Re: [Resin-interest] BEAST SSL Attack
On a whim we looked to see if there was a new snapshot, and there was, so we tried it. Looks like the honor-cipher-order addition is working great. We were able to get it to show that we are compliant, so we will be doing more internal testing to make sure the snapshot is stable enough and then we will roll it out.

Thanks a bunch!

Aaron

From: resin-interest-boun...@caucho.com On Behalf Of Aaron Freeman
Sent: Friday, January 18, 2013 10:09 AM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

OK, just keep us posted.

Thanks,
Aaron

From: resin-interest-boun...@caucho.com On Behalf Of Aaron Freeman
Sent: Monday, January 14, 2013 2:01 PM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

Still needing a little assistance on this one.

Thanks,
Aaron

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
Re: [Resin-interest] BEAST SSL Attack
We're getting scanned today. Any hope on this?

Thanks,
Aaron

From: resin-interest-boun...@caucho.com On Behalf Of Aaron Freeman
Sent: Monday, January 14, 2013 2:01 PM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

Still needing a little assistance on this one.

Thanks,
Aaron

From: resin-interest-boun...@caucho.com On Behalf Of Aaron Freeman
Sent: Wednesday, December 05, 2012 10:51 AM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

Very good, I appreciate the feedback.

Thanks,
Aaron

From: resin-interest-boun...@caucho.com On Behalf Of Paul Cowan
Sent: Wednesday, December 05, 2012 9:02 AM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

Hi Folks,

Resin does not support SSLHonorCipherOrder yet. We already received a request from another customer and there is a feature request for this here: http://bugs.caucho.com/view.php?id=5282

This is an OpenSSL feature, not JSSE. We'll be implementing it in an upcoming release. Probably it will be in 4.0.44, as .43 is due for release soon.

Thanks,
Paul
Re: [Resin-interest] BEAST SSL Attack
On Jan 18, 2013, at 10:18 AM, Aaron Freeman <aaron.free...@layerz.com> wrote:

We're getting scanned today. Any hope on this?

I just tested that Resin snapshot - the honor-cipher-order is not in that jar. I think there was a mistake in the SCM checkin or Scott may have built the archive too soon. We'll try to put up a new snapshot today/soon, but I'm not certain it's possible with various other bug fixes in progress.

Thanks,
Paul

Thanks,
Aaron

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
Re: [Resin-interest] BEAST SSL Attack
OK, just keep us posted.

Thanks,
Aaron

From: resin-interest-boun...@caucho.com On Behalf Of Paul Cowan
Sent: Friday, January 18, 2013 10:01 AM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

On Jan 18, 2013, at 10:18 AM, Aaron Freeman <aaron.free...@layerz.com> wrote:

We're getting scanned today. Any hope on this?

I just tested that Resin snapshot - the honor-cipher-order is not in that jar. I think there was a mistake in the SCM checkin or Scott may have built the archive too soon. We'll try to put up a new snapshot today/soon, but I'm not certain it's possible with various other bug fixes in progress.

Thanks,
Paul

Thanks,
Aaron

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
Re: [Resin-interest] BEAST SSL Attack
Hmm, we were able to swap out jsse for openssl and get that working without any issues using the snapshot you recommend below. However, when we add honor-cipher-order under the openssl node, we get this error:

[root@alpha bin]# ./www.sh start
/opt/sendthisfile/server/conf/www.xml:80: honor-cipher-order is an unexpected tag (parent openssl starts at 75).

78:     <password>password</password>
79:     <cipher-suite>!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL</cipher-suite>
80:     <honor-cipher-order>true</honor-cipher-order>
81:   </openssl>
82: </http>

openssl syntax:
( (@ca-certificate-file | ca-certificate-file)?
  (@ca-certificate-path | ca-certificate-path)?
  (@ca-revocation-file | ca-revocation-file)?
  (@ca-revocation-path | ca-revocation-path)?
  (@certificate-file | certificate-file)
  (@certificate-chain-file | certificate-chain-file)?
  (@certificate-key-file | certificate-key-file)?
  (@cipher-suite | cipher-suite)?
  (@crypto-device | crypto-device)?
  (@password | password)
  (@protocol | protocol)?
  (@session-cache | session-cache)?
  (@session-cache-timeout | session-cache-timeout)?
  (@unclean-shutdown | unclean-shutdown)?
  (@verify-client | verify-client)?
  (@verify-depth | verify-depth)?)

From the configuration, this is the version of OpenSSL we are on:

OPENSSL     : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
  include   : /usr/include
  lib       :
  libraries : -lssl -lcrypto

Any ideas?

Thanks,
Aaron

From: resin-interest-boun...@caucho.com On Behalf Of Scott Ferguson
Sent: Tuesday, January 08, 2013 7:42 PM
To: resin-interest@caucho.com
Subject: Re: [Resin-interest] BEAST SSL Attack

On 1/5/13 5:14 PM, Keith Fetterman wrote:

Hi Scott,

We need this too.

Can you try http://caucho.com/download/resin-pro-4_0-snap.tar.gz

The configuration is <honor-cipher-order>true</honor-cipher-order> in <openssl>.

-- Scott

Thanks,
Keith

On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote:

Knut,

Thanks a bunch for your reply. I saw you referencing another email you sent, but this is the only one I saw come through the group.

At any rate, we are already using the cipher-suites feature, but in this case that's not enough. They are telling us that we actually have to be able to prioritize the order that the suites are negotiated on the server side. The only cipher suites guaranteed not to have the BEAST attack issue are ones that aren't widespread yet (TLSv1.1); however, if we can put TLSv1.0 in a specific order, that will suffice for PCI compliance.

This bug for Tomcat addresses the issue and gives good details about a directive, SSLHonorCipherOrder, that handles the problem: https://issues.apache.org/bugzilla/show_bug.cgi?id=53481

Any other ideas for Resin?

Aaron

From: resin-interest-boun...@caucho.com On Behalf Of Knut Forkalsrud
Sent: Tuesday, December 04, 2012 9:31 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

Actually, I got it wrong in my previous mail. The feature should be working. There is a ticket describing the feature: http://bugs.caucho.com/view.php?id=3593
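The requirement Aaron describes above, that the server rather than the client decides which of the mutually supported cipher suites is used, is the single knob this whole thread turns on. The Python below is an added example (not code from the thread or from Resin/Caucho) that models that selection step for the TLS 1.0 to 1.2 handshake and includes a probe, built on the standard ssl module, that a defender can point at a server of their own to check the setting the way a PCI scanner would. The suite lists, the hypothetical client, and the host names in it are constructed.

```python
"""Cipher-suite selection with and without server-side order preference.

Added example, not Resin or Caucho code.  It models the TLS 1.0-1.2 suite
selection step that Apache's SSLHonorCipherOrder and Resin's
honor-cipher-order control, and adds a live probe built on Python's ssl
module that a defender can point at their own server to check the setting
the way a compliance scanner does.  All suite lists and host names here are
constructed.
"""
import socket
import ssl
from typing import Optional, Sequence

# Constructed server preference list in the spirit of the thread's
# cipher-suite string "...:RC4-SHA:RC4-MD5:ALL": the stream cipher first,
# then the CBC suites BEAST targets.  RC4 was itself prohibited later
# (RFC 7465); this is the 2012-era ordering under discussion, not advice.
SERVER_PREFERENCE = ["RC4-SHA", "RC4-MD5", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]

# Constructed ClientHello list for a client that prefers CBC suites.
CLIENT_PREFERENCE = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"]


def negotiate(client: Sequence[str], server: Sequence[str],
              honor_server_order: bool) -> Optional[str]:
    """Return the suite the server selects, or None when nothing overlaps.

    Without server preference the server walks the client's list and takes
    the first suite it also supports (so the client decides).  With it, the
    server walks its own list and takes the first suite the client offered.
    """
    if honor_server_order:
        preferred, candidates = server, set(client)
    else:
        preferred, candidates = client, set(server)
    for suite in preferred:
        if suite in candidates:
            return suite
    return None


def order_matters(client: Sequence[str], server: Sequence[str]) -> bool:
    """True when the setting changes the outcome for this client/server pair."""
    return negotiate(client, server, True) != negotiate(client, server, False)


def _handshake(host: str, port: int, ciphers: str, timeout: float) -> Optional[str]:
    """One TLS 1.2 handshake offering `ciphers` in that order; returns the
    suite the server chose, or None if the connection or handshake failed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.3 has a fixed suite set
    ctx.load_default_certs()
    ctx.set_ciphers(ciphers)                       # string order = offered order
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (OSError, ssl.SSLError):
        return None


def probe_server_order(host: str, port: int = 443,
                       suites: Sequence[str] = ("AES128-GCM-SHA256",
                                                "AES256-GCM-SHA384"),
                       timeout: float = 5.0) -> Optional[bool]:
    """Check whether a live server applies its own cipher order.

    First confirms the server accepts each of two suites on its own (if it
    supported only one, both orderings would trivially agree and the test
    would say nothing), then offers both in opposite orders.  A server that
    honours its order picks the same suite both times; one that follows the
    client flips.  Returns None when the server cannot be tested this way.
    """
    a, b = suites[0], suites[1]
    if _handshake(host, port, a, timeout) != a or _handshake(host, port, b, timeout) != b:
        return None
    first = _handshake(host, port, f"{a}:{b}", timeout)
    second = _handshake(host, port, f"{b}:{a}", timeout)
    if first is None or second is None:
        return None
    return first == second


if __name__ == "__main__":
    for honor in (False, True):
        print(f"honor-cipher-order={str(honor).lower():5} ->",
              negotiate(CLIENT_PREFERENCE, SERVER_PREFERENCE, honor))
    # probe_server_order("your.host.example") against a host you operate
```

Run stand-alone, the script shows the finding the scanner raised: the same server list yields AES256-SHA (a CBC suite) when the client's order wins and RC4-SHA when the server's does. For background not stated in the thread: the Apache directive maps to OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE option, which is presumably what an OpenSSL-backed setting like Resin's honor-cipher-order toggles, and JSSE later gained its own switch, SSLParameters.setUseCipherSuitesOrder(true), in Java 8, so Paul's "OpenSSL feature, not JSSE" remark describes the state of things in late 2012.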
Re: [Resin-interest] BEAST SSL Attack
On 1/5/13 5:14 PM, Keith Fetterman wrote:

Hi Scott,

We need this too.

Can you try http://caucho.com/download/resin-pro-4_0-snap.tar.gz

The configuration is <honor-cipher-order>true</honor-cipher-order> in <openssl>.

-- Scott

Thanks,
Keith

On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud <knut-cau...@forkalsrud.org> wrote:

In the days of Resin 2.1.4 and onwards (http://www.caucho.com/resin-3.1/changes/changes-2.xtp) there was such a feature, however it seems to have lapsed. I remember because there was a similar issue with MSIE (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217). In my good old copy of Resin 3.1.8 there are remains of the feature. If you bring up the source code for com.caucho.vfs.JsseSSLFactory.create(host, port) you will find a block of code commented out. Then there was a second incarnation where you could specify cipher suites. That seems to have died some time around Aug 2009 with the commit: https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java

I suspect you could get it going again if you have the fortitude to play around with Resin's source code and build your own.

Good luck,
Knut Forkalsrud

On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman <aaron.free...@layerz.com> wrote:

SSL BEAST

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest

===
Paul Cowan, Software Engineer
Caucho Technology
co...@caucho.com
http://blog.caucho.com
http://twitter.com/cauchoresin

--
Keith Fetterman
206-780-5670
Mariner Supply, Inc.
kfetter...@go2marine.com
http://www.go2marine.com
http://www.boatersline.com
Re: [Resin-interest] BEAST SSL Attack
Hi Scott,

We need this too.

Thanks,
Keith

On 1/2/2013 1:36 PM, Scott Ferguson wrote:

On 1/2/13 11:58 AM, Aaron Freeman wrote:

We have now been scanned and been found to be non-compliant due to lack of the ability to order ciphers. Is there any timeframe we might expect even a snapshot to have this capability?

I'll see if I can get a snapshot this week.

-- Scott

Thanks,
Aaron

--
Keith Fetterman
206-780-5670
Mariner Supply, Inc.
kfetter...@go2marine.com
http://www.go2marine.com
http://www.boatersline.com

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
Re: [Resin-interest] BEAST SSL Attack
On 1/2/13 11:58 AM, Aaron Freeman wrote:

We have now been scanned and been found to be non-compliant due to lack of the ability to order ciphers. Is there any timeframe we might expect even a snapshot to have this capability?

I'll see if I can get a snapshot this week.

-- Scott

Thanks,
Aaron

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
Re: [Resin-interest] BEAST SSL Attack
Awesome, looking forward to it!

-a

From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Scott Ferguson
Sent: Wednesday, January 02, 2013 3:37 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

On 1/2/13 11:58 AM, Aaron Freeman wrote:
We have now been scanned and been found to be non-compliant due to lack of the ability to order ciphers. Is there any timeframe we might expect even a snapshot to have this capability?

I'll see if I can get a snapshot this week.

-- Scott

Thanks,
Aaron

From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Wednesday, December 05, 2012 10:51 AM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

Very good, I appreciate the feedback.

Thanks,
Aaron

From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Paul Cowan
Sent: Wednesday, December 05, 2012 9:02 AM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

Hi Folks,

Resin does not support SSLHonorCipherOrder yet. We already received a request from another customer and there is a feature request for this here: http://bugs.caucho.com/view.php?id=5282

This is an OpenSSL feature, not JSSE. We'll be implementing it in an upcoming release. Probably it will be in 4.0.44, as .43 is due for release soon.

Thanks,
Paul

On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote:

Knut,

Thanks a bunch for your reply. I saw you referencing another email you sent, but this is the only one I saw come through the group.

At any rate, we are already using the cipher-suites feature, but in this case that's not enough. They are telling us that we actually have to be able to prioritize the order that the suites are negotiated on the server side. The only cipher suites guaranteed not to have the BEAST attack issue are ones that aren't widespread yet (TLSv1.1); however, if we can put TLSv1.0 in a specific order that will suffice for PCI compliance.

This bug for Tomcat addresses the issue and gives good details about a directive, SSLHonorCipherOrder, that handles the problem: https://issues.apache.org/bugzilla/show_bug.cgi?id=53481

Any other ideas for Resin?

Aaron

From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Knut Forkalsrud
Sent: Tuesday, December 04, 2012 9:31 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

Actually, I got it wrong in my previous mail. The feature should be working. There is a ticket describing the feature: http://bugs.caucho.com/view.php?id=3593

On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud knut-cau...@forkalsrud.org wrote:

In the days of Resin 2.1.4 and onwards http://www.caucho.com/resin-3.1/changes/changes-2.xtp there was such a feature, however it seems to have lapsed. I remember because there was a similar issue with MSIE http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217. In my good old copy of Resin 3.1.8 there are remains of the feature. If you bring up the source code for com.caucho.vfs.JsseSSLFactory.create(host, port) you will find a block of code commented out. Then there was a second incarnation where you could specify cipher suites. That seems to have died some time around Aug 2009 with the commit: https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java

I suspect you could get it going again if you have the fortitude to play around with Resin's source code and build your own.

Good luck,
Knut Forkalsrud

On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman aaron.free...@layerz.com wrote:
SSL BEAST

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest

===
Paul Cowan, Software Engineer
Caucho Technology
co...@caucho.com
http://blog.caucho.com
http://twitter.com/cauchoresin
Re: [Resin-interest] BEAST SSL Attack
Knut,

Thanks a bunch for your reply. I saw you referencing another email you sent, but this is the only one I saw come through the group.

At any rate, we are already using the cipher-suites feature, but in this case that's not enough. They are telling us that we actually have to be able to prioritize the order that the suites are negotiated on the server side. The only cipher suites guaranteed not to have the BEAST attack issue are ones that aren't widespread yet (TLSv1.1); however, if we can put TLSv1.0 in a specific order that will suffice for PCI compliance.

This bug for Tomcat addresses the issue and gives good details about a directive, SSLHonorCipherOrder, that handles the problem: https://issues.apache.org/bugzilla/show_bug.cgi?id=53481

Any other ideas for Resin?

Aaron

From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Knut Forkalsrud
Sent: Tuesday, December 04, 2012 9:31 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

Actually, I got it wrong in my previous mail. The feature should be working. There is a ticket describing the feature: http://bugs.caucho.com/view.php?id=3593

On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud knut-cau...@forkalsrud.org wrote:

In the days of Resin 2.1.4 and onwards http://www.caucho.com/resin-3.1/changes/changes-2.xtp there was such a feature, however it seems to have lapsed. I remember because there was a similar issue with MSIE http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217. In my good old copy of Resin 3.1.8 there are remains of the feature. If you bring up the source code for com.caucho.vfs.JsseSSLFactory.create(host, port) you will find a block of code commented out. Then there was a second incarnation where you could specify cipher suites. That seems to have died some time around Aug 2009 with the commit: https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java

I suspect you could get it going again if you have the fortitude to play around with Resin's source code and build your own.

Good luck,
Knut Forkalsrud

On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman aaron.free...@layerz.com wrote:
SSL BEAST

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
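What the compliance scanner is actually testing in the message above, and why ordering matters separately from which suites are enabled, as an added example that is not part of the thread and is not Resin code. It is written in Python rather than Resin's Java because the check is the one a scanner runs from outside the server with a plain TLS client. Everything in it is constructed for illustration: the SERVER_ORDER and CBC_SUITES lists, the client lists, and the function names select_cipher, server_enforces_order and probe_server_order. select_cipher models the two selection rules (follow the client's order, which is OpenSSL's default, or follow the server's order, which is what SSLHonorCipherOrder / Resin's later honor-cipher-order turn on); server_enforces_order runs the scanner's two-orderings test on that model; probe_server_order runs the same test against a real host with Python's ssl module.

```python
"""Added example (not from the thread or from Resin): a model of how a TLS
server picks a cipher suite with and without server-side cipher order, plus a
scanner-style probe against a live host. Suite names and lists are constructed
for illustration."""
import socket
import ssl

# Constructed server configuration: RC4 first, CBC suites after it. This is
# the 2012-era BEAST mitigation the thread is discussing, not current advice:
# RC4 is prohibited by RFC 7465 and absent from modern OpenSSL builds.
SERVER_ORDER = ["RC4-SHA", "RC4-MD5", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]

# TLS 1.0 CBC-mode suites, the ones BEAST targets (constructed subset).
CBC_SUITES = {"AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"}


def select_cipher(client_offered, server_enabled, honor_server_order):
    """Return the suite a server negotiates from a ClientHello.

    honor_server_order=False: the first suite in the client's list that the
    server also enables (OpenSSL default, SSLHonorCipherOrder off).
    honor_server_order=True: the first suite in the server's list that the
    client also offers (SSLHonorCipherOrder on).
    Returns None when there is no common suite (handshake_failure).
    """
    preferred, other = (
        (server_enabled, client_offered) if honor_server_order
        else (client_offered, server_enabled)
    )
    other_set = set(other)
    return next((s for s in preferred if s in other_set), None)


def server_enforces_order(server_enabled, honor_server_order, suite_a, suite_b):
    """Scanner-style check on the model: offer two suites in both orders and
    report whether the server picks the same one each time. A server that
    honours its own order is insensitive to the client's ordering."""
    first = select_cipher([suite_a, suite_b], server_enabled, honor_server_order)
    second = select_cipher([suite_b, suite_a], server_enabled, honor_server_order)
    return first is not None and first == second


def probe_server_order(host, port, suite_a, suite_b, timeout=5.0):
    """Live version of the check using Python's ssl module: connect twice,
    offering suite_a:suite_b and then suite_b:suite_a, and return
    (same_choice, [chosen_first, chosen_second]).

    TLS 1.3 suites are not governed by set_ciphers(), so the probe is capped
    at TLS 1.2. Certificate verification is disabled because the probe
    measures negotiation, not trust; do not reuse this context for real
    traffic. Use suites your OpenSSL build actually has, e.g. two ECDHE
    AES-GCM suites; RC4-SHA will be rejected by set_ciphers() today.
    """
    chosen = []
    for order in (f"{suite_a}:{suite_b}", f"{suite_b}:{suite_a}"):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # must precede verify_mode = CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(order)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                chosen.append(tls.cipher()[0])
    return chosen[0] == chosen[1], chosen


if __name__ == "__main__":
    # A constructed client that prefers CBC, as many 2012 browsers did.
    browser = ["AES128-SHA", "AES256-SHA", "RC4-SHA", "DES-CBC3-SHA"]
    for honor in (False, True):
        suite = select_cipher(browser, SERVER_ORDER, honor)
        print(f"honor_server_order={honor}: negotiated {suite}, "
              f"BEAST-exposed={suite in CBC_SUITES}")
    # Same enabled suites both times; only the ordering flag changes the
    # outcome. Restricting the enabled list alone does not, unless every
    # CBC suite is removed from it.
    for honor in (False, True):
        print(f"honor_server_order={honor}: scanner passes="
              f"{server_enforces_order(SERVER_ORDER, honor, 'AES128-SHA', 'RC4-SHA')}")
```

Running the script shows the CBC-preferring client landing on AES128-SHA when the server follows client order and on RC4-SHA when the server enforces its own, with the two-orderings check failing in the first case and passing in the second. For a live target, call probe_server_order("host", 443, suite_a, suite_b) with two suites the host supports; a server that returns different suites for the two orderings is following the client and would fail this part of a scan. Putting RC4 first was the accepted workaround at the time of the thread; today the equivalent step is disabling TLS 1.0 and the CBC suites rather than preferring RC4.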
Re: [Resin-interest] BEAST SSL Attack
Hi Folks,

Resin does not support SSLHonorCipherOrder yet. We already received a request from another customer and there is a feature request for this here: http://bugs.caucho.com/view.php?id=5282

This is an OpenSSL feature, not JSSE. We'll be implementing it in an upcoming release. Probably it will be in 4.0.44, as .43 is due for release soon.

Thanks,
Paul

On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote:

Knut,

Thanks a bunch for your reply. I saw you referencing another email you sent, but this is the only one I saw come through the group.

At any rate, we are already using the cipher-suites feature, but in this case that's not enough. They are telling us that we actually have to be able to prioritize the order that the suites are negotiated on the server side. The only cipher suites guaranteed not to have the BEAST attack issue are ones that aren't widespread yet (TLSv1.1); however, if we can put TLSv1.0 in a specific order that will suffice for PCI compliance.

This bug for Tomcat addresses the issue and gives good details about a directive, SSLHonorCipherOrder, that handles the problem: https://issues.apache.org/bugzilla/show_bug.cgi?id=53481

Any other ideas for Resin?

Aaron

From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Knut Forkalsrud
Sent: Tuesday, December 04, 2012 9:31 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

Actually, I got it wrong in my previous mail. The feature should be working. There is a ticket describing the feature: http://bugs.caucho.com/view.php?id=3593

On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud knut-cau...@forkalsrud.org wrote:

In the days of Resin 2.1.4 and onwards there was such a feature, however it seems to have lapsed. I remember because there was a similar issue with MSIE http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217. In my good old copy of Resin 3.1.8 there are remains of the feature. If you bring up the source code for com.caucho.vfs.JsseSSLFactory.create(host, port) you will find a block of code commented out. Then there was a second incarnation where you could specify cipher suites. That seems to have died some time around Aug 2009 with the commit: https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java

I suspect you could get it going again if you have the fortitude to play around with Resin's source code and build your own.

Good luck,
Knut Forkalsrud

On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman aaron.free...@layerz.com wrote:
SSL BEAST

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest

===
Paul Cowan, Software Engineer
Caucho Technology
co...@caucho.com
http://blog.caucho.com
http://twitter.com/cauchoresin
Re: [Resin-interest] BEAST SSL Attack
In the days of Resin 2.1.4 and onwards http://www.caucho.com/resin-3.1/changes/changes-2.xtp there was such a feature, however it seems to have lapsed. I remember because there was a similar issue with MSIE http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217. In my good old copy of Resin 3.1.8 there are remains of the feature. If you bring up the source code for com.caucho.vfs.JsseSSLFactory.create(host, port) you will find a block of code commented out. Then there was a second incarnation where you could specify cipher suites. That seems to have died some time around Aug 2009 with the commit: https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java

I suspect you could get it going again if you have the fortitude to play around with Resin's source code and build your own.

Good luck,
Knut Forkalsrud

On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman aaron.free...@layerz.com wrote:
SSL BEAST

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
Re: [Resin-interest] BEAST SSL Attack
Actually, I got it wrong in my previous mail. The feature should be working. There is a ticket describing the feature: http://bugs.caucho.com/view.php?id=3593

On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud knut-cau...@forkalsrud.org wrote:

In the days of Resin 2.1.4 and onwards http://www.caucho.com/resin-3.1/changes/changes-2.xtp there was such a feature, however it seems to have lapsed. I remember because there was a similar issue with MSIE http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217. In my good old copy of Resin 3.1.8 there are remains of the feature. If you bring up the source code for com.caucho.vfs.JsseSSLFactory.create(host, port) you will find a block of code commented out. Then there was a second incarnation where you could specify cipher suites. That seems to have died some time around Aug 2009 with the commit: https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java

I suspect you could get it going again if you have the fortitude to play around with Resin's source code and build your own.

Good luck,
Knut Forkalsrud

On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman aaron.free...@layerz.com wrote:
SSL BEAST

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest