Yeah, but I thought OpenSSL had a patch for this that worked. Read...#2635: 1/n-1 record splitting technique for CVE-2011-3389
-----Original Message-----
>From: Brian Braun <brianbr...@gmail.com>
>Sent: Sep 14, 2012 11:12 PM
>To: Tomcat Users List <users@tomcat.apache.org>
>Subject: Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for
>Tomcat 7.x
>
>Hi,
>
>Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat
>7.x?
>For more info about this attack:
>http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
>
>My thoughts and questions, as far as I have investigated this issue:
>
>- Disabling the TLS1.0 protocol would be too restrictive, because there are
>still browser versions in use that don't support TLS1.1 or TLS1.2.
>- Should we restrict the ciphers in use? If so, which ones should we offer
>for Tomcat 7.X over JVM1.6 and using a GeoCerts certificate (which means
>JSSE instead of OpenSSL)?
>- Will upgrading to the latest JVM (as of today, Sept 14th 2012) solve this
>issue?
>
>Thanks in advance.