Hi Mark, thank you for the feedback!

On Tue, Feb 26, 2013 at 2:27 AM, Mark Thomas <ma...@apache.org> wrote:
> On 25/02/2013 08:42, Robert Klemme wrote:
>>
>> Hi there,
>>
>> I have been confronted with a Nessus scan result which claims
>> vulnerability to exploit "TLS CRIME". Plugin 62565 allegedly has found
>> this and the report states:
>>
>> "The remote service has one of two configurations that are known to be
>> required for the CRIME attack:
>> - SSL / TLS compression is enabled.
>
> It is this one.

That's what I figured.

>> - TLS advertises the SPDY protocol earlier than version 4.
>
> There is no spdy support in any released Tomcat version.

OK, that confirms what I was able to dig up.

>> We have in server.xml:
>>
>> <Connector SSLCertificateFile="/path" SSLCipherSuite="*******"
>> protocol="HTTP/1.1" connectionTimeout="20000"
>> SSLCertificateKeyFile="/path" secure="true" scheme="https"
>> maxThreads="500" port="4712" maxSavePostSize="0" server="***"
>> SSLProtocol="TLSv1" maxPostSize="2048" URIEncoding="UTF-8"
>> SSLEnabled="true" />
>
> That is the APR/native HTTPS connector.

So one solution would be to remove the APR lib from the system. Another
one would be to change the above to

<Connector SSLCertificateFile="/path" SSLCipherSuite="*******"
protocol="org.apache.coyote.http11.Http11Protocol" connectionTimeout="20000"
SSLCertificateKeyFile="/path" secure="true" scheme="https"
maxThreads="500" port="4712" maxSavePostSize="0" server="***"
SSLProtocol="TLSv1" maxPostSize="2048" URIEncoding="UTF-8"
SSLEnabled="true" />

and add all necessary configurations to make that work. And I guess a
third option is to use

export OPENSSL_NO_DEFAULT_ZLIB=1

before starting the JVM.

>> Now, what to make of this? To me it seems only compression could be
>> the culprit but is there any other way to enable compression for HTTPS
>> than to include "compression"? Or does the TLS negotiation ignore
>> setting "compression"? I could not find indication of any option to
>> control compression in the Javadocs
>>
>> http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/package-summary.html
>
> You won't. My recollection is that Java does not support compression.

OK, then it's no surprise that they do not mention it in the Javadocs. :-)

> APR/native does. An option was recently added. See:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=54324

I found that but wasn't aware that this is actually used in Tomcat.

> There is no 6.0.x release with the necessary options yet.

Do you know whether there will be?

Kind regards

robert

-- 
remember.guy do |as, often| as.you_can - without end
http://blog.rubybestpractices.com/
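The thread settles on three ways to get rid of TLS compression on the APR/native connector (drop the APR library, move to the JSSE `Http11Protocol` connector, or start the JVM with `OPENSSL_NO_DEFAULT_ZLIB=1`), but it never shows how to confirm the result without re-running Nessus. The following is an added example, not code from the thread, the Tomcat project or the Nessus plugin: it sends a bare TLS 1.0 ClientHello that offers DEFLATE (1) and NULL (0) compression and reads the `compression_method` the server selects in its ServerHello, which is exactly the precondition plugin 62565 reports. TLS 1.0 is used because the connector above pins `SSLProtocol="TLSv1"`; the host name, port and the sample ServerHello bytes used for offline checking are constructed here and are not from the page.

```python
"""Probe whether a TLS endpoint negotiates compression (the CRIME precondition)."""
import socket
import struct

COMPRESSION_NULL = 0x00     # RFC 5246 section 6.2.2
COMPRESSION_DEFLATE = 0x01  # RFC 3749

RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02
TLS10 = b"\x03\x01"


def _handshake(htype: int, body: bytes) -> bytes:
    """Handshake framing: 1-byte message type + 24-bit length + body."""
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _record(ctype: int, payload: bytes) -> bytes:
    """Record framing: content type + protocol version + 16-bit length + payload."""
    return bytes([ctype]) + TLS10 + struct.pack("!H", len(payload)) + payload


def build_client_hello(compression_methods=(COMPRESSION_DEFLATE, COMPRESSION_NULL),
                       cipher_suites=(0x002F, 0x0035, 0x000A)) -> bytes:
    """Minimal TLS 1.0 ClientHello that advertises the given compression methods.

    Suites are AES128-SHA, AES256-SHA and 3DES-SHA (plain RSA), which a TLSv1-only
    connector will accept. The client random is fixed: this is a probe, not a session.
    """
    body = TLS10 + b"\x00" * 32                      # client_version, random
    body += b"\x00"                                  # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    methods = bytes(compression_methods)
    body += bytes([len(methods)]) + methods          # no extensions follow
    return _record(RECORD_HANDSHAKE, _handshake(HS_CLIENT_HELLO, body))


def parse_server_hello(data: bytes):
    """Return {'cipher_suite', 'compression_method'} from the first ServerHello in
    `data`, or None if the server sent an Alert (e.g. protocol_version) instead."""
    pos = 0
    while pos + 5 <= len(data):
        ctype = data[pos]
        length = struct.unpack("!H", data[pos + 3:pos + 5])[0]
        payload = data[pos + 5:pos + 5 + length]
        pos += 5 + length
        if ctype == RECORD_ALERT:
            return None
        if ctype != RECORD_HANDSHAKE:
            continue
        hpos = 0
        while hpos + 4 <= len(payload):              # a record may carry several messages
            htype = payload[hpos]
            hlen = int.from_bytes(payload[hpos + 1:hpos + 4], "big")
            hbody = payload[hpos + 4:hpos + 4 + hlen]
            hpos += 4 + hlen
            if htype != HS_SERVER_HELLO or len(hbody) < 35:
                continue
            # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
            off = 35 + hbody[34]
            if len(hbody) < off + 3:
                continue
            return {"cipher_suite": struct.unpack("!H", hbody[off:off + 2])[0],
                    "compression_method": hbody[off + 2]}
    return None


def compression_enabled(data: bytes) -> bool:
    """True when the server picked anything other than NULL compression."""
    hello = parse_server_hello(data)
    return hello is not None and hello["compression_method"] != COMPRESSION_NULL


def probe(host: str, port: int, timeout: float = 5.0) -> bool:
    """Send the ClientHello to host:port and report whether compression was negotiated."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = b""
        while True:                                  # read until one full record is in
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
            if len(data) >= 5 and len(data) >= 5 + struct.unpack("!H", data[3:5])[0]:
                break
    return compression_enabled(data)


def sample_server_hello(compression_method: int) -> bytes:
    """Constructed ServerHello (TLS 1.0, AES128-SHA, empty session id) for offline checks."""
    body = TLS10 + b"\x11" * 32 + b"\x00" + struct.pack("!H", 0x002F) + bytes([compression_method])
    return _record(RECORD_HANDSHAKE, _handshake(HS_SERVER_HELLO, body))


if __name__ == "__main__":
    import sys
    # e.g. python probe.py localhost 4712 (the port from the server.xml above)
    print("TLS compression negotiated:", probe(sys.argv[1], int(sys.argv[2])))
```

Run it against the connector before and after applying one of the three fixes: `True` means the ServerHello carries `compression_method` 0x01 and the APR/native connector is still negotiating zlib; `False` means either NULL compression was selected or the server refused the handshake with an Alert (which also happens on servers that no longer accept TLS 1.0, so check the JSSE connector with an appropriate version before reading `False` as "fixed"). The probe deliberately offers only plain RSA suites and no extensions, so it tests the compression decision in isolation from cipher policy.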