2013/1/9 Baron Fujimoto <ba...@hawaii.edu>:
> I'm attempting to mitigate BEAST (CVE-2011-3389) attacks on Tomcat 6.0.35.
> My understanding is that the attack applies only to CBC ciphers, and that
> RC4 ciphers are not vulnerable, so I am attempting to restrict the set of
> ciphers that Tomcat uses with the following config for a connector:
>
>   <Connector protocol="HTTP/1.1" SSLEnabled="true"
>              address="0.0.0.0"
>              port="8443"
>              maxThreads="150" scheme="https" secure="true"
>              keystoreFile="/path/to/keystore"
>              keystoreType="pkcs12"
>              ciphers="TLS_RSA_WITH_RC4_128_SHA,
>                       TLS_RSA_WITH_RC4_128_MD5,
>                       SSL_CK_RC4_128_WITH_MD5"
>              clientAuth="false" sslProtocol="TLS" />
>
> However, when I test this by attempting connections with a script[*] that
> iterates through the set of ciphers available to openssl, it appears to
> successfully connect with the following set of ciphers:
>
> AES128-SHA
> DES-CBC-SHA
> DES-CBC3-SHA
> DHE-RSA-AES128-SHA
> EDH-RSA-DES-CBC-SHA
> EDH-RSA-DES-CBC3-SHA
> EXP-DES-CBC-SHA
> EXP-EDH-RSA-DES-CBC-SHA
> EXP-RC4-MD5
> EXP-RC4-MD5
> RC4-MD5
> RC4-MD5
> RC4-SHA
>
> [*] The script basically parses the output of the following command:
>     openssl s_client -cipher "$cipher" -connect $SERVER
>
> Am I misunderstanding the use of the "ciphers" parameter? Or is there
> perhaps something in my testing methodology that accounts for these
> unexpected results?  Any advice would be appreciated.
>

As can be seen from your usage of the "keystoreType" attribute, you are
using the Java implementation of the Connector, not the openssl/APR one.

You should look into the Java documentation for their cipher names.

See this thread from October 2009:
http://markmail.org/message/zn4namfhypyxum23

Best regards,
Konstantin Kolinko
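An added example, not from either poster: the reply's point is that the JSSE (Java) connector only understands the cipher suite names its own provider uses, which differ from the OpenSSL names the test script sees (OpenSSL's RC4-SHA is the same suite JSSE lists as SSL_RSA_WITH_RC4_128_SHA). The small program below, assuming the default JSSE provider of whatever JDK runs Tomcat, parses a "ciphers" attribute value exactly as written in the connector (commas, newlines and indentation included), reports which entries the provider actually recognises, and prints the provider's own RC4 suite names so the configuration can be corrected against them. The constant CONFIGURED is the list from the connector above, embedded here as sample input; pass a different list as the first argument to check it instead.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;

public class CipherNameCheck {

    // Constructed sample: the "ciphers" attribute value as it appears in the
    // Connector above, including the line breaks and indentation.
    static final String CONFIGURED =
        "TLS_RSA_WITH_RC4_128_SHA,\n"
      + "                       TLS_RSA_WITH_RC4_128_MD5,\n"
      + "                       SSL_CK_RC4_128_WITH_MD5";

    // Split the attribute value on commas and trim each entry, so whitespace
    // and newlines inside the XML attribute do not become part of a name.
    static Set<String> parseCipherList(String attr) {
        Set<String> names = new LinkedHashSet<String>();
        for (String raw : attr.split(",")) {
            String name = raw.trim();
            if (name.length() > 0) {
                names.add(name);
            }
        }
        return names;
    }

    // Suite names known to this JVM's default JSSE provider. A configured
    // entry that is not in this set can never be enabled by the Java connector.
    static Set<String> supportedSuites() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        return new TreeSet<String>(Arrays.asList(
            ctx.getSupportedSSLParameters().getCipherSuites()));
    }

    public static void main(String[] args) throws Exception {
        Set<String> supported = supportedSuites();
        Set<String> configured =
            parseCipherList(args.length > 0 ? args[0] : CONFIGURED);

        int recognised = 0;
        for (String name : configured) {
            boolean ok = supported.contains(name);
            if (ok) {
                recognised++;
            }
            System.out.println((ok ? "OK      " : "UNKNOWN ") + name);
        }
        if (recognised == 0) {
            System.out.println("None of the configured names is a JSSE suite name;"
                + " this list cannot restrict the connector as intended.");
        }

        // Print what the provider itself calls its RC4 suites, so the
        // connector can be configured with names it will actually match.
        System.out.println();
        System.out.println("RC4 suites known to this JVM's provider:");
        for (String s : supported) {
            if (s.contains("RC4")) {
                System.out.println("  " + s);
            }
        }
    }
}
```

Run it with the JDK that Tomcat runs on, since the supported set (and whether RC4 suites appear in it at all) depends on that JDK's provider and its security properties. Whether a connector whose list matches no known suite then falls back to the provider defaults or refuses to start depends on the Tomcat version; this check only tells you whether the names are ones the Java side can match, which is the first thing to rule out before questioning the openssl-based test.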

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
