Re: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Mark Thomas
On 19/01/2010 02:31, Steve G. Johnson wrote:
> Mark,
> Since we do not know how to switch connectors, or install OpenSSL, and do
> not have JDK on the server (only JRE 1.6.0_17), then I suppose the best bet
> is to wait until Tomcat is fixed (coming soon).

You can replace JDK with JRE in what I wrote previously. Switching from BIO to
NIO is a simple change to server.xml, if you are interested.

Mark



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Steve G. Johnson
Mark,
Our JRE is 1.6.0_17.
Below are server.xml entries for connectors minus security tag values.
Please suggest changes. Is that all I have to do before Security runs
another HP scan?
Thanks
<!--
   Define a SSL HTTP/1.1 Connector on port 8443
-->
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
    minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
    disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" keystoreFile="xxx"
    keystorePass="xxx" keystoreType="PKCS12" />
<!--
   Define an AJP 1.3 Connector on port 8009
-->
<Connector port="8009" enableLookups="false" redirectPort="8443"
    protocol="AJP/1.3" />
<!--
   Define a Proxied HTTP/1.1 Connector on port 8082
-->
<!--
   See proxy documentation for more information about using this.
-->
<!--
<Connector port="8082"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" acceptCount="100" connectionTimeout="2"
    proxyPort="80" disableUploadTimeout="true" />
-->



Steve Johnson (619) 237-8315 P Please consider the environment before
printing this e-mail.





   

RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Jeffrey Janner
Mark -
For Steve to switch to the APR/native connectors, all he needs to do in this 
config is download the native libraries and restart, correct?  Oh and make sure 
the following line is in the server.xml file to start the APR lifecycle 
listener.
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />

Steve, you can download the latest APR lib from the Tomcat website.  Follow the 
Tomcat Native link and get the one for your environment.
Jeff

-Original Message-
From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com] 
Sent: Tuesday, January 19, 2010 9:08 AM
To: Tomcat Users List
Subject: Re: SSLv3/TLS man-in-middle vulnerability

***  NOTICE  *
This message is intended for the use of the individual or entity to which 
it is addressed and may contain information that is privileged, 
confidential, and exempt from disclosure under applicable law.  If the 
reader of this message is not the intended recipient or the employee or 
agent responsible for delivering this message to the intended recipient, 
you are hereby notified that any dissemination, distribution, or copying 
of this communication is strictly prohibited.  If you have received this 
communication in error, please notify us immediately by reply or by 
telephone (call us collect at 512-343-9100) and immediately delete this 
message and all its attachments.



RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Caldarale, Charles R
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> For Steve to switch to the APR/native connectors, all he needs to do in
> this config is download the native libraries and restart, correct?

No, the SSL config is completely different.  Easier to use the NIO Connector, 
as Mark suggested.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Caldarale, Charles R
> From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
> Subject: Re: SSLv3/TLS man-in-middle vulnerability
>
>   <Connector port="8443" maxHttpHeaderSize="8192"
>       maxThreads="150"
>       minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>       disableUploadTimeout="true" acceptCount="100" scheme="https"
>       secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="xxx"
>       keystorePass="xxx" keystoreType="PKCS12" />

Add the following attribute to the above:

protocol="org.apache.coyote.http11.Http11NioProtocol"

Leave the AJP Connector alone.

 - Chuck





RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Jeffrey Janner
You're right.  I'd completely forgotten the SSL.  Odd, since I do
nothing but SSL here. 
As I recall, it's re-issue your certificate in OpenSSL format (or
convert it) and change the SSL specific parameters as follows:
 Drop the sslProtocol and keystore* attributes and replace with
  SSLEngine="on"
  SSLCertificateFile="path"
  SSLCertificateKeyFile="path"
  SSLPassword="password"
Yes, re-issuing the cert or converting it will be a hassle, but is well
documented on the website, as are the above attributes/parameters.

I addressed this as an answer to Mark's original suggestion, and I
quote:
> Right now, the quickest way to fix this is to switch to the
> APR/native connector and use 1.1.19

In particular, he stated that switching to the NIO connector at this
point wouldn't address it (from my reading of his post), as the fix will
require a JDK/JRE fix from the vendor and a workaround isn't available
yet.  But the 1.1.19 APR has the workaround available now.

Jeff

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Tuesday, January 19, 2010 9:29 AM
To: Tomcat Users List
Subject: RE: SSLv3/TLS man-in-middle vulnerability



RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Caldarale, Charles R
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> In particular, he stated that switching to the NIO connector at this
> point wouldn't address it (from my reading of his post), as the fix
> will require a JDK/JRE fix from the vendor and a workaround isn't
> available yet.

You ignored Filip's post:

NIO doesn't allow handshakes and is not vulnerable. Instead it will time out 
the request. So if using Tomcat 6, then NIO is a work around.

http://marc.info/?l=tomcat-user&m=126384310705143&w=2

 - Chuck





RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Steve G. Johnson
Hi Charles,
FYI: This is in my listener list:
<Listener className="org.apache.catalina.core.AprLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener" />

Added the protocol entry and now trying to start Tomcat manager results
in page cannot be displayed. Removing entry it starts.
Added as follows:
<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    keystoreFile="xxx" keystorePass="xxx" keystoreType="PKCS12"
/>

Steve





RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Caldarale, Charles R
> From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> FYI: This is in my listener list:
> <Listener className="org.apache.catalina.core.AprLifecycleListener" />

If the tcnative library isn't found, the above listener will simply display a 
message stating so in the logs, so it doesn't hurt to have it in there.  But do 
check the logs to make sure that message is being displayed.

> Added the protocol entry and now trying to start Tomcat manager
> results in page cannot be displayed.

You need to move up to 6.0.20, as mentioned earlier.

 - Chuck





RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Jeffrey Janner
Ah, didn't exactly ignore it, just forgot about it.  I'd already removed
it from the thread.
Good point.

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Tuesday, January 19, 2010 9:56 AM
To: Tomcat Users List
Subject: RE: SSLv3/TLS man-in-middle vulnerability



RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Caldarale, Charles R
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> If you have to stay with 5.5.23, you'll need to go with the APR SSL
> connector.
>
> (slap me if I'm still wrong Charles, but I checked the doc and there
> doesn't appear to be support for NIO in 5.5.x)

That is correct; NIO was introduced with Tomcat 6.0.  There are noticeable 
performance and security improvements in 6.0.x, so that would be the preferred 
approach, even if APR is used.

Migration to 6.0.x is pretty much painless:
http://tomcat.apache.org/migration.html

 - Chuck





SSLv3/TLS man-in-middle vulnerability

2010-01-18 Thread Steve G. Johnson

We recently installed Tomcat 5.5.23 in Windows server to support the Infor
WebUI (webtop) application.
We installed a certificate and are using SSL on port 8443. This all works
fine.

The local IT Security team ran an HP Web Inspect and it showed a High
vulnerability for SSLv3/TLS known as CVE-2009-3555.
We are running JVM JRE 1.6.0_17 on the server.
You state on the http://tomcat.apache.org/security-5.html site at end of
page that this is not a vulnerability depending on a number of factors.
This is very unclear for us.

The Web Inspect product stated that this must be fixed as follows:

Patches must be applied to the underlying web server and ssl library.
OpenSSL Patch: http://www.openssl.org/source/openssl-0.9.8l.tar.gz
Apache Mod-SSL Patch:
http://www.apache.org/dist/httpd/patches/apply_to_2.2.14
/CVE-2009-3555-2.2.patch
These patches may cause issues with sites that require renegotiation.
(Sites requiring public HTTPS access with certain folders
protected by client-side certificates)


What can we do to make the vulnerability shown in Web Inspect go away?

Thanks.







Re: SSLv3/TLS man-in-middle vulnerability

2010-01-18 Thread Jens Neu
Steve,

it is not a vulnerability of Tomcat, nevertheless it can be fixed by it. 
You definitely _should_ fix it, since data integrity can not be assured on 
your https connections any more.

I have little to no Windows experience; but my understanding is, that while 
running Tomcat on Windows Server, it will make use of the SSL/TLS 
libraries provided by Windows. Means: the Openssl solution will not work 
for you.
You would have to wait until MS provides a patch (some Windows guy should 
correct me on this if I'm mistaken).

Meanwhile you should investigate if you can fix it by cleverly choosing the 
Tomcat Connector; maybe some Windows Tomcat Expert jumps on it :)

regards

Jens Neu
Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de



www.biotronik.com

BIOTRONIK SE & Co. KG
Woermannkehre 1, 12359 Berlin, Germany
Registered office: Berlin, Register court: Berlin HRA 6501

Represented by its general partner:
BIOTRONIK MT SE
Registered office: Berlin, Register court: Berlin HRB 118866 B
Chairman of the Administrative Board: Dr. Max Schaldach
Managing Directors: Christoph Böhmer, Dr. Werner Braun, Dr. 
Lothar Krings

BIOTRONIK - A global manufacturer of advanced Cardiac Rhythm Management 
systems and Vascular Intervention devices. Quality, innovation, and 
reliability define BIOTRONIK and our growing success. We are innovators of 
technologies like the first wireless remote monitoring system - Home 
Monitoring®, Closed Loop Stimulation and coveted lead solutions as well as 
state-of-the-art stents, balloons and guide wires for coronary and 
peripheral indications. We highly invest in the development of drug 
eluting devices and are leading the industry with our bioabsorbable metal 
stent program.

This e-mail and the information it contains including attachments are 
confidential and meant only for use by the intended recipient(s); 
disclosure or copying is strictly prohibited. If you are not addressed, 
but in the possession of this e-mail, please notify the sender immediately 
and delete the document.


Re: SSLv3/TLS man-in-middle vulnerability

2010-01-18 Thread Mark Thomas
On 18/01/2010 11:03, Steve G. Johnson wrote:
>
> We recently installed Tomcat 5.5.23 in Windows server to support the Infor
> WebUI (webtop) application.
> We installed a certificate and are using SSL on port 8443. This all works
> fine.
>
> The local IT Security team ran an HP Web Inspect and it showed a High
> vulnerability for SSLv3/TLS known as CVE-2009-3555.
> We are running JVM JRE 1.6.0_17 on the server.
> You state on the http://tomcat.apache.org/security-5.html site at end of
> page that this is not a vulnerability depending on a number of factors.
> This is very unclear for us.
>
> The Web Inspect product stated that this must be fixed as follows:
>
> Patches must be applied to the underlying web server and ssl library.
> OpenSSL Patch: http://www.openssl.org/source/openssl-0.9.8l.tar.gz
> Apache Mod-SSL Patch:
> http://www.apache.org/dist/httpd/patches/apply_to_2.2.14
> /CVE-2009-3555-2.2.patch
> These patches may cause issues with sites that require renegotiation.
> (Sites requiring public HTTPS access with certain folders
> protected by client-side certificates)
>
>
> What can we do to make the vulnerability shown in Web Inspect go away?

You have a couple of options, depending on which connector you are using.

BIO & NIO connectors
 - use JSSE for SSL
 - JSSE is provided by the JDK
 - a fix will require a fix in the JDK - talk to your JDK vendor
 - the next 6.0.x release (coming soon) will contain a workaround

APR/native connector
 - uses OpenSSL for SSL
 - OpenSSL is provided by the OpenSSL project
 - a fix requires a fix in OpenSSL
 - APR/native 1.1.19 includes a workaround for this issue

Right now, the quickest way to fix this is to switch to the APR/native
connector and use 1.1.19

Mark






Re: SSLv3/TLS man-in-middle vulnerability

2010-01-18 Thread Mark Thomas
On 18/01/2010 11:37, Jens Neu wrote:
> Steve,
>
> it is not a vulnerability of Tomcat, nevertheless it can be fixed by it.
> You definitely _should_ fix it, since data integrity can not be assured on
> your https connections any more.
>
> I have little to no Windows experience; but my understanding is, that while
> running Tomcat on Windows Server, it will make use of the SSL/TLS
> libraries provided by Windows. Means: the Openssl solution will not work
> for you.
> You would have to wait until MS provides a patch (some Windows guy should
> correct me on this if I'm mistaken).

You are mistaken. BIO & NIO use JSSE from the JDK. APR/native does use
OpenSSL.

> Meanwhile you should investigate if you can fix it by cleverly choosing the
> Tomcat Connector; maybe some Windows Tomcat Expert jumps on it :)

See my other reply on this thread for details.

Mark






Re: SSLv3/TLS man-in-middle vulnerability

2010-01-18 Thread Filip Hanik - Dev Lists

On 01/18/2010 10:18 AM, Mark Thomas wrote:
> On 18/01/2010 11:03, Steve G. Johnson wrote:
>> We recently installed Tomcat 5.5.23 in Windows server to support the Infor
>> WebUI (webtop) application.
>> We installed a certificate and are using SSL on port 8443. This all works
>> fine.
>>
>> The local IT Security team ran an HP Web Inspect and it showed a High
>> vulnerability for SSLv3/TLS known as CVE-2009-3555.
>> We are running JVM JRE 1.6.0_17 on the server.
>> You state on the http://tomcat.apache.org/security-5.html site at end of
>> page that this is not a vulnerability depending on a number of factors.
>> This is very unclear for us.
>>
>> The Web Inspect product stated that this must be fixed as follows:
>>
>> Patches must be applied to the underlying web server and ssl library.
>> OpenSSL Patch: http://www.openssl.org/source/openssl-0.9.8l.tar.gz
>> Apache Mod-SSL Patch:
>> http://www.apache.org/dist/httpd/patches/apply_to_2.2.14
>> /CVE-2009-3555-2.2.patch
>> These patches may cause issues with sites that require renegotiation.
>> (Sites requiring public HTTPS access with certain folders
>> protected by client-side certificates)
>>
>>
>> What can we do to make the vulnerability shown in Web Inspect go away?
>
> You have a couple of options, depending on which connector you are using.
>
> BIO & NIO connectors
>   - use JSSE for SSL
>   - JSSE is provided by the JDK
>   - a fix will require a fix in the JDK - talk to your JDK vendor
>   - the next 6.0.x release (coming soon) will contain a workaround

NIO doesn't allow handshakes and is not vulnerable. Instead it will time 
out the request

So if using Tomcat 6, then NIO is a work around

Filip

> APR/native connector
>   - uses OpenSSL for SSL
>   - OpenSSL is provided by the OpenSSL project
>   - a fix requires a fix in OpenSSL
>   - APR/native 1.1.19 includes a workaround for this issue
>
> Right now, the quickest way to fix this is to switch to the APR/native
> connector and use 1.1.19
>
> Mark



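Mark's breakdown of which connector uses which TLS stack, Filip's note that NIO times the renegotiation out, Chuck's protocol attribute, and the reminder that NIO exists only from Tomcat 6.0 add up to a config audit. The script below is an added example written for this page, not code from the thread or from the Tomcat project: it classifies the SSL connectors in a server.xml along those lines and applies the NIO change. The sample server.xml is constructed from the config Steve posted (keystore values are placeholders), and Http11Protocol/Http11AprProtocol are the standard Tomcat 6 connector class names.

```python
"""Audit Tomcat server.xml SSL connectors for the CVE-2009-3555 exposure
discussed in the thread: BIO uses JSSE and stays exposed until the JDK is
fixed; NIO (Tomcat 6.0+) uses JSSE but times the renegotiation request out;
APR/native uses OpenSSL and needs tcnative 1.1.19 or later."""
import xml.etree.ElementTree as ET

NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
BIO_PROTOCOL = "org.apache.coyote.http11.Http11Protocol"
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

# Constructed sample modelled on the server.xml posted in the thread;
# keystore values are placeholders exactly as in the original post.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Service name="Catalina">
    <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
        enableLookups="false" acceptCount="100" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS" keystoreFile="xxx"
        keystorePass="xxx" keystoreType="PKCS12" />
    <Connector port="8009" enableLookups="false" redirectPort="8443"
        protocol="AJP/1.3" />
  </Service>
</Server>
"""


def is_ssl_connector(attrs):
    """True for connectors that terminate TLS themselves. AJP and plain HTTP
    connectors that only carry redirectPort="8443" are not SSL connectors."""
    def flag(name):
        return attrs.get(name, "").strip().lower()
    return (flag("SSLEnabled") == "true" or flag("secure") == "true"
            or flag("scheme") == "https")


def classify(attrs, apr_listener_present):
    """Return (implementation, ssl_stack, note) for one SSL connector."""
    proto = attrs.get("protocol", "HTTP/1.1")
    if proto == NIO_PROTOCOL:
        return ("NIO", "JSSE",
                "not exposed: NIO times the renegotiation out (Tomcat 6.0+ only)")
    if proto == APR_PROTOCOL:
        return ("APR", "OpenSSL",
                "needs tcnative 1.1.19 or later; confirm the version in the logs")
    if proto == BIO_PROTOCOL:
        return ("BIO", "JSSE",
                "exposed until the JDK is fixed; move to NIO (Tomcat 6) or APR 1.1.19")
    if proto == "HTTP/1.1":
        # Plain HTTP/1.1 only becomes APR when the AprLifecycleListener is
        # configured AND tcnative was actually found at startup; otherwise BIO.
        if apr_listener_present and "SSLCertificateFile" in attrs:
            return ("APR", "OpenSSL",
                    "APR-style SSL attributes; confirm tcnative 1.1.19+ loaded in the logs")
        if apr_listener_present:
            return ("BIO", "JSSE",
                    "JSSE keystore attributes with HTTP/1.1: BIO unless the logs show "
                    "tcnative loaded; exposed until the JDK is fixed")
        return ("BIO", "JSSE",
                "exposed until the JDK is fixed; move to NIO (Tomcat 6) or APR 1.1.19")
    return ("unknown", "unknown", "protocol %r not classified" % proto)


def audit(server_xml):
    """Return one (port, implementation, ssl_stack, note) per SSL connector."""
    root = ET.fromstring(server_xml)
    apr = any(l.get("className") == APR_LISTENER for l in root.iter("Listener"))
    return [(c.get("port"),) + classify(c.attrib, apr)
            for c in root.iter("Connector") if is_ssl_connector(c.attrib)]


def apply_nio_fix(server_xml):
    """Return server.xml with the NIO protocol attribute Chuck suggested added
    to every SSL connector still on the default HTTP/1.1 implementation."""
    root = ET.fromstring(server_xml)
    for c in root.iter("Connector"):
        if is_ssl_connector(c.attrib) and c.get("protocol", "HTTP/1.1") == "HTTP/1.1":
            c.set("protocol", NIO_PROTOCOL)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, impl, stack, note in audit(SAMPLE_SERVER_XML):
        print("port %s: %s/%s: %s" % (port, impl, stack, note))
    for port, impl, stack, note in audit(apply_nio_fix(SAMPLE_SERVER_XML)):
        print("after NIO fix, port %s: %s/%s: %s" % (port, impl, stack, note))
```

The script cannot see whether tcnative actually loaded, which is why the HTTP/1.1 case defers to the catalina log line the AprLifecycleListener writes, as Chuck advised.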



Re: SSLv3/TLS man-in-middle vulnerability

2010-01-18 Thread Steve G. Johnson
Mark,
Since we do not know how to switch connectors, or install OpenSSL, and do
not have JDK on the server (only JRE 1.6.0_17), then I suppose the best bet
is to wait until Tomcat is fixed (coming soon).


