Hi,

Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x? For more info about this attack: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
My thoughts and questions, as far as I have investigated this issue:

- Disabling the TLS1.0 protocol would be too restrictive, because there are still browser versions in use that don't support TLS1.1 or TLS1.2.
- Should we restrict the ciphers in use? If so, which ones should we offer for Tomcat 7.X over JVM1.6 and using a GeoCerts certificate (which means JSSE instead of OpenSSL)?
- Will upgrading to the latest JVM (as of today, Sept 14th 2012) solve this issue?

Thanks in advance.