On Feb 12, 2013, at 8:05 PM, Aaron Freeman <aaron.free...@layerz.com> wrote:
> On a whim we looked to see if there was a new snapshot, and there was, so we > tried it. Looks like the honor-cipher-code addition is working great. We > were able to get it to show that we are compliant – so we will be doing more > internal testing to make sure the snapshot is stable enough and then we will > roll it out. That fix is actually in 4.0.34, although 4.0.35 will be on the website today. I see we're a little behind on the release notes on caucho.com. This link is handy to refer to as it's always updated based on fixed bugs: http://bugs.caucho.com/changelog_page.php Thanks, Paul > > Thanks a bunch! > > Aaron > > > From: resin-interest-boun...@caucho.com > [mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman > Sent: Friday, January 18, 2013 10:09 AM > To: 'General Discussion for the Resin application server' > Subject: Re: [Resin-interest] BEAST SSL Attack > > OK, just keep us posted. > > Thanks, > > Aaron > > > From: resin-interest-boun...@caucho.com > [mailto:resin-interest-boun...@caucho.com] On Behalf Of Paul Cowan > Sent: Friday, January 18, 2013 10:01 AM > To: General Discussion for the Resin application server > Subject: Re: [Resin-interest] BEAST SSL Attack > > > On Jan 18, 2013, at 10:18 AM, Aaron Freeman <aaron.free...@layerz.com> wrote: > > > We’re getting scanned today. Any hope on this? > > I just tested that Resin snapshot - the <honor-cipher-order> is not in that > jar. I think there was a mistake in the SCM checkin or Scott may have built > the archive to soon. We'll try to put up a new snapshot today/soon, but I'm > not certain it's possible with various other bug fixes in progress. > > Thanks, > Paul > > > Thanks, > > Aaron > > > From: resin-interest-boun...@caucho.com > [mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman > Sent: Monday, January 14, 2013 2:01 PM > To: 'General Discussion for the Resin application server' > Subject: Re: [Resin-interest] BEAST SSL Attack > > Still needing a little assistance on this one. > Thanks, > > Aaron > > > From: resin-interest-boun...@caucho.com > [mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman > Sent: Thursday, January 10, 2013 2:12 PM > To: 'General Discussion for the Resin application server' > Subject: Re: [Resin-interest] BEAST SSL Attack > > Hmm, we were able to swap out jsse for openssl and get that working without > any issues using the snapshot you recommend below. However when we add > <honor-cipher-order> under the <openssl> node, we get this error: > > [root@alpha bin]# ./www.sh start > /opt/sendthisfile/server/conf/www.xml:80: <honor-cipher-order> is an > unexpected tag (parent <openssl> starts at 75). > > 78: <password>password</password> > 79: > <cipher-suite>!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL</cipher-suite> > 80: <honor-cipher-order>true</honor-cipher-order> > 81: </openssl> > 82: </http> > > <openssl> syntax: ( (@ca-certificate-file | <ca-certificate-file>)? > & (@ca-certificate-path | <ca-certificate-path>)? > & (@ca-revocation-file | <ca-revocation-file>)? > & (@ca-revocation-path | <ca-revocation-path>)? > & (@certificate-file | <certificate-file>) > & (@certificate-chain-file | <certificate-chain-file>)? > & (@certificate-key-file | <certificate-key-file>)? > & (@cipher-suite | <cipher-suite>)? > & (@crypto-device | <crypto-device>)? > & (@password | <password>) > & (@protocol | <protocol>)? > & (@session-cache | <session-cache>)? > & (@session-cache-timeout | <session-cache-timeout>)? > & (@unclean-shutdown | <unclean-shutdown>)? > & (@verify-client | <verify-client>)? > & (@verify-depth | <verify-depth>)?) > > > From the configuration, this is the version of OpenSSL we are on: > > OPENSSL : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 > include : /usr/include > lib : > libraries : -lssl -lcrypto > > Any ideas? > > Thanks, > > Aaron > > > > _______________________________________________ > resin-interest mailing list > resin-interest@caucho.com > http://maillist.caucho.com/mailman/listinfo/resin-interest ======================= Paul Cowan, Software Engineer Caucho Technology co...@caucho.com http://blog.caucho.com http://twitter.com/cauchoresin
_______________________________________________ resin-interest mailing list resin-interest@caucho.com http://maillist.caucho.com/mailman/listinfo/resin-interest