - the next 6.0.x release (coming soon) will contain a workaround

NIO doesn't allow handshakes and is not vulnerable. Instead it will time out the request. So if using Tomcat 6, then NIO is a work around.

Filip

> APR/native connector
> - uses OpenSSL for SSL
> - OpenSSL is provided by the OpenSSL project
> - a fix requires a fix in OpenSSL
> - APR/native 1.1.19 includes a workaround for this issue
>
> Right now, the quickest way to fix this is to switch to the APR/native
> connector and use 1.1.19
>
> Mark
Re: SSLv3/TLS man-in-middle vulnerability
On 18/01/2010 11:37, Jens Neu wrote:
> Steve,
>
> it is not a vulnerability of Tomcat, nevertheless it can be fixed by it.
> You definitely _should_ fix it, since data integrity can not be assured on
> your https connections any more.
>
> I have little to no Windows experience; but my understanding is, that while
> running Tomcat on Windows Server, it will make use of the SSL/TLS
> libraries provided by Windows. Means: the OpenSSL solution will not work
> for you.
> You would have to wait until MS provides a patch (some Windows guy should
> correct me on this if I'm mistaken).

You are mistaken. BIO & NIO use JSSE from the JDK. APR/native does use OpenSSL.

> Meanwhile you should investigate if you can fix it by cleverly choosing the
> Tomcat Connector; maybe some Windows-Tomcat Expert jumps on it :)

See my other reply on this thread for details.

Mark
Re: SSLv3/TLS man-in-middle vulnerability
On 18/01/2010 11:03, Steve G. Johnson wrote:
>
> We recently installed Tomcat 5.5.23 in Windows server to support the Infor
> WebUI (webtop) application.
> We installed a certificate and are using SSL on port 8443. This all works
> fine.
>
> The local IT Security team ran an HP "Web Inspect" and it showed a High
> vulnerability for SSLv3/TLS known as CVE-2009-3555.
> We are running JVM JRE 1.6.0_17 on the server.
> You state on the http://tomcat.apache.org/security-5.html site at end of
> page that this is not a vulnerability depending on a number of factors.
> This is very unclear for us.
>
> The Web Inspect product stated that this must be fixed as follows:
> "
> Patches must be applied to the underlying web server and ssl library.
> OpenSSL Patch: http://www.openssl.org/source/openssl-0.9.8l.tar.gz
> Apache Mod-SSL Patch:
> http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
> These patches may cause issues with sites that require renegotiation.
> (Sites requiring public HTTPS access with certain folders
> protected by client-side certificates)
> "
>
> What can we do to make the vulnerability shown in Web Inspect go away?

You have a couple of options, depending on which connector you are using.

BIO & NIO connectors
- use JSSE for SSL
- JSSE is provided by the JDK
- a fix will require a fix in the JDK - talk to your JDK vendor
- the next 6.0.x release (coming soon) will contain a workaround

APR/native connector
- uses OpenSSL for SSL
- OpenSSL is provided by the OpenSSL project
- a fix requires a fix in OpenSSL
- APR/native 1.1.19 includes a workaround for this issue

Right now, the quickest way to fix this is to switch to the APR/native connector and use 1.1.19

Mark
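Mark's breakdown above, Chuck's protocol-attribute change and Chuck's warning that the APR SSL config is completely different all hinge on one question the thread keeps circling: which SSL stack is a given connector actually using? The following audit script is an added example, not code from the thread or from the Tomcat project; the function names, the classification labels and the sample server.xml (modelled on Steve's connector, with constructed values) are this example's own assumptions, and the APR attribute names SSLEnabled, SSLCertificateFile, SSLCertificateKeyFile and SSLPassword are taken from the Tomcat APR connector documentation rather than from the thread.

```python
"""Classify each HTTPS connector in a Tomcat 5.5/6.0 server.xml by SSL stack.

BIO and NIO connectors use JSSE (a CVE-2009-3555 fix comes from the JDK vendor;
NIO does not allow renegotiation and times the request out instead), while the
APR/native connector uses OpenSSL and needs tcnative 1.1.19 for the workaround.
"""
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"


def apr_ssl_listener_present(root):
    """True when the APR lifecycle listener is declared with SSLEngine="on"."""
    return any(
        lst.get("className") == APR_LISTENER and lst.get("SSLEngine", "off") == "on"
        for lst in root.iter("Listener")
    )


def classify(connector, apr_active):
    """Return (ssl_stack, advice) for one HTTPS <Connector> element."""
    proto = connector.get("protocol", "HTTP/1.1")
    if proto == NIO_PROTOCOL:
        # Chuck's change; the NIO connector exists on Tomcat 6.0.x only, not 5.5.x.
        return "NIO/JSSE", "renegotiation is not allowed; Tomcat 6 workaround"
    # protocol="HTTP/1.1" silently becomes APR once the listener has loaded tcnative.
    if proto == APR_PROTOCOL or (proto == "HTTP/1.1" and apr_active):
        if connector.get("SSLCertificateFile") is None:
            # Chuck's point: keystore* attributes mean nothing to the OpenSSL stack.
            return "APR/OpenSSL", ("misconfigured: needs SSLCertificateFile/"
                                   "SSLCertificateKeyFile, keystore* is ignored")
        return "APR/OpenSSL", "needs tcnative 1.1.19 for the renegotiation workaround"
    return "BIO/JSSE", "vulnerable until the JDK vendor ships a fix"


def audit(server_xml, tcnative_present=False):
    """Map each HTTPS connector port to its (ssl_stack, advice)."""
    root = ET.fromstring(server_xml)
    apr_active = tcnative_present and apr_ssl_listener_present(root)
    return {
        c.get("port"): classify(c, apr_active)
        for c in root.iter("Connector")
        if c.get("scheme") == "https" or c.get("SSLEnabled") == "true"
    }


# Constructed sample modelled on Steve's connector (values shortened).
SAMPLE_BIO = """<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8443" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="xxx" keystorePass="xxx" keystoreType="PKCS12" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Chuck's edit: add the NIO protocol attribute, leave the AJP connector alone.
SAMPLE_NIO = SAMPLE_BIO.replace(
    'port="8443"', 'port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"')

# Jeff's route: APR/native with OpenSSL-style certificate attributes (constructed paths).
SAMPLE_APR = """<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" SSLCertificateFile="/path/cert.pem"
               SSLCertificateKeyFile="/path/key.pem" SSLPassword="changeit" />
  </Service>
</Server>"""

if __name__ == "__main__":
    cases = (("bio", SAMPLE_BIO, False), ("bio+tcnative", SAMPLE_BIO, True),
             ("nio", SAMPLE_NIO, False), ("apr", SAMPLE_APR, True))
    for name, xml, native in cases:
        for port, (stack, advice) in audit(xml, native).items():
            print(f"{name:13} port {port}: {stack:12} {advice}")
```

The "bio+tcnative" case is the trap Chuck describes: dropping the native library next to Steve's unchanged connector switches it to OpenSSL and leaves the keystore attributes doing nothing.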
Re: SSLv3/TLS man-in-middle vulnerability
Steve,

it is not a vulnerability of Tomcat, nevertheless it can be fixed by it. You definitely _should_ fix it, since data integrity can not be assured on your https connections any more.

I have little to no Windows experience; but my understanding is, that while running Tomcat on Windows Server, it will make use of the SSL/TLS libraries provided by Windows. Means: the OpenSSL solution will not work for you. You would have to wait until MS provides a patch (some Windows guy should correct me on this if I'm mistaken).

Meanwhile you should investigate if you can fix it by cleverly choosing the Tomcat Connector; maybe some Windows-Tomcat Expert jumps on it :)

regards
Jens Neu
Health Services Network Administration
Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de

"Steve G. Johnson" wrote on 01/18/2010 05:04 PM
To: Tomcat Users List
Subject: SSLv3/TLS man-in-middle vulnerability

> The local IT Security team ran an HP "Web Inspect" and it showed a High
> vulnerability for SSLv3/TLS known as CVE-2009-3555.
> We are running JVM JRE 1.6.0_17 on the server.
> You state on the http://tomcat.apache.org/security-5.html site at end of
> page that this is not a vulnerability depending on a number of factors.
> This is very unclear for us.