On 18/01/2010 11:03, Steve G. Johnson wrote:
>
> We recently installed Tomcat 5.5.23 in Windows server to support the Infor
> WebUI (webtop) application.
> We installed a certificate and are using SSL on port 8443. This all works
> fine.
>
> The local IT Security team ran an HP "Web Inspect" and it showed a High
> vulnerability for SSLv3/TLS known as CVE-2009-3555.
> We are running JVM JRE 1.6.0._17 on the server.
> You state on the http://tomcat.apache.org/security-5.html site at end of
> page that this is not a vulnerability depending on a number of factors.
> This is very unclear for us.
>
> The Web Inspect product stated that this must be fixed as follows:
> "
> Patches must be applied to the underlying web server and ssl library.
> OpenSSL Patch: http://www.openssl.org/source/openssl-0.9.8l.tar.gz
> Apache Mod-SSL Patch:
> http://www.apache.org/dist/httpd/patches/apply_to_2.2.14
> /CVE-2009-3555-2.2.patch
> These patches may cause issues with sites that require renegotiation.
> (Sites requiring public HTTPS access with certain folders
> protected by client-side certificates)
> "
>
> What can we do to make the vulnerability shown in Web Inspect go away?
You have a couple of options, depending on which connector you are using.

BIO & NIO connectors
- use JSSE for SSL
- JSSE is provided by the JDK
- a fix will require a fix in the JDK
- talk to your JDK vendor
- the next 6.0.x release (coming soon) will contain a workaround

APR/native connector
- uses OpenSSL for SSL
- OpenSSL is provided by the OpenSSL project
- a fix requires a fix in OpenSSL
- APR/native 1.1.19 includes a workaround for this issue

Right now, the quickest way to fix this is to switch to the APR/native connector and use 1.1.19

Mark
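As an added illustration of the switch Mark recommends (this is not from the thread or from the Tomcat project; it is an example written for this page), below are the relevant server.xml fragments: the AprLifecycleListener that loads the Tomcat Native library, the existing JSSE-based connector on 8443 left in for comparison, and the APR/native connector that replaces it. File paths, the key password, and the thread counts are placeholders. The connector attribute names follow the Tomcat 5.5/6.0 APR documentation as I recall it (5.5 documents `SSLEngine="on"` on the connector, 6.0 `SSLEnabled="true"`), so check them against the docs for the exact version you run.

```xml
<!-- Added example, not the thread's or the Tomcat project's own config.
     Paths, password and thread counts are placeholders. -->

<!-- 1. Loads tcnative-1.dll (the APR/native library) and initialises OpenSSL.
        At startup the listener logs the native library version it found, which
        is how you confirm that 1.1.19 (with the CVE-2009-3555 workaround) is
        actually the one in use rather than an older copy on the PATH. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<!-- 2. Before: JSSE-based connector on 8443. SSL here is done by the JDK, so
        the renegotiation fix depends on the JDK vendor, as Mark explains.
        Left commented out for comparison; remove it once the APR one works. -->
<!--
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:/PLACEHOLDER/path/to/keystore.jks"
           keystorePass="CHANGEME" />
-->

<!-- 3. After: APR/native connector on 8443. SSL is now handled by OpenSSL via
        tcnative, so the 1.1.19 workaround applies. Note the certificate and
        private key are PEM files, not the Java keystore used by JSSE.
        SSLProtocol="TLSv1" also keeps SSLv2 off, which scanners flag separately. -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEngine="on" SSLEnabled="true"
           SSLCertificateFile="C:/PLACEHOLDER/path/to/server-cert.pem"
           SSLCertificateKeyFile="C:/PLACEHOLDER/path/to/server-key.pem"
           SSLPassword="CHANGEME"
           SSLProtocol="TLSv1"
           clientAuth="false" />
```

After restarting, check the Tomcat log for the line the listener writes about the loaded native library and confirm it reports 1.1.19; if it reports an older version, an older tcnative-1.dll is being picked up first and the workaround is not in effect. Because the workaround refuses renegotiation, re-test any area of the application that relies on it (the client-certificate-protected folders the Web Inspect text warns about) before declaring the scanner finding closed.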