On 19/01/2010 02:31, Steve G. Johnson wrote:
Mark,
Since we do not know how to switch connectors, or install OpenSSL, and do
not have JDK on the server (only JRE 1.6.0_17), then I suppose the best bet
is to wait until Tomcat is fixed (coming soon).
You can replace JDK with JRE in what I
Mark,
Our JRE is 1.6.0_17.
Below are server.xml entries for connectors minus security tag values.
Please suggest changes. Is that all I have to do before Security runs
another HP scan?
Thanks
<!--
Define a SSL HTTP/1.1 Connector on port 8443
-->
<Connector port="8443"
To: Tomcat Users List
Subject: Re: SSLv3/TLS man-in-middle vulnerability
Mark,
Our JRE is 1.6.0_17.
Below are server.xml entries for connectors minus security tag values.
Please suggest changes. Is that all I have to do before Security runs
another HP scan?
Thanks
<!--
Define a SSL HTTP/1.1
From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
Subject: RE: SSLv3/TLS man-in-middle vulnerability
For Steve to switch to the APR/native connectors, all he needs to do in
this config is download the native libraries and restart, correct?
No, the SSL config is completely different
From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
Subject: Re: SSLv3/TLS man-in-middle vulnerability
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
disableUploadTimeout="true"
and a workaround isn't available
yet. But the 1.1.19 APR has the workaround available now.
Jeff
-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Tuesday, January 19, 2010 9:29 AM
To: Tomcat Users List
Subject: RE: SSLv3/TLS man-in-middle vulnerability
From
From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
Subject: RE: SSLv3/TLS man-in-middle vulnerability
In particular, he stated that switching to the NIO connector at this
point wouldn't address it (from my reading of his post), as the fix
will require a JDK/JRE fix from the vendor
: Re: SSLv3/TLS man-in-middle vulnerability
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
disableUploadTimeout="true" acceptCount="100" scheme="https"
secure="true" clientAuth="false" sslProtocol
From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
Subject: RE: SSLv3/TLS man-in-middle vulnerability
FYI: This is in my listener list:
<Listener className="org.apache.catalina.core.AprLifecycleListener" />
If the tcnative library isn't found, the above listener will simply
vulnerability
From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
Subject: RE: SSLv3/TLS man-in-middle vulnerability
In particular, he stated that switching to the NIO connector at this
point wouldn't address it (from my reading of his post), as the fix
will require a JDK/JRE fix from
From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
Subject: RE: SSLv3/TLS man-in-middle vulnerability
If you have to stay with 5.5.23, you'll need to go with the APR SSL
connector.
(slap me if I'm still wrong Charles, but I checked the doc and there
doesn't appear to be support
We recently installed Tomcat 5.5.23 in Windows server to support the Infor
WebUI (webtop) application.
We installed a certificate and are using SSL on port 8443. This all works
fine.
The local IT Security team ran an HP Web Inspect and it showed a High
vulnerability for SSLv3/TLS known as
List users@tomcat.apache.org
To
Tomcat Users List users@tomcat.apache.org
cc
Subject
SSLv3/TLS man-in-middle vulnerability
The local IT Security team ran an HP Web Inspect and it showed a High
vulnerability for SSLv3/TLS known as CVE-2009-3555.
We are running JVM JRE 1.6.0_17 on the server
On 18/01/2010 11:03, Steve G. Johnson wrote:
We recently installed Tomcat 5.5.23 in Windows server to support the Infor
WebUI (webtop) application.
We installed a certificate and are using SSL on port 8443. This all works
fine.
The local IT Security team ran an HP Web Inspect and it showed
On 18/01/2010 11:37, Jens Neu wrote:
Steve,
it is not a vulnerability of Tomcat, nevertheless it can be fixed by it.
You definitely _should_ fix it, since data integrity can not be assured on
your https connections any more.
I have little to no Windows experience; but my understanding
On 01/18/2010 10:18 AM, Mark Thomas wrote:
On 18/01/2010 11:03, Steve G. Johnson wrote:
We recently installed Tomcat 5.5.23 in Windows server to support the Infor
WebUI (webtop) application.
We installed a certificate and are using SSL on port 8443. This all works
fine.
The local IT
Mark,
Since we do not know how to switch connectors, or install OpenSSL, and do
not have JDK on the server (only JRE 1.6.0_17), then I suppose the best bet
is to wait until Tomcat is fixed (coming soon).
Steve Johnson (619) 237-8315 P Please consider the environment before
printing this e-mail.