Thanks,
Aaron
*From:*resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] *On Behalf Of *Aaron Freeman
*Sent:* Wednesday, December 05, 2012 10:51 AM
*To:* 'General Discussion for the Resin application server'
*Subject:* Re: [Resin-interest] BEAST SSL Attack
Very good, I appreciate the feedback.
Thanks,
Aaron
*From:*resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] *On Behalf Of *Paul Cowan
*Sent:* Wednesday, December 05, 2012 9:02 AM
*To:* General Discussion for the Resin application server
*Subject:* Re: [Resin-interest] BEAST SSL Attack
Hi Folks,
Resin does not support "SSLHonorCipherOrder" yet. We already
received a request from another customer and there is a feature
request for this here:
http://bugs.caucho.com/view.php?id=5282
This is an OpenSSL feature, not JSSE. We'll be implementing it in
an upcoming release. Probably it will be in 4.0.44, as .43 is due
for release soon.
Thanks,
Paul
On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote:
Knut,
Thanks a bunch for your reply. I saw you referencing another email
you sent, but this is the only one I saw come through the group.
At any rate, we are already using the cipher-suites feature, but in
this case that's not enough. They are telling us that we actually
have to be able to prioritize the order that the suites are
negotiated on the server side. The only cipher suites guaranteed
not to have the BEAST attack issue are ones that aren't wide-spread
yet (TLSv1.1) however if we can put TLSv1.0 in a specific order that
will suffice for PCI compliance.
This bug for Tomcat addresses the issue and gives good details about
a directive, SSLHonorCipherOrder, that handles the
problem:https://issues.apache.org/bugzilla/show_bug.cgi?id=53481
Any other ideas for Resin?
Aaron
*From:*resin-interest-boun...@caucho.com
<mailto:resin-interest-boun...@caucho.com>[mailto:resin-interest-boun...@caucho.com]*On
Behalf Of*Knut Forkalsrud
*Sent:*Tuesday, December 04, 2012 9:31 PM
*To:*General Discussion for the Resin application server
*Subject:*Re: [Resin-interest] BEAST SSL Attack
Actually, I got it wrong in my previous mail. The feature should be
working.
There is a ticket describing the feature:
http://bugs.caucho.com/view.php?id=3593
On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud
<knut-cau...@forkalsrud.org <mailto:knut-cau...@forkalsrud.org>> wrote:
In the days of Resin2.1.4 and onwards
<http://www.caucho.com/resin-3.1/changes/changes-2.xtp>there was
such a feature, however it seems to have lapsed. I remember because
there was a similar issue with MSIE
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217.
I my good old copy of Resin 3.1.8 there are remains the feature.
If you bring up the source code for
com.caucho.vfs.JsseSSLFactory.create(host, port)
you will find a block of code commented out.
Then there was a second incarnation where you could specify cipher
suites. That seems to have dies some time around Aug 2009 with the
commit:
https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java
I suspect you could get it going again if you have the fortitude to
play around with Resin's source code and build your own.
Good luck,
Knut Forkalsrud
On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman
<aaron.free...@layerz.com <mailto:aaron.free...@layerz.com>> wrote:
SSL BEAST
_______________________________________________
resin-interest mailing list
resin-interest@caucho.com <mailto:resin-interest@caucho.com>
http://maillist.caucho.com/mailman/listinfo/resin-interest
===============================
Paul Cowan, Software Engineer
Caucho Technology
co...@caucho.com <mailto:co...@caucho.com>
http://blog.caucho.com
http://twitter.com/cauchoresin
_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest