Re: [Resin-interest] BEAST SSL Attack

2013-02-14 Thread Paul Cowan

On Feb 12, 2013, at 8:05 PM, Aaron Freeman aaron.free...@layerz.com wrote:

 On a whim we looked to see if there was a new snapshot, and there was, so we 
 tried it.  Looks like the honor-cipher-order addition is working great.   We 
 were able to get it to show that we are compliant – so we will be doing more 
 internal testing to make sure the snapshot is stable enough and then we will 
 roll it out.

That fix is actually in 4.0.34, although 4.0.35 will be on the website today.

I see we're a little behind on the release notes on caucho.com.  

This link is handy to refer to as it's always updated based on fixed bugs:

http://bugs.caucho.com/changelog_page.php

Thanks,
Paul



  

===
Paul Cowan, Software Engineer
Caucho Technology
co...@caucho.com
http://blog.caucho.com
http://twitter.com/cauchoresin

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest


Re: [Resin-interest] BEAST SSL Attack

2013-02-12 Thread Aaron Freeman
On a whim we looked to see if there was a new snapshot, and there was, so we
tried it.  Looks like the honor-cipher-order addition is working great.   We
were able to get it to show that we are compliant - so we will be doing more
internal testing to make sure the snapshot is stable enough and then we will
roll it out.

 

Thanks a bunch!

 

Aaron

 

 



Re: [Resin-interest] BEAST SSL Attack

2013-01-18 Thread Aaron Freeman
We're getting scanned today.   Any hope on this?

 

Thanks,

 

Aaron

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Monday, January 14, 2013 2:01 PM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

 

Still needing a little assistance on this one. 

Thanks,

 

Aaron

 

 


Re: [Resin-interest] BEAST SSL Attack

2013-01-18 Thread Paul Cowan

On Jan 18, 2013, at 10:18 AM, Aaron Freeman aaron.free...@layerz.com wrote:

 We’re getting scanned today.   Any hope on this?

I just tested that Resin snapshot - the honor-cipher-order is not in that 
jar.  I think there was a mistake in the SCM checkin or Scott may have built 
the archive too soon.  We'll try to put up a new snapshot today/soon, but I'm 
not certain it's possible with various other bug fixes in progress.

Thanks,
Paul

  


Re: [Resin-interest] BEAST SSL Attack

2013-01-18 Thread Aaron Freeman
OK, just keep us posted.

 

Thanks,

 

Aaron

 

 



Re: [Resin-interest] BEAST SSL Attack

2013-01-10 Thread Aaron Freeman
Hmm, we were able to swap out jsse for openssl and get that working without
any issues using the snapshot you recommend below.  However when we add
honor-cipher-order under the openssl node, we get this error:

 

[root@alpha bin]# ./www.sh start
/opt/sendthisfile/server/conf/www.xml:80: honor-cipher-order is an
unexpected tag (parent openssl starts at 75).

78: <password>password</password>
79: <cipher-suite>!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL</cipher-suite>
80: <honor-cipher-order>true</honor-cipher-order>
81: </openssl>
82: </http>

 

openssl syntax: ( (@ca-certificate-file | ca-certificate-file)?
                  (@ca-certificate-path | ca-certificate-path)?
                  (@ca-revocation-file | ca-revocation-file)?
                  (@ca-revocation-path | ca-revocation-path)?
                  (@certificate-file | certificate-file)
                  (@certificate-chain-file | certificate-chain-file)?
                  (@certificate-key-file | certificate-key-file)?
                  (@cipher-suite | cipher-suite)?
                  (@crypto-device | crypto-device)?
                  (@password | password)
                  (@protocol | protocol)?
                  (@session-cache | session-cache)?
                  (@session-cache-timeout | session-cache-timeout)?
                  (@unclean-shutdown | unclean-shutdown)?
                  (@verify-client | verify-client)?
                  (@verify-depth | verify-depth)?)

 

 

From the configuration, this is the version of OpenSSL we are on:

 

  OPENSSL   : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
  include   : /usr/include
  lib       :
  libraries : -lssl -lcrypto

 

Any ideas?

 

Thanks,

 

Aaron

 

 

 

 


Re: [Resin-interest] BEAST SSL Attack

2013-01-08 Thread Scott Ferguson

On 1/5/13 5:14 PM, Keith Fetterman wrote:

Hi Scott,

We need this too.

Can you try http://caucho.com/download/resin-pro-4_0-snap.tar.gz

The configuration is <honor-cipher-order>true</honor-cipher-order> in 
<openssl>.


-- Scott



Thanks,
Keith

On 1/2/2013 1:36 PM, Scott Ferguson wrote:

On 1/2/13 11:58 AM, Aaron Freeman wrote:


We have now been scanned and been found to be non-compliant due to 
lack of the ability to order ciphers.   Is there any timeframe we 
might expect even a snapshot to have this capability?




I'll see if I can get a snapshot this week.

-- Scott


Thanks,

Aaron

From: resin-interest-boun...@caucho.com 
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Wednesday, December 05, 2012 10:51 AM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

Very good, I appreciate the feedback.

Thanks,

Aaron

From: resin-interest-boun...@caucho.com 
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Paul Cowan
Sent: Wednesday, December 05, 2012 9:02 AM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

Hi Folks,

Resin does not support SSLHonorCipherOrder yet.  We already 
received a request from another customer and there is a feature 
request for this here:


http://bugs.caucho.com/view.php?id=5282

This is an OpenSSL feature, not JSSE.  We'll be implementing it in 
an upcoming release.  Probably it will be in 4.0.44, as .43 is due 
for release soon.


Thanks,

Paul

On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote:

Knut,

Thanks a bunch for your reply.   I saw you referencing another email 
you sent, but this is the only one I saw come through the group.


At any rate, we are already using the cipher-suites feature, but in 
this case that's not enough.   They are telling us that we actually 
have to be able to prioritize the order that the suites are 
negotiated on the server side.  The only cipher suites guaranteed 
not to have the BEAST attack issue are ones that aren't widespread 
yet (TLSv1.1); however, if we can put TLSv1.0 in a specific order that 
will suffice for PCI compliance.


This bug for Tomcat addresses the issue and gives good details about 
a directive, SSLHonorCipherOrder, that handles the problem: 
https://issues.apache.org/bugzilla/show_bug.cgi?id=53481


Any other ideas for Resin?

Aaron

From: resin-interest-boun...@caucho.com 
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Knut Forkalsrud
Sent: Tuesday, December 04, 2012 9:31 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

Actually, I got it wrong in my previous mail.  The feature should be 
working.


There is a ticket describing the feature: 
http://bugs.caucho.com/view.php?id=3593


On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud 
knut-cau...@forkalsrud.org wrote:


In the days of Resin 2.1.4 and onwards 
(http://www.caucho.com/resin-3.1/changes/changes-2.xtp) there was 
such a feature, however it seems to have lapsed.  I remember because 
there was a similar issue with MSIE 
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217).


In my good old copy of Resin 3.1.8 there are remains of the feature.

If you bring up the source code for 
com.caucho.vfs.JsseSSLFactory.create(host, port)


you will find a block of code commented out.

Then there was a second incarnation where you could specify cipher 
suites.  That seems to have died some time around Aug 2009 with the 
commit: 
https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java


I suspect you could get it going again if you have the fortitude to 
play around with Resin's source code and build your own.


Good luck,

Knut Forkalsrud

On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman 
aaron.free...@layerz.com wrote:


SSL BEAST



-- 
Keith Fetterman        206-780-5670
Mariner Supply, Inc.   kfetter...@go2marine.com
http://www.go2marine.com
http://www.boatersline.com
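
The server-side ordering this thread turns on (Resin's honor-cipher-order, Apache's SSLHonorCipherOrder), modelled as an added example that is not Resin's or Caucho's code: it expands the thread's cipher-suite string with simplified OpenSSL list semantics over a constructed suite catalogue, negotiates against a constructed client list with the setting off and then on, and runs the two-order probe a compliance scanner uses to decide whether the server's order is in force. The catalogue contents, the client list and the order in which ALL expands are assumptions.

```python
"""Model of the two OpenSSL-side settings in this thread (added example, not
Resin's or Caucho's code): the cipher-suite string that selects and orders the
server's suites, and honor-cipher-order (Apache's SSLHonorCipherOrder), which
decides whose preference wins in the handshake. Suite names are OpenSSL-style;
the catalogue, the client list and the expansion order of ALL are assumed."""

from typing import Dict, FrozenSet, List, Optional, Sequence, Set

# Constructed catalogue: suite name -> selector tags it matches (auth, cipher, mac),
# listed roughly strongest-first, which is how this model expands "ALL".
CATALOG: Dict[str, FrozenSet[str]] = {
    "ADH-AES256-SHA":     frozenset({"aNULL", "AES256", "SHA1"}),
    "DHE-DSS-AES256-SHA": frozenset({"DSS", "AES256", "SHA1"}),
    "AES256-SHA":         frozenset({"RSA", "AES256", "SHA1"}),
    "AES128-SHA":         frozenset({"RSA", "AES128", "SHA1"}),
    "DES-CBC3-SHA":       frozenset({"RSA", "3DES", "SHA1"}),
    "RC4-SHA":            frozenset({"RSA", "RC4", "SHA1"}),
    "RC4-MD5":            frozenset({"RSA", "RC4", "MD5"}),
    "DES-CBC-SHA":        frozenset({"RSA", "DES", "SHA1"}),
    "EXP-RC4-MD5":        frozenset({"RSA", "RC4", "MD5", "EXPORT"}),
    "NULL-SHA":           frozenset({"RSA", "eNULL", "SHA1"}),
}

# The cipher-suite value from the www.xml quoted in the thread.
RESIN_CIPHER_SUITE = "!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL"


def expand_cipher_string(spec: str, catalog: Dict[str, FrozenSet[str]] = CATALOG) -> List[str]:
    """Simplified OpenSSL cipher-list semantics, enough for the thread's string:
    '!X' removes every suite matching X for good (even ones added earlier),
    'ALL' appends every remaining suite except eNULL ones, and a plain token
    appends the suites it matches by name or tag, in catalogue order.
    A token matching nothing is silently ignored, as OpenSSL does."""
    killed: Set[str] = set()
    chosen: List[str] = []
    for token in spec.split(":"):
        if token.startswith("!"):
            tag = token[1:]
            killed.update(n for n, tags in catalog.items() if tag == n or tag in tags)
            chosen = [c for c in chosen if c not in killed]
            continue
        for name, tags in catalog.items():
            if name in killed or name in chosen:
                continue
            if (token == "ALL" and "eNULL" not in tags) or token == name or token in tags:
                chosen.append(name)
    return chosen


def negotiate(server_prefs: Sequence[str], client_prefs: Sequence[str],
              honor_server_order: bool) -> Optional[str]:
    """Suite the server would put in ServerHello. Without honor-cipher-order the
    server walks the client's list and takes the first suite it also supports;
    with it, the server walks its own list and takes the first suite the client
    offered. None means no overlap (the handshake fails)."""
    if honor_server_order:
        ordered, accepted = list(server_prefs), set(client_prefs)
    else:
        ordered, accepted = list(client_prefs), set(server_prefs)
    return next((c for c in ordered if c in accepted), None)


def is_cbc_suite(cipher: Optional[str]) -> bool:
    """CBC unless the name marks a stream cipher or an AEAD mode. BEAST needs a
    CBC suite under TLS 1.0; TLS 1.1+ use a per-record IV and are not affected."""
    if cipher is None:
        return False
    return not any(tag in cipher for tag in ("RC4", "GCM", "CCM", "CHACHA20", "NULL"))


def server_enforces_order(server_prefs: Sequence[str], honor_server_order: bool,
                          probe: Sequence[str] = ("AES256-SHA", "RC4-SHA")) -> bool:
    """The check a compliance scanner runs: offer two suites the server supports,
    in both orders. The same answer both times means the server's order wins."""
    probe = [c for c in probe if c in server_prefs]
    if len(probe) < 2:
        raise ValueError("probe needs two suites the server supports")
    first = negotiate(server_prefs, probe, honor_server_order)
    second = negotiate(server_prefs, list(reversed(probe)), honor_server_order)
    return first == second


def demo() -> Dict[bool, tuple]:
    """Run the thread's cipher-suite string against a constructed 2013-era client
    that prefers AES-CBC, with honor-cipher-order off and then on."""
    server = expand_cipher_string(RESIN_CIPHER_SUITE)
    client = ["AES256-SHA", "AES128-SHA", "RC4-SHA", "DES-CBC3-SHA"]
    results = {}
    for honor in (False, True):
        chosen = negotiate(server, client, honor)
        results[honor] = (chosen, is_cbc_suite(chosen), server_enforces_order(server, honor))
    return results


if __name__ == "__main__":
    print("server order:", expand_cipher_string(RESIN_CIPHER_SUITE))
    for honor, (chosen, cbc, passes) in demo().items():
        print(f"honor-cipher-order={str(honor).lower():5} -> {chosen:13} "
              f"cbc={str(cbc):5} scanner_passes={passes}")
```

Putting RC4 at the head of the list is the 2013-era BEAST trade-off the thread discusses; RFC 7465 has since prohibited RC4 in TLS, so the lasting point here is the ordering mechanism and the scanner's probe, not the particular suites.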

Re: [Resin-interest] BEAST SSL Attack

2013-01-05 Thread Keith Fetterman

Hi Scott,

We need this too.

Thanks,
Keith

On 1/2/2013 1:36 PM, Scott Ferguson wrote:

On 1/2/13 11:58 AM, Aaron Freeman wrote:


We have now been scanned and been found to be non-compliant due to 
lack of the ability to order ciphers.   Is there any timeframe we 
might expect even a snapshot to have this capability?




I'll see if I can get a snapshot this week.

-- Scott


Thanks,

Aaron

*From:*resin-interest-boun...@caucho.com 
[mailto:resin-interest-boun...@caucho.com] *On Behalf Of *Aaron Freeman

*Sent:* Wednesday, December 05, 2012 10:51 AM
*To:* 'General Discussion for the Resin application server'
*Subject:* Re: [Resin-interest] BEAST SSL Attack

Very good, I appreciate the feedback.

Thanks,

Aaron

*From:*resin-interest-boun...@caucho.com 
[mailto:resin-interest-boun...@caucho.com] *On Behalf Of *Paul Cowan

*Sent:* Wednesday, December 05, 2012 9:02 AM
*To:* General Discussion for the Resin application server
*Subject:* Re: [Resin-interest] BEAST SSL Attack

Hi Folks,

Resin does not support SSLHonorCipherOrder yet.  We already 
received a request from another customer and there is a feature 
request for this here:


http://bugs.caucho.com/view.php?id=5282

This is an OpenSSL feature, not JSSE.  We'll be implementing it in an 
upcoming release.  Probably it will be in 4.0.44, as .43 is due for 
release soon.


Thanks,

Paul

On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote:

Knut,

Thanks a bunch for your reply.   I saw you referencing another email 
you sent, but this is the only one I saw come through the group.


At any rate, we are already using the cipher-suites feature, but in 
this case that's not enough.   They are telling us that we actually 
have to be able to prioritize the order that the suites are 
negotiated on the server side.  The only cipher suites guaranteed not 
to have the BEAST attack issue are ones that aren't wide-spread yet 
(TLSv1.1) however if we can put TLSv1.0 in a specific order that will 
suffice for PCI compliance.


This bug for Tomcat addresses the issue and gives good details about 
a directive, SSLHonorCipherOrder, that handles the 
problem:https://issues.apache.org/bugzilla/show_bug.cgi?id=53481


Any other ideas for Resin?

Aaron

*From:*resin-interest-boun...@caucho.com 
mailto:resin-interest-boun...@caucho.com[mailto:resin-interest-boun...@caucho.com]*On 
Behalf Of*Knut Forkalsrud

*Sent:*Tuesday, December 04, 2012 9:31 PM
*To:*General Discussion for the Resin application server
*Subject:*Re: [Resin-interest] BEAST SSL Attack

Actually, I got it wrong in my previous mail.  The feature should be 
working.


There is a ticket describing the feature: 
http://bugs.caucho.com/view.php?id=3593


On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud 
knut-cau...@forkalsrud.org mailto:knut-cau...@forkalsrud.org wrote:


In the days of Resin2.1.4 and onwards 
http://www.caucho.com/resin-3.1/changes/changes-2.xtpthere was such 
a feature, however it seems to have lapsed.  I remember because there 
was a similar issue with MSIE 
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217.


I my good old copy of Resin 3.1.8 there are remains the feature.

If you bring up the source code for 
com.caucho.vfs.JsseSSLFactory.create(host, port)


you will find a block of code commented out.

Then there was a second incarnation where you could specify cipher 
suites.  That seems to have dies some time around Aug 2009 with the 
commit: 
https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java


I suspect you could get it going again if you have the fortitude to 
play around with Resin's source code and build your own.


Good luck,

Knut Forkalsrud

On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman 
aaron.free...@layerz.com wrote:


SSL BEAST

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest

===
Paul Cowan, Software Engineer
Caucho Technology
co...@caucho.com
http://blog.caucho.com
http://twitter.com/cauchoresin









--
-
Keith Fetterman  206-780-5670
Mariner Supply, Inc. kfetter...@go2marine.com
http://www.go2marine.com

http://www.boatersline.com



Re: [Resin-interest] BEAST SSL Attack

2013-01-02 Thread Aaron Freeman
We have now been scanned and been found to be non-compliant due to lack of
the ability to order ciphers.   Is there any timeframe we might expect even
a snapshot to have this capability?

 

Thanks,

 

Aaron

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Wednesday, December 05, 2012 10:51 AM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

 

Very good, I appreciate the feedback. 

 

Thanks,

 

Aaron

 

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Paul Cowan
Sent: Wednesday, December 05, 2012 9:02 AM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

 

Hi Folks,

 

Resin does not support SSLHonorCipherOrder yet.  We already received a
request from another customer and there is a feature request for this here:

 

http://bugs.caucho.com/view.php?id=5282

 

This is an OpenSSL feature, not JSSE.  We'll be implementing it in an
upcoming release.  Probably it will be in 4.0.44, as .43 is due for release
soon.

 

Thanks,

Paul

 

 

On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote:

 

Knut,

 

Thanks a bunch for your reply.   I saw you referencing another email you
sent, but this is the only one I saw come through the group.

 

At any rate, we are already using the cipher-suites feature, but in this
case that's not enough.   They are telling us that we actually have to be
able to prioritize the order that the suites are negotiated on the server
side.  The only cipher suites guaranteed not to have the BEAST attack issue
are ones that aren't widespread yet (TLSv1.1); however, if we can put TLSv1.0
in a specific order, that will suffice for PCI compliance.

 

This bug for Tomcat addresses the issue and gives good details about a
directive, SSLHonorCipherOrder, that handles the problem:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53481

 

Any other ideas for Resin?

 

Aaron

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Knut Forkalsrud
Sent: Tuesday, December 04, 2012 9:31 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

 

Actually, I got it wrong in my previous mail.  The feature should be
working.

There is a ticket describing the feature:
http://bugs.caucho.com/view.php?id=3593

 

On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud knut-cau...@forkalsrud.org
wrote:

In the days of Resin 2.1.4 and onwards
(http://www.caucho.com/resin-3.1/changes/changes-2.xtp) there was such a
feature; however, it seems to have lapsed.  I remember because there was a
similar issue with MSIE:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217.

 

In my good old copy of Resin 3.1.8 there are remains of the feature.

If you bring up the source code for
com.caucho.vfs.JsseSSLFactory.create(host, port)

you will find a block of code commented out.

 

Then there was a second incarnation where you could specify cipher suites.
That seems to have died some time around Aug 2009 with the commit:
https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java

 

I suspect you could get it going again if you have the fortitude to play
around with Resin's source code and build your own.

 

Good luck,

 

Knut Forkalsrud

 

 

On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman aaron.free...@layerz.com
wrote:

SSL BEAST

 

 


 


 



Re: [Resin-interest] BEAST SSL Attack

2013-01-02 Thread Scott Ferguson

On 1/2/13 11:58 AM, Aaron Freeman wrote:


We have now been scanned and been found to be non-compliant due to 
lack of the ability to order ciphers.   Is there any timeframe we 
might expect even a snapshot to have this capability?




I'll see if I can get a snapshot this week.

-- Scott


Thanks,

Aaron

*From:*resin-interest-boun...@caucho.com 
[mailto:resin-interest-boun...@caucho.com] *On Behalf Of *Aaron Freeman

*Sent:* Wednesday, December 05, 2012 10:51 AM
*To:* 'General Discussion for the Resin application server'
*Subject:* Re: [Resin-interest] BEAST SSL Attack

Very good, I appreciate the feedback.

Thanks,

Aaron

*From:*resin-interest-boun...@caucho.com 
[mailto:resin-interest-boun...@caucho.com] *On Behalf Of *Paul Cowan

*Sent:* Wednesday, December 05, 2012 9:02 AM
*To:* General Discussion for the Resin application server
*Subject:* Re: [Resin-interest] BEAST SSL Attack

Hi Folks,

Resin does not support SSLHonorCipherOrder yet.  We already received 
a request from another customer and there is a feature request for 
this here:


http://bugs.caucho.com/view.php?id=5282

This is an OpenSSL feature, not JSSE.  We'll be implementing it in an 
upcoming release.  Probably it will be in 4.0.44, as .43 is due for 
release soon.


Thanks,

Paul

On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote:

Knut,

Thanks a bunch for your reply.   I saw you referencing another email 
you sent, but this is the only one I saw come through the group.


At any rate, we are already using the cipher-suites feature, but in 
this case that's not enough. They are telling us that we actually have 
to be able to prioritize the order that the suites are negotiated on 
the server side.  The only cipher suites guaranteed not to have the 
BEAST attack issue are ones that aren't widespread yet (TLSv1.1); 
however, if we can put TLSv1.0 in a specific order, that will suffice 
for PCI compliance.


This bug for Tomcat addresses the issue and gives good details about a 
directive, SSLHonorCipherOrder, that handles the 
problem: https://issues.apache.org/bugzilla/show_bug.cgi?id=53481


Any other ideas for Resin?

Aaron

*From:* resin-interest-boun...@caucho.com 
[mailto:resin-interest-boun...@caucho.com] *On Behalf Of* Knut Forkalsrud

*Sent:* Tuesday, December 04, 2012 9:31 PM
*To:* General Discussion for the Resin application server
*Subject:* Re: [Resin-interest] BEAST SSL Attack

Actually, I got it wrong in my previous mail.  The feature should be 
working.


There is a ticket describing the feature: 
http://bugs.caucho.com/view.php?id=3593


On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud 
knut-cau...@forkalsrud.org wrote:


In the days of Resin 2.1.4 and onwards 
(http://www.caucho.com/resin-3.1/changes/changes-2.xtp) there was such 
a feature; however, it seems to have lapsed.  I remember because there 
was a similar issue with MSIE: 
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217.


In my good old copy of Resin 3.1.8 there are remains of the feature.

If you bring up the source code for 
com.caucho.vfs.JsseSSLFactory.create(host, port)


you will find a block of code commented out.

Then there was a second incarnation where you could specify cipher 
suites.  That seems to have died some time around Aug 2009 with the 
commit: 
https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java


I suspect you could get it going again if you have the fortitude to 
play around with Resin's source code and build your own.


Good luck,

Knut Forkalsrud

On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman 
aaron.free...@layerz.com wrote:


SSL BEAST









Re: [Resin-interest] BEAST SSL Attack

2013-01-02 Thread Aaron Freeman
Awesome, looking forward to it!

 

-a

 

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Scott Ferguson
Sent: Wednesday, January 02, 2013 3:37 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

 

On 1/2/13 11:58 AM, Aaron Freeman wrote:

We have now been scanned and been found to be non-compliant due to lack of
the ability to order ciphers.   Is there any timeframe we might expect even
a snapshot to have this capability?


I'll see if I can get a snapshot this week.

-- Scott




 

Thanks,

 

Aaron

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: Wednesday, December 05, 2012 10:51 AM
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] BEAST SSL Attack

 

Very good, I appreciate the feedback. 

 

Thanks,

 

Aaron

 

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Paul Cowan
Sent: Wednesday, December 05, 2012 9:02 AM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

 

Hi Folks,

 

Resin does not support SSLHonorCipherOrder yet.  We already received a
request from another customer and there is a feature request for this here:

 

http://bugs.caucho.com/view.php?id=5282

 

This is an OpenSSL feature, not JSSE.  We'll be implementing it in an
upcoming release.  Probably it will be in 4.0.44, as .43 is due for release
soon.

 

Thanks,

Paul

 

 

On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote:

 

Knut,

 

Thanks a bunch for your reply.   I saw you referencing another email you
sent, but this is the only one I saw come through the group.

 

At any rate, we are already using the cipher-suites feature, but in this
case that's not enough.   They are telling us that we actually have to be
able to prioritize the order that the suites are negotiated on the server
side.  The only cipher suites guaranteed not to have the BEAST attack issue
are ones that aren't widespread yet (TLSv1.1); however, if we can put TLSv1.0
in a specific order, that will suffice for PCI compliance.

 

This bug for Tomcat addresses the issue and gives good details about a
directive, SSLHonorCipherOrder, that handles the problem:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53481

 

Any other ideas for Resin?

 

Aaron

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Knut Forkalsrud
Sent: Tuesday, December 04, 2012 9:31 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

 

Actually, I got it wrong in my previous mail.  The feature should be
working.

There is a ticket describing the feature:
http://bugs.caucho.com/view.php?id=3593

 

On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud knut-cau...@forkalsrud.org
wrote:

In the days of Resin 2.1.4 and onwards
(http://www.caucho.com/resin-3.1/changes/changes-2.xtp) there was such a
feature; however, it seems to have lapsed.  I remember because there was a
similar issue with MSIE:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217.

 

In my good old copy of Resin 3.1.8 there are remains of the feature.

If you bring up the source code for
com.caucho.vfs.JsseSSLFactory.create(host, port)

you will find a block of code commented out.

 

Then there was a second incarnation where you could specify cipher suites.
That seems to have died some time around Aug 2009 with the commit:
https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java

 

I suspect you could get it going again if you have the fortitude to play
around with Resin's source code and build your own.

 

Good luck,

 

Knut Forkalsrud

 

 

On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman aaron.free...@layerz.com
wrote:

SSL BEAST

 

 


 


 







 



Re: [Resin-interest] BEAST SSL Attack

2012-12-05 Thread Aaron Freeman
Knut,

 

Thanks a bunch for your reply.   I saw you referencing another email you sent, 
but this is the only one I saw come through the group.

 

At any rate, we are already using the cipher-suites feature, but in this case 
that’s not enough.   They are telling us that we actually have to be able to 
prioritize the order that the suites are negotiated on the server side.  The 
only cipher suites guaranteed not to have the BEAST attack issue are ones that 
aren’t widespread yet (TLSv1.1); however, if we can put TLSv1.0 in a specific 
order, that will suffice for PCI compliance.

 

This bug for Tomcat addresses the issue and gives good details about a 
directive, SSLHonorCipherOrder, that handles the problem: 
https://issues.apache.org/bugzilla/show_bug.cgi?id=53481

 

Any other ideas for Resin?

 

Aaron

 

 

From: resin-interest-boun...@caucho.com 
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Knut Forkalsrud
Sent: Tuesday, December 04, 2012 9:31 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

 

Actually, I got it wrong in my previous mail.  The feature should be working.

There is a ticket describing the feature: 
http://bugs.caucho.com/view.php?id=3593

 

On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud knut-cau...@forkalsrud.org 
wrote:

In the days of Resin 2.1.4 and onwards 
(http://www.caucho.com/resin-3.1/changes/changes-2.xtp) there was such a 
feature; however, it seems to have lapsed.  I remember because there was a 
similar issue with MSIE: 
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217.

 

In my good old copy of Resin 3.1.8 there are remains of the feature.

If you bring up the source code for com.caucho.vfs.JsseSSLFactory.create(host, 
port)

you will find a block of code commented out.

 

Then there was a second incarnation where you could specify cipher suites.  
That seems to have died some time around Aug 2009 with the commit: 
https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java

 

I suspect you could get it going again if you have the fortitude to play around 
with Resin's source code and build your own.

 

Good luck,

 

Knut Forkalsrud

 

 

On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman aaron.free...@layerz.com wrote:

SSL BEAST

 

 



Re: [Resin-interest] BEAST SSL Attack

2012-12-05 Thread Paul Cowan
Hi Folks,

Resin does not support SSLHonorCipherOrder yet.  We already received a 
request from another customer and there is a feature request for this here:

http://bugs.caucho.com/view.php?id=5282

This is an OpenSSL feature, not JSSE.  We'll be implementing it in an upcoming 
release.  Probably it will be in 4.0.44, as .43 is due for release soon.

Thanks,
Paul


On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote:

 Knut,
  
 Thanks a bunch for your reply.   I saw you referencing another email you 
 sent, but this is the only one I saw come through the group.
  
 At any rate, we are already using the cipher-suites feature, but in this case 
 that’s not enough.   They are telling us that we actually have to be able to 
 prioritize the order that the suites are negotiated on the server side.  The 
 only cipher suites guaranteed not to have the BEAST attack issue are ones 
 that aren’t widespread yet (TLSv1.1); however, if we can put TLSv1.0 in a 
 specific order, that will suffice for PCI compliance.
  
 This bug for Tomcat addresses the issue and gives good details about a 
 directive, SSLHonorCipherOrder, that handles the problem: 
 https://issues.apache.org/bugzilla/show_bug.cgi?id=53481
  
 Any other ideas for Resin?
  
 Aaron
  
  
 From: resin-interest-boun...@caucho.com 
 [mailto:resin-interest-boun...@caucho.com] On Behalf Of Knut Forkalsrud
 Sent: Tuesday, December 04, 2012 9:31 PM
 To: General Discussion for the Resin application server
 Subject: Re: [Resin-interest] BEAST SSL Attack
  
 Actually, I got it wrong in my previous mail.  The feature should be working.
 There is a ticket describing the feature: 
 http://bugs.caucho.com/view.php?id=3593
  
 
 On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud knut-cau...@forkalsrud.org 
 wrote:
 In the days of Resin 2.1.4 and onwards there was such a feature; however, it 
 seems to have lapsed.  I remember because there was a similar issue with MSIE: 
 http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217.
  
 In my good old copy of Resin 3.1.8 there are remains of the feature.
 If you bring up the source code for 
 com.caucho.vfs.JsseSSLFactory.create(host, port)
 you will find a block of code commented out.
  
 Then there was a second incarnation where you could specify cipher suites.  
 That seems to have died some time around Aug 2009 with the commit: 
 https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java
  
 I suspect you could get it going again if you have the fortitude to play 
 around with Resin's source code and build your own.
  
 Good luck,
  
 Knut Forkalsrud
  
  
 
 On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman aaron.free...@layerz.com 
 wrote:
 SSL BEAST
  
  

===
Paul Cowan, Software Engineer
Caucho Technology
co...@caucho.com
http://blog.caucho.com
http://twitter.com/cauchoresin

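Aaron's requirement in the quoted mail is server-side cipher preference, and Paul's reply notes that SSLHonorCipherOrder is an OpenSSL/Apache directive rather than a JSSE feature. For readers who want to see what the same control looks like in plain JSSE, the following is an added example, not Resin or Caucho code and unrelated to Resin's cipher-suites setting: it uses SSLParameters.setUseCipherSuitesOrder(true), which Java 8 added (the Java 7 runtimes of this thread's era have no such setter, which is why the point about JSSE stood at the time). The preference list and the TLSv1.2-only protocol setting are constructed for illustration.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example, not Resin/Caucho code: the JSSE counterpart of Apache's
 * SSLHonorCipherOrder. By default JSSE picks the first suite in the client's
 * ClientHello order that the server also enables; setUseCipherSuitesOrder(true)
 * (Java 8 and later) makes the server's enabled-suite order win instead.
 */
public class ServerCipherOrder {

    /**
     * Server preference list, strongest first. Constructed for illustration;
     * a deployment would read it from configuration rather than hard-code it.
     */
    static final List<String> PREFERRED = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA");

    /**
     * Intersect the preference list with what this JVM supports, keeping the
     * preference order. A configured-but-unsupported suite would otherwise make
     * setCipherSuites() throw IllegalArgumentException at startup.
     */
    static String[] selectSuites(String[] supported, List<String> preferred) {
        Set<String> available = new HashSet<>(Arrays.asList(supported));
        List<String> chosen = new ArrayList<>();
        for (String suite : preferred) {
            if (available.contains(suite)) {
                chosen.add(suite);
            }
        }
        return chosen.toArray(new String[0]);
    }

    /** Apply protocol, suite list and server-side ordering to a listening socket. */
    static void harden(SSLServerSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        // The thread discusses ordering TLSv1.0 suites to satisfy a scanner;
        // this example simply does not offer TLSv1.0 or TLSv1.1 at all.
        params.setProtocols(new String[] {"TLSv1.2"});
        params.setCipherSuites(selectSuites(socket.getSupportedCipherSuites(), PREFERRED));
        // This is the SSLHonorCipherOrder equivalent in JSSE.
        params.setUseCipherSuitesOrder(true);
        socket.setSSLParameters(params);
    }

    /** Quick self-check: does the socket now prefer its own suite order? */
    static boolean honorsServerOrder(SSLServerSocket socket) {
        return socket.getSSLParameters().getUseCipherSuitesOrder();
    }

    public static void main(String[] args) throws IOException {
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        // Port 0 binds an ephemeral port; no handshake takes place in this demo,
        // so no key material is loaded here.
        try (SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(0)) {
            harden(socket);
            System.out.println("Enabled, in server preference order: "
                + Arrays.toString(socket.getEnabledCipherSuites()));
            System.out.println("Server order honored: " + honorsServerOrder(socket));
        }
    }
}
```

Compile and run with `javac ServerCipherOrder.java && java ServerCipherOrder` on Java 8 or later. A real server would build its SSLContext from a keystore and apply `harden()` to the socket (or the equivalent SSLParameters to an SSLEngine) before accepting connections. The setting is only observable from the outside: a client that lists the suites in a different order should still be steered to the server's first common suite, which is exactly what a PCI scanner of the kind described in the thread checks for.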


Re: [Resin-interest] BEAST SSL Attack

2012-12-05 Thread Aaron Freeman
Very good, I appreciate the feedback. 

 

Thanks,

 

Aaron

 

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Paul Cowan
Sent: Wednesday, December 05, 2012 9:02 AM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

 

Hi Folks,

 

Resin does not support SSLHonorCipherOrder yet.  We already received a
request from another customer and there is a feature request for this here:

 

http://bugs.caucho.com/view.php?id=5282

 

This is an OpenSSL feature, not JSSE.  We'll be implementing it in an
upcoming release.  Probably it will be in 4.0.44, as .43 is due for release
soon.

 

Thanks,

Paul

 

 

On Dec 5, 2012, at 8:13 AM, Aaron Freeman wrote:





Knut,

 

Thanks a bunch for your reply.   I saw you referencing another email you
sent, but this is the only one I saw come through the group.

 

At any rate, we are already using the cipher-suites feature, but in this
case that's not enough.   They are telling us that we actually have to be
able to prioritize the order that the suites are negotiated on the server
side.  The only cipher suites guaranteed not to have the BEAST attack issue
are ones that aren't widespread yet (TLSv1.1); however, if we can put TLSv1.0
in a specific order, that will suffice for PCI compliance.

 

This bug for Tomcat addresses the issue and gives good details about a
directive, SSLHonorCipherOrder, that handles the problem:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53481

 

Any other ideas for Resin?

 

Aaron

 

 

From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Knut Forkalsrud
Sent: Tuesday, December 04, 2012 9:31 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] BEAST SSL Attack

 

Actually, I got it wrong in my previous mail.  The feature should be
working.

There is a ticket describing the feature:
http://bugs.caucho.com/view.php?id=3593

 

On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud knut-cau...@forkalsrud.org
wrote:

In the days of Resin 2.1.4 and onwards
(http://www.caucho.com/resin-3.1/changes/changes-2.xtp) there was such a
feature; however, it seems to have lapsed.  I remember because there was a
similar issue with MSIE:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217.

 

In my good old copy of Resin 3.1.8 there are remains of the feature.

If you bring up the source code for
com.caucho.vfs.JsseSSLFactory.create(host, port)

you will find a block of code commented out.

 

Then there was a second incarnation where you could specify cipher suites.
That seems to have died some time around Aug 2009 with the commit:
https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java

 

I suspect you could get it going again if you have the fortitude to play
around with Resin's source code and build your own.

 

Good luck,

 

Knut Forkalsrud

 

 

On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman aaron.free...@layerz.com
wrote:

SSL BEAST

 

 


 


 



Re: [Resin-interest] BEAST SSL Attack

2012-12-04 Thread Knut Forkalsrud
In the days of Resin 2.1.4 and onwards
(http://www.caucho.com/resin-3.1/changes/changes-2.xtp) there
was such a feature; however, it seems to have lapsed.  I remember
because there was a similar issue with MSIE:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217.

In my good old copy of Resin 3.1.8 there are remains of the feature.
If you bring up the source code for
com.caucho.vfs.JsseSSLFactory.create(host, port)
you will find a block of code commented out.

Then there was a second incarnation where you could specify cipher suites.
That seems to have died some time around Aug 2009 with the commit:
https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java

I suspect you could get it going again if you have the fortitude to play
around with Resin's source code and build your own.

Good luck,

Knut Forkalsrud



On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman aaron.free...@layerz.com wrote:

 SSL BEAST


Re: [Resin-interest] BEAST SSL Attack

2012-12-04 Thread Knut Forkalsrud
Actually, I got it wrong in my previous mail.  The feature should be
working.
There is a ticket describing the feature:
http://bugs.caucho.com/view.php?id=3593


On Tue, Dec 4, 2012 at 7:00 PM, Knut Forkalsrud
knut-cau...@forkalsrud.org wrote:

 In the days of Resin 2.1.4 and onwards 
 (http://www.caucho.com/resin-3.1/changes/changes-2.xtp) there was such 
 a feature; however, it seems to have lapsed.  I remember
 because there was a similar issue with MSIE:
 http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305217.

 In my good old copy of Resin 3.1.8 there are remains of the feature.
 If you bring up the source code for
 com.caucho.vfs.JsseSSLFactory.create(host, port)
 you will find a block of code commented out.

 Then there was a second incarnation where you could specify cipher suites.
 That seems to have died some time around Aug 2009 with the commit:
 https://github.com/mdaniel/svn-caucho-com-resin/commit/96de31370ffd0153eb45fc49725a9b796bc11224#modules/resin/src/com/caucho/vfs/JsseSSLFactory.java

 I suspect you could get it going again if you have the fortitude to play
 around with Resin's source code and build your own.

 Good luck,

 Knut Forkalsrud



 On Mon, Dec 3, 2012 at 7:53 AM, Aaron Freeman aaron.free...@layerz.com wrote:

 SSL BEAST


