I'm attempting to mitigate BEAST (CVE-2011-3389) attacks on Tomcat 6.0.35.
My understanding is that the attack applies only to CBC ciphers, and that
RC4 ciphers are not vulnerable, so I am attempting to restrict the set of
ciphers that Tomcat uses with the following config for a connector:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
address="0.0.0.0"
port="8443"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/path/to/keystore"
keystoreType="pkcs12"
ciphers="TLS_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_RC4_128_MD5,
SSL_CK_RC4_128_WITH_MD5"
clientAuth="false" sslProtocol="TLS" />
However, when I test this by attempting connections with a script[*] that
iterates through the set of ciphers available to openssl, it appears to
successfully connect with the following set of ciphers:
AES128-SHA
DES-CBC-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
EDH-RSA-DES-CBC-SHA
EDH-RSA-DES-CBC3-SHA
EXP-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-RC4-MD5
EXP-RC4-MD5
RC4-MD5
RC4-MD5
RC4-SHA
[*] The script basically parses the output of the following command:
openssl s_client -cipher "$cipher" -connect $SERVER
Am I misunderstanding the use of the "ciphers" parameter? Or is there
perhaps something in my testing methodology that accounts for these
unexpected results? Any advice would be appreciated.
Aloha,
-baron
--
Baron Fujimoto <[email protected]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
