Mark,
Since we do not know how to "switch connectors" or install OpenSSL, and do
not have a JDK on the server (only JRE 1.6.0_17), I suppose the best bet
is to wait until Tomcat is fixed ("coming soon").



Steve Johnson





                                                                           
Mark Thomas <ma...@apache.org>
01/18/2010 09:19 AM
Please respond to "Tomcat Users List" <us...@tomcat.apache.org>
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: SSLv3/TLS man-in-middle vulnerability







On 18/01/2010 11:03, Steve G. Johnson wrote:
>
> We recently installed Tomcat 5.5.23 in Windows server to support the Infor
> WebUI (webtop) application.
> We installed a certificate and are using SSL on port 8443. This all works
> fine.
>
> The local IT Security team ran an HP "Web Inspect" and it showed a High
> vulnerability for SSLv3/TLS known as CVE-2009-3555.
> We are running JVM JRE 1.6.0_17 on the server.
> You state on the http://tomcat.apache.org/security-5.html site at end of
> page that this is not a vulnerability depending on a number of factors.
> This is very unclear for us.
>
> The Web Inspect product stated that this must be fixed as follows:
> "
> Patches must be applied to the underlying web server and ssl library.
> OpenSSL Patch: http://www.openssl.org/source/openssl-0.9.8l.tar.gz
> Apache Mod-SSL Patch:
> http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
> These patches may cause issues with sites that require renegotiation.
> (Sites requiring public HTTPS access with certain folders
> protected by client-side certificates)
> "
>
> What can we do to make the vulnerability shown in Web Inspect go away?

You have a couple of options, depending on which connector you are using.

BIO & NIO connectors
 - use JSSE for SSL
 - JSSE is provided by the JDK
 - a fix will require a fix in the JDK - talk to your JDK vendor
 - the next 6.0.x release (coming soon) will contain a workaround

APR/native connector
 - uses OpenSSL for SSL
 - OpenSSL is provided by the OpenSSL project
 - a fix requires a fix in OpenSSL
 - APR/native 1.1.19 includes a workaround for this issue

Right now, the quickest way to fix this is to switch to the APR/native
connector and use 1.1.19

Mark
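To make the two options above concrete, the following server.xml excerpt is an added example (not code from this thread or from the Tomcat project) showing the JSSE-backed BIO connector next to the APR/native connector that uses OpenSSL, so that "switching connectors" is a matter of which Connector element is active. The keystore and PEM file paths, the password, the thread count and the assumption that the tomcat-native 1.1.19 tcnative-1.dll has been placed in Tomcat's bin directory on Windows are all illustrative; the element and attribute names are the ones documented for Tomcat's HTTP connector and AprLifecycleListener.

```xml
<!-- Added example: server.xml excerpts for the two SSL paths described above.
     Paths, password and thread count are placeholder assumptions, not values
     from the thread. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- APR/native path: load tcnative-1.dll (tomcat-native 1.1.19 on Windows,
       assumed to sit in Tomcat's bin directory) and enable its OpenSSL engine.
       Without this listener the APR connector below cannot start. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" />

  <Service name="Catalina">

    <!-- Option 1: BIO connector, SSL handled by JSSE inside the JRE
         (1.6.0_17 in this case). Renegotiation behaviour is the JRE's, so
         CVE-2009-3555 is fixed here only by patching the JRE.
         Left commented out so only one connector owns port 8443. -->
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${catalina.home}/conf/keystore.jks"
               keystorePass="changeit" />
    -->

    <!-- Option 2: APR/native connector, SSL handled by OpenSSL inside tcnative.
         Uses PEM certificate and key files rather than a Java keystore, and
         requires the AprLifecycleListener above to have loaded the library. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               SSLCertificateFile="${catalina.home}/conf/server.crt"
               SSLCertificateKeyFile="${catalina.home}/conf/server.key"
               SSLPassword="changeit"
               clientAuth="false" SSLProtocol="TLSv1" />

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

Since the existing certificate lives in a Java keystore, the APR connector needs it exported to PEM first (a keytool/openssl conversion outside this fragment). After restarting, catalina.out (or the Windows service log) shows whether the APR library was found; if it was not, the explicit Http11AprProtocol connector fails to start rather than silently falling back to JSSE, which is the behaviour you want when the point of the switch is the OpenSSL renegotiation workaround.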



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



