On a whim we looked to see if there was a new snapshot, and there was, so we
tried it.  Looks like the honor-cipher-code addition is working great.   We
were able to get it to show that we are compliant - so we will be doing more
internal testing to make sure the snapshot is stable enough and then we will
roll it out.

 

Thanks a bunch!

 

Aaron

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Friday, January 18, 2013 10:09 AM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

 

OK, just keep us posted.

 

Thanks,

 

Aaron

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Paul Cowan
Sent: Friday, January 18, 2013 10:01 AM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

 

 

On Jan 18, 2013, at 10:18 AM, Aaron Freeman <aaron.free...@layerz.com>
wrote:

 

We're getting scanned today.   Any hope on this?

 

I just tested that Resin snapshot - the <honor-cipher-order> is not in that
jar.  I think there was a mistake in the SCM checkin or Scott may have built
the archive too soon.  We'll try to put up a new snapshot today/soon, but I'm
not certain it's possible with various other bug fixes in progress.

 

Thanks,

Paul

 

 

Thanks,

 

Aaron

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Monday, January 14, 2013 2:01 PM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

 

Still needing a little assistance on this one.

Thanks,

 

Aaron

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Thursday, January 10, 2013 2:12 PM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

 

Hmm, we were able to swap out jsse for openssl and get that working without
any issues using the snapshot you recommend below.  However when we add
<honor-cipher-order> under the <openssl> node, we get this error:

 

[root@alpha bin]# ./www.sh start
/opt/sendthisfile/server/conf/www.xml:80: <honor-cipher-order> is an unexpected tag (parent <openssl> starts at 75).

78:                     <password>password</password>
79:                     <cipher-suite>!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL</cipher-suite>
80:                         <honor-cipher-order>true</honor-cipher-order>
81:                     </openssl>
82:             </http>

 

<openssl> syntax: ( (@ca-certificate-file | <ca-certificate-file>)?
                  & (@ca-certificate-path | <ca-certificate-path>)?
                  & (@ca-revocation-file | <ca-revocation-file>)?
                  & (@ca-revocation-path | <ca-revocation-path>)?
                  & (@certificate-file | <certificate-file>)
                  & (@certificate-chain-file | <certificate-chain-file>)?
                  & (@certificate-key-file | <certificate-key-file>)?
                  & (@cipher-suite | <cipher-suite>)?
                  & (@crypto-device | <crypto-device>)?
                  & (@password | <password>)
                  & (@protocol | <protocol>)?
                  & (@session-cache | <session-cache>)?
                  & (@session-cache-timeout | <session-cache-timeout>)?
                  & (@unclean-shutdown | <unclean-shutdown>)?
                  & (@verify-client | <verify-client>)?
                  & (@verify-depth | <verify-depth>)?)

 

 

From the configuration, this is the version of OpenSSL we are on:

 

  OPENSSL     : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
    include   : /usr/include
    lib       :
    libraries :  -lssl -lcrypto

 

Any ideas?

 

Thanks,

 

Aaron

 

 

 

_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
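
What <honor-cipher-order> changes during the handshake, as an added example that is not part of the thread or of Resin's code: without server preference, OpenSSL selects by the client's order, so an RC4-first <cipher-suite> list alone does not decide the outcome. The abbreviated suite lists and the client names are constructed assumptions.

```python
# Added example (not from the thread): toy model of TLS cipher-suite selection.
# Suite lists are constructed and abbreviated; names are OpenSSL suite names.

# Server order with RC4 first, as the <cipher-suite> string in the thread intends.
SERVER_ORDER = ["RC4-SHA", "RC4-MD5", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]

# CBC-mode suites from the lists above: the mode BEAST targets in SSLv3/TLS 1.0.
CBC_SUITES = {"AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"}

# Constructed client offers, most preferred first.
CLIENTS = {
    "cbc_first": ["AES256-SHA", "AES128-SHA", "RC4-SHA"],
    "rc4_first": ["RC4-SHA", "AES128-SHA"],
    "cbc_only": ["AES128-SHA", "DES-CBC3-SHA"],
    "no_overlap": ["CAMELLIA128-SHA"],
}


def negotiate(client_order, server_order, honor_server_order):
    """Pick the first mutually supported suite from whichever side's order wins."""
    if honor_server_order:
        ranked, allowed = server_order, set(client_order)
    else:
        ranked, allowed = client_order, set(server_order)
    return next((s for s in ranked if s in allowed), None)


def beast_exposed(suite, protocol="TLSv1"):
    """A CBC suite on SSLv3/TLS 1.0 is the combination a BEAST scan flags."""
    return suite in CBC_SUITES and protocol in ("SSLv3", "TLSv1")


def scan(honor_server_order, protocol="TLSv1"):
    """Return {client: (chosen_suite, exposed)} for every constructed client."""
    results = {}
    for name, offer in CLIENTS.items():
        suite = negotiate(offer, SERVER_ORDER, honor_server_order)
        results[name] = (suite, beast_exposed(suite, protocol))
    return results


if __name__ == "__main__":
    for honor in (False, True):
        print(f"honor-cipher-order={honor}")
        for name, (suite, exposed) in scan(honor).items():
            print(f"  {name:10s} -> {suite}  beast_exposed={exposed}")
```

The "cbc_only" client still lands on a CBC suite even with server preference on, because the server can only reorder what the client offers. RC4-first ordering was the workaround current when this thread was written; RFC 7465 later prohibited RC4 in TLS.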
