On 01/18/2010 10:18 AM, Mark Thomas wrote:
On 18/01/2010 11:03, Steve G. Johnson wrote:
We recently installed Tomcat 5.5.23 on a Windows server to support the Infor
WebUI (webtop) application.
We installed a certificate and are using SSL on port 8443. This all works
fine.
The local IT Security team ran an HP "Web Inspect" and it showed a High
vulnerability for SSLv3/TLS known as CVE-2009-3555.
We are running JVM JRE 1.6.0_17 on the server.
You state on the http://tomcat.apache.org/security-5.html site at end of
page that this is not a vulnerability depending on a number of factors.
This is very unclear for us.
The Web Inspect product stated that this must be fixed as follows:
"
Patches must be applied to the underlying web server and ssl library.
OpenSSL Patch: http://www.openssl.org/source/openssl-0.9.8l.tar.gz
Apache Mod-SSL Patch:
http://www.apache.org/dist/httpd/patches/apply_to_2.2.14
/CVE-2009-3555-2.2.patch
These patches may cause issues with sites that require renegotiation.
(Sites requiring public HTTPS access with certain folders
protected by client-side certificates)
"
What can we do to make the vulnerability shown in Web Inspect go away?
You have a couple of options, depending on which connector you are using.
BIO & NIO connectors
- use JSSE for SSL
- JSSE is provided by the JDK
- a fix will require a fix in the JDK - talk to your JDK vendor
- the next 6.0.x release (coming soon) will contain a workaround
NIO doesn't allow handshakes and is not vulnerable. Instead it will time
out the request
So if using Tomcat 6, then NIO is a workaround
Filip
APR/native connector
- uses OpenSSL for SSL
- OpenSSL is provided by the OpenSSL project
- a fix requires a fix in OpenSSL
- APR/native 1.1.19 includes a workaround for this issue
Right now, the quickest way to fix this is to switch to the APR/native
connector and use 1.1.19
Mark
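As an added example (not from anyone in this thread), this is what the switch Mark describes looks like in a Tomcat 6.0 server.xml: the existing BIO connector with JSSE on 8443 beside an equivalent APR/native connector backed by OpenSSL. Attribute names are Tomcat 6.0's; the listener class is real, while the file paths and passwords are placeholders.

```xml
<!-- Added example for Tomcat 6.0 server.xml; not taken from the thread.
     File paths and the keystore/key passwords below are placeholders. -->

<!-- 1. Load the APR/native library (tcnative 1.1.19 or later, per Mark's
        advice) and initialise its OpenSSL engine. Without this Listener
        the APR connector in 2b will not start. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="on" />

<!-- 2a. Current setup: BIO connector, SSL handled by JSSE (the JDK).
         Whether renegotiation is safe here depends on the installed JRE,
         which is why the thread points to the JDK vendor for a fix. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/keystore.jks"
           keystorePass="KEYSTORE_PASSWORD_PLACEHOLDER" />

<!-- 2b. Replacement: APR/native connector, SSL handled by OpenSSL via
         tcnative. Same port, so application URLs do not change.
         The certificate and private key are PEM files, not a JKS keystore.
         Keep only one of 2a/2b active: both bind port 8443. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLProtocol="all"
           SSLCertificateFile="/path/to/server.crt"
           SSLCertificateKeyFile="/path/to/server.key"
           SSLPassword="KEY_PASSWORD_PLACEHOLDER"
           SSLVerifyClient="none" />
```

At startup Tomcat logs the tcnative version it loaded ("Loaded APR based Apache Tomcat Native library ..."), which is the quickest way to confirm the 1.1.19 requirement before re-running the scan.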
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org