Re: [Resin-interest] BEAST SSL Attack

2013-01-18 Thread Aaron Freeman
OK, just keep us posted.

Thanks,

Aaron

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Paul Cowan
Sent: Friday, January 18, 2013 10:01 AM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

On Jan 18, 2013, at 10:18 AM, Aaron Freeman wrote:

> We're getting scanned today. Any hope on this?

I just tested that Resin snapshot - the  is not in that
jar. I think there was a mistake in the SCM checkin or Scott may have built
the archive too soon. We'll try to put up a new snapshot today/soon, but I'm
not certain it's possible with various other bug fixes in progress.

Thanks,

Paul

Thanks,

Aaron

From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Monday, January 14, 2013 2:01 PM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

Still needing a little assistance on this one.

Thanks,

Aaron

From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Thursday, January 10, 2013 2:12 PM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

Hmm, we were able to swap out jsse for openssl and get that working without
any issues using the snapshot you recommend below. However, when we add
 under the  node, we get this error:

[root@alpha bin]# ./www.sh start
/opt/sendthisfile/server/conf/www.xml:80:  is an
unexpected tag (parent  starts at 75).

78: password
79: !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL
80: true
81: 
82: 

 syntax: ( (@ca-certificate-file | )?
  & (@ca-certificate-path | )?
  & (@ca-revocation-file | )?
  & (@ca-revocation-path | )?
  & (@certificate-file | )
  & (@certificate-chain-file | )?
  & (@certificate-key-file | )?
  & (@cipher-suite | )?
  & (@crypto-device | )?
  & (@password | )
  & (@protocol | )?
  & (@session-cache | )?
  & (@session-cache-timeout | )?
  & (@unclean-shutdown | )?
  & (@verify-client | )?
  & (@verify-depth | )?)

From the configuration, this is the version of OpenSSL we are on:

  OPENSSL : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
include   : /usr/include
lib   :
libraries :  -lssl -lcrypto

Any ideas?

Thanks,

Aaron

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
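The cipher-suite string quoted in this thread only decides which suites the server accepts; as the thread goes on to explain, the PCI scan also wanted the server to impose its own order (what Apache calls SSLHonorCipherOrder). The block below is an added example, not code from the thread or from Resin: it mimics how OpenSSL's ciphers(1) operators resolve that string into a preference list over a small constructed catalog of 0.9.8-era cipher names, then shows which suite a handshake lands on against a constructed client offer with and without server preference.

```python
# Constructed subset of OpenSSL 0.9.8 cipher names -> aliases, in default strength order.
CATALOG = {
    "AES256-SHA":         {"AES", "CBC", "SHA1", "kRSA"},
    "DHE-DSS-AES256-SHA": {"AES", "CBC", "SHA1", "DSS", "kDHE"},
    "AES128-SHA":         {"AES", "CBC", "SHA1", "kRSA"},
    "DES-CBC3-SHA":       {"3DES", "CBC", "SHA1", "kRSA"},
    "RC4-SHA":            {"RC4", "SHA1", "kRSA"},
    "RC4-MD5":            {"RC4", "MD5", "kRSA"},
    "DES-CBC-SHA":        {"DES", "CBC", "SHA1", "kRSA"},
    "EXP-RC4-MD5":        {"RC4", "MD5", "EXPORT", "kRSA"},
    "ADH-AES128-SHA":     {"AES", "CBC", "SHA1", "aNULL", "kDHE"},
    "NULL-SHA":           {"eNULL", "SHA1", "kRSA"},
}

def matches(alias):
    """Ciphers an alias or exact cipher name selects; ALL excludes eNULL suites."""
    return [c for c, a in CATALOG.items()
            if (alias == "ALL" and "eNULL" not in a) or c == alias or alias in a]

def expand(cipher_string):
    """Apply the '!', '-' and '+' operators of OpenSSL ciphers(1), left to right."""
    enabled, killed = [], set()
    for token in cipher_string.split(":"):
        op, alias = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hit = matches(alias)
        if op in ("!", "-"):            # remove; '!' also bars re-adding later
            enabled = [c for c in enabled if c not in hit]
            killed.update(hit if op == "!" else ())
        elif op == "+":                 # move already-enabled matches to the end
            enabled = [c for c in enabled if c not in hit] + [c for c in enabled if c in hit]
        else:                           # append new matches in catalog order
            enabled += [c for c in hit if c not in killed and c not in enabled]
    return enabled

def negotiate(server_prefs, client_offer, honor_server_order):
    """Suite the handshake lands on; without server preference the client's order wins."""
    first, second = ((server_prefs, client_offer) if honor_server_order
                     else (client_offer, server_prefs))
    return next((c for c in first if c in second), None)

# The cipher-suite value from the thread, and a constructed 2012-era browser
# offer that lists CBC suites (the BEAST-relevant ones under TLS 1.0) first.
RESIN_CIPHERS = "!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL"
CLIENT_OFFER = ["AES128-SHA", "AES256-SHA", "RC4-SHA", "RC4-MD5", "DES-CBC3-SHA"]

if __name__ == "__main__":
    prefs = expand(RESIN_CIPHERS)
    for honor in (False, True):
        chosen = negotiate(prefs, CLIENT_OFFER, honor)
        print(f"honor server order={honor}: {chosen} (CBC={'CBC' in CATALOG[chosen]})")
```

Putting RC4 first was the 2012-era answer to BEAST; RC4 was itself broken soon after and is compiled out of current OpenSSL builds, which is why this example models the string rather than loading it into a live ssl.SSLContext.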


Re: [Resin-interest] BEAST SSL Attack

2013-01-18 Thread Paul Cowan

On Jan 18, 2013, at 10:18 AM, Aaron Freeman  wrote:

> We’re getting scanned today.   Any hope on this?

I just tested that Resin snapshot - the  is not in that 
jar.  I think there was a mistake in the SCM checkin or Scott may have built 
the archive too soon.  We'll try to put up a new snapshot today/soon, but I'm 
not certain it's possible with various other bug fixes in progress.

Thanks,
Paul

>  
> Thanks,
>  
> Aaron
>  
>  
> From: resin-interest-boun...@caucho.com 
> [mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
> Sent: Monday, January 14, 2013 2:01 PM
> To: 'General Discussion for the Resin application server'
> Subject: Re: [Resin-interest] BEAST SSL Attack
>  
> Still needing a little assistance on this one.
> Thanks,
>  
> Aaron
>  
>  
> From: resin-interest-boun...@caucho.com 
> [mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
> Sent: Thursday, January 10, 2013 2:12 PM
> To: 'General Discussion for the Resin application server'
> Subject: Re: [Resin-interest] BEAST SSL Attack
>  
> Hmm, we were able to swap out jsse for openssl and get that working without 
> any issues using the snapshot you recommend below.  However when we add 
>  under the  node, we get this error:
>  
> [root@alpha bin]# ./www.sh start
> /opt/sendthisfile/server/conf/www.xml:80:  is an 
> unexpected tag (parent  starts at 75).
>  
> 78: password
> 79: 
> !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL
> 80: true
> 81: 
> 82: 
>  
>  syntax: ( (@ca-certificate-file | )?
>   & (@ca-certificate-path | )?
>   & (@ca-revocation-file | )?
>   & (@ca-revocation-path | )?
>   & (@certificate-file | )
>   & (@certificate-chain-file | )?
>   & (@certificate-key-file | )?
>   & (@cipher-suite | )?
>   & (@crypto-device | )?
>   & (@password | )
>   & (@protocol | )?
>   & (@session-cache | )?
>   & (@session-cache-timeout | )?
>   & (@unclean-shutdown | )?
>   & (@verify-client | )?
>   & (@verify-depth | )?)
>  
>  
> From the configuration, this is the version of OpenSSL we are on:
>  
>   OPENSSL : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> include   : /usr/include
> lib   :
> libraries :  -lssl -lcrypto
>  
> Any ideas?
>  
> Thanks,
>  
> Aaron
>  
>  
>  


Re: [Resin-interest] BEAST SSL Attack

2013-01-18 Thread Aaron Freeman
We're getting scanned today. Any hope on this?

Thanks,

Aaron


From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Monday, January 14, 2013 2:01 PM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

Still needing a little assistance on this one.

Thanks,

Aaron


From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Thursday, January 10, 2013 2:12 PM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

Hmm, we were able to swap out jsse for openssl and get that working without
any issues using the snapshot you recommend below. However, when we add
 under the  node, we get this error:

[root@alpha bin]# ./www.sh start
/opt/sendthisfile/server/conf/www.xml:80:  is an
unexpected tag (parent  starts at 75).

78: password
79: !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL
80: true
81: 
82: 

 syntax: ( (@ca-certificate-file | )?
  & (@ca-certificate-path | )?
  & (@ca-revocation-file | )?
  & (@ca-revocation-path | )?
  & (@certificate-file | )
  & (@certificate-chain-file | )?
  & (@certificate-key-file | )?
  & (@cipher-suite | )?
  & (@crypto-device | )?
  & (@password | )
  & (@protocol | )?
  & (@session-cache | )?
  & (@session-cache-timeout | )?
  & (@unclean-shutdown | )?
  & (@verify-client | )?
  & (@verify-depth | )?)

From the configuration, this is the version of OpenSSL we are on:

  OPENSSL : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
include   : /usr/include
lib   :
libraries :  -lssl -lcrypto

Any ideas?

Thanks,

Aaron

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Scott Ferguson
Sent: Tuesday, January 08, 2013 7:42 PM
To: resin-interest@caucho.com
Subject: Re: [Resin-interest] BEAST SSL Attack

On 1/5/13 5:14 PM, Keith Fetterman wrote:

Hi Scott,

We need this too.

Can you try http://caucho.com/download/resin-pro-4_0-snap.tar.gz

The configuration is true in .

-- Scott

Thanks,
Keith

On 1/2/2013 1:36 PM, Scott Ferguson wrote:

On 1/2/13 11:58 AM, Aaron Freeman wrote:

We have now been scanned and been found to be non-compliant due to lack of
the ability to order ciphers. Is there any timeframe we might expect even
a snapshot to have this capability?

I'll see if I can get a snapshot this week.

-- Scott

Thanks,

Aaron

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Wednesday, December 05, 2012 10:51 AM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

Very good, I appreciate the feedback.

Thanks,

Aaron

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Paul Cowan
Sent: Wednesday, December 05, 2012 9:02 AM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

Hi Folks,

Resin does not support "SSLHonorCipherOrder" yet. We already received a
request from another customer and there is a feature request for this here:

http://bugs.caucho.com/view.php?id=5282

This is an OpenSSL feature, not JSSE. We'll be implementing it in an
upcoming release. Probably it will be in 4.0.44, as .43 is due for release
soon.

Thanks,

Paul

On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote:

Knut,

Thanks a bunch for your reply. I saw you referencing another email you
sent, but this is the only one I saw come through the group.

At any rate, we are already using the cipher-suites feature, but in this
case that's not enough. They are telling us that we actually have to be
able to prioritize the order that the suites are negotiated on the server
side. The only cipher suites guaranteed not to have the BEAST attack issue
are ones that aren't widespread yet (TLSv1.1); however, if we can put TLSv1.0
in a specific order that will suffice for PCI compliance.

This bug for Tomcat addresses the issue and gives good details about a
directive, SSLHonorCipherOrder, that handles the problem:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53481

Any other ideas for Resin?

Aaron

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Knut Forkalsrud
Sent: Tuesday, December 04, 2012 9:31 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEA