I'm attempting to mitigate BEAST (CVE-2011-3389) attacks on Tomcat 6.0.35. My understanding is that the attack applies only to CBC ciphers, and that RC4 ciphers are not vulnerable, so I am attempting to restrict the set of ciphers that Tomcat uses with the following config for a connector:
<Connector protocol="HTTP/1.1" SSLEnabled="true" address="0.0.0.0" port="8443" maxThreads="150" scheme="https" secure="true" keystoreFile="/path/to/keystore" keystoreType="pkcs12" ciphers="TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, SSL_CK_RC4_128_WITH_MD5" clientAuth="false" sslProtocol="TLS" /> However, when I test this by attempting connections with a script[*] that iterates through the set of ciphers available to openssl, it appears to successfully connect with the following set of ciphers: AES128-SHA DES-CBC-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA EDH-RSA-DES-CBC-SHA EDH-RSA-DES-CBC3-SHA EXP-DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-RC4-MD5 EXP-RC4-MD5 RC4-MD5 RC4-MD5 RC4-SHA [*] The script basically parses the output of the following command: openssl s_client -cipher "$cipher" -connect $SERVER Am I misunderstanding the use of the "ciphers" parameter? Or is there perhaps something in my testing methodology that accounts for these unexpected results? Any advice would be appreciated. Aloha, -baron -- Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services minutas cantorum, minutas balorum, minutas carboratum desendus pantorum --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org