RE: Appscan Issues
Dear Amith, Thanks... I will me more detailed. We don't use Apache HTTPD or ngnix. It's just tomcat7. Below is my connector configuration. Regards, Amith Can you use sslEnabledProtocols="TLSv1.2,TLSv1.1" SSLEnabled="true" in connector tag as below. Thanks and Regards Deepak -Original Message- From: Olaf Kock [mailto:tom...@olafkock.de] Sent: Friday, April 08, 2016 9:29 AM To: users@tomcat.apache.org Subject: Re: Appscan Issues Am 08.04.2016 um 15:17 schrieb Kikkeri, Amith: > Hi, > Appscan was performed on our application and 2 issues were encountered. Could anyone please let me know how to resolve these issues ? We use tomcat7. > > Browser Exploit Against SSL/TLS (a.k.a. BEAST) > RC4 cipher suites were detected > (Remove support of SSLv3/TLS1.0 cipher suites with CBC.) Sure. Remove SSL support. Seriously: With the level of information that you give, what's the level of detail that you expect back? Are you using tomcat only? Do you front it with Apache httpd? nginx? Any loadbalancer or SSL-Terminator (pardon the use of SSL here)? If you only have tomcat, what's the configuration of your https connector? Which of the options that are documented in the connector's documentation ( http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support or http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html among others) do you need help with? Olaf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org "Disclaimer and confidentiality clause - This message and any attachments relating to official business of CCIL OR ANY OF IT'S SUBSIDIARIES is proprietary to CCIL and intended for the original addressee only. The message may contain information that is confidential and subject to legal privilege. Any views expressed in this message are those of the individual sender. If you have received this message in error, please notify the original sender immediately and destroy the message and copies thereof and any attachments contained in it . If you are not the intended recipient of this message, you are hereby notified that you must not disseminate, copy, use, distribute, or take any action in connection therewith. CCIL cannot ensure that the integrity of this communication has been maintained nor that it is free of errors, viruses, interception and/or interference. CCIL is not liable whatsoever for loss or damage resulting from the opening of this message and/or attachments and/or the use of the information contained in this message and/or attachments."
Re: Appscan Issues
On 08/04/2016 14:40, Kikkeri, Amith wrote: > Thanks... I will me more detailed. > We don't use Apache HTTPD or ngnix. It's just tomcat7. Below is my connector > configuration. > > maxThreads="150" SSLEnabled="true" scheme="https" secure="true" >clientAuth="false" sslProtocol="TLS" >keystoreFile=" " >keystorePass=" "/> As of the next Tomcat 7 release, you should see improved defaults. For more details see: http://wiki.apache.org/tomcat/Security/Ciphers The best achievable results will depend on the Java version you use and whether or not you use the JCE Unlimited Strength Jurisdiction Policy Files. Mark > > > > Regards, > Amith > > > > -Original Message- > From: Olaf Kock [mailto:tom...@olafkock.de] > Sent: Friday, April 08, 2016 9:29 AM > To: users@tomcat.apache.org > Subject: Re: Appscan Issues > > > > Am 08.04.2016 um 15:17 schrieb Kikkeri, Amith: >> Hi, >> Appscan was performed on our application and 2 issues were encountered. >> Could anyone please let me know how to resolve these issues ? We use tomcat7. >> >> Browser Exploit Against SSL/TLS (a.k.a. BEAST) >> RC4 cipher suites were detected >> (Remove support of SSLv3/TLS1.0 cipher suites with CBC.) > Sure. Remove SSL support. > > Seriously: With the level of information that you give, what's the level of > detail that you expect back? > > Are you using tomcat only? Do you front it with Apache httpd? nginx? Any > loadbalancer or SSL-Terminator (pardon the use of SSL here)? If you only have > tomcat, what's the configuration of your https connector? Which of the > options that are documented in the connector's documentation > (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support or > http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html among others) do you > need help with? > > Olaf > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Appscan Issues
Am 09.04.2016 um 18:20 schrieb Christopher Schultz: > Olaf, > > On 4/8/16 9:49 AM, Olaf Kock wrote: > > > I'm typically configuring a HTTPS end point in Apache httpd and > > forward to tomcat. I feel that the documentation for explicit > > cipher-choice in Apache httpd is a lot better (and more widespread > > up to date) than for tomcat, but you definitely can correctly > > configure it in tomcat as well. > > > I just hope you're not running as root in order to bind to port 443 > > - in that case you have different (and bigger) problems. > > More recent Tomcats support OpenSSL-style ciphersuite configuration > (which means the the httpd documentation is valid for configuring the > cipher suites). I don't think it's available in Tomcat 7, though. > > -chris That's good news, and I'm definitely looking into this. Although my personal preference is still to have httpd in front - if only for mod_rewrite, offloading static content, taking care of binding privileged ports and - in some installations - as load balancer. But it's good to know that the options are there and the configuration is similar in both cases. Thanks, Olaf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Appscan Issues
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Olaf, On 4/8/16 9:49 AM, Olaf Kock wrote: > Am 08.04.2016 um 15:40 schrieb Kikkeri, Amith: >> Thanks... I will me more detailed. We don't use Apache HTTPD or >> ngnix. It's just tomcat7. Below is my connector configuration. >> >> > protocol="org.apache.coyote.http11.Http11Protocol" >> maxThreads="150" SSLEnabled="true" scheme="https" secure="true" >> clientAuth="false" sslProtocol="TLS" keystoreFile=" " >> keystorePass=" "/> > You'll have to explicitly configure the ciphers. That can be done > by configuring the connector > (https://wiki.apache.org/tomcat/HowTo/SSLCiphers) to use or > prohibit one or the other cipher > (https://wiki.apache.org/tomcat/Security/Ciphers) - or use one of > the links that I've posted in my previous answer. > > I'm typically configuring a HTTPS end point in Apache httpd and > forward to tomcat. I feel that the documentation for explicit > cipher-choice in Apache httpd is a lot better (and more widespread > up to date) than for tomcat, but you definitely can correctly > configure it in tomcat as well. > > I just hope you're not running as root in order to bind to port 443 > - in that case you have different (and bigger) problems. More recent Tomcats support OpenSSL-style ciphersuite configuration (which means the the httpd documentation is valid for configuring the cipher suites). I don't think it's available in Tomcat 7, though. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlcJK8cACgkQ9CaO5/Lv0PBH+wCght1sWDOGrTwXXicU5UU5ChSJ JWQAn1RzugmQ3XofaRqICSob7xdobW/7 =o0+a -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Appscan Issues
Am 08.04.2016 um 15:40 schrieb Kikkeri, Amith: > Thanks... I will me more detailed. > We don't use Apache HTTPD or ngnix. It's just tomcat7. Below is my connector > configuration. > > maxThreads="150" SSLEnabled="true" scheme="https" secure="true" >clientAuth="false" sslProtocol="TLS" >keystoreFile=" " >keystorePass=" "/> You'll have to explicitly configure the ciphers. That can be done by configuring the connector (https://wiki.apache.org/tomcat/HowTo/SSLCiphers) to use or prohibit one or the other cipher (https://wiki.apache.org/tomcat/Security/Ciphers) - or use one of the links that I've posted in my previous answer. I'm typically configuring a HTTPS end point in Apache httpd and forward to tomcat. I feel that the documentation for explicit cipher-choice in Apache httpd is a lot better (and more widespread up to date) than for tomcat, but you definitely can correctly configure it in tomcat as well. I just hope you're not running as root in order to bind to port 443 - in that case you have different (and bigger) problems. Olaf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Appscan Issues
Thanks... I will me more detailed. We don't use Apache HTTPD or ngnix. It's just tomcat7. Below is my connector configuration. Regards, Amith -Original Message- From: Olaf Kock [mailto:tom...@olafkock.de] Sent: Friday, April 08, 2016 9:29 AM To: users@tomcat.apache.org Subject: Re: Appscan Issues Am 08.04.2016 um 15:17 schrieb Kikkeri, Amith: > Hi, > Appscan was performed on our application and 2 issues were encountered. Could > anyone please let me know how to resolve these issues ? We use tomcat7. > > Browser Exploit Against SSL/TLS (a.k.a. BEAST) > RC4 cipher suites were detected > (Remove support of SSLv3/TLS1.0 cipher suites with CBC.) Sure. Remove SSL support. Seriously: With the level of information that you give, what's the level of detail that you expect back? Are you using tomcat only? Do you front it with Apache httpd? nginx? Any loadbalancer or SSL-Terminator (pardon the use of SSL here)? If you only have tomcat, what's the configuration of your https connector? Which of the options that are documented in the connector's documentation (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support or http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html among others) do you need help with? Olaf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Appscan Issues
Am 08.04.2016 um 15:17 schrieb Kikkeri, Amith: > Hi, > Appscan was performed on our application and 2 issues were encountered. Could > anyone please let me know how to resolve these issues ? We use tomcat7. > > Browser Exploit Against SSL/TLS (a.k.a. BEAST) > RC4 cipher suites were detected > (Remove support of SSLv3/TLS1.0 cipher suites with CBC.) Sure. Remove SSL support. Seriously: With the level of information that you give, what's the level of detail that you expect back? Are you using tomcat only? Do you front it with Apache httpd? nginx? Any loadbalancer or SSL-Terminator (pardon the use of SSL here)? If you only have tomcat, what's the configuration of your https connector? Which of the options that are documented in the connector's documentation (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support or http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html among others) do you need help with? Olaf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org