-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
James,
On 8/9/16 12:36 PM, James H. H. Lampert wrote:
> On 8/9/16, 9:25 AM, Christopher Schultz wrote:
>> There /is/ a POODLE variation which is against TLS 1.0 - 1.2 [1].
>> If SSLv3 is completely disabled (TLS1.0 is okay), then you
>> aren't vulne
On 8/9/16, 9:25 AM, Christopher Schultz wrote:
There /is/ a POODLE variation which is against TLS 1.0 - 1.2 [1]. If
SSLv3 is completely disabled (TLS1.0 is okay), then you aren't
vulnerable to "classic" POODLE. If you aren't using CBC-based cipher
suites with TLS1.0 - TLS1.2, then you should be o
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
James,
On 8/8/16 2:31 PM, James H. H. Lampert wrote:
> Hmm. This is interesting.
>
> pentest-tools.com says that neither our server nor the customer
> server is vulnerable to POODLE.
>
> But Site24x7.com says ours IS vulnerable to POODLE. Then (wh
Vulnerability scanners are always iffy when it comes to finding actual
issues IMO. They're good for running a quick scan to get an overall
feel for weaknesses, but the effectiveness varies from tool to tool
(some only check versions, etc). I think that the best way to test if
you're vulnerable to P
Hmm. This is interesting.
pentest-tools.com says that neither our server nor the customer server
is vulnerable to POODLE.
But Site24x7.com says ours IS vulnerable to POODLE. Then (when I click
"View Result") it says it isn't. Then (when I actually run the test
again) it once again says it is
On 8/8/16, 10:32 AM, Coty Sutherland wrote:
So you've already mitigated POODLE and the scanner is just
complaining about your TLS version.
Or SSLLabs isn't actually checking to see if it can connect via SSLv3:
At present, SSL Labs has the following limitations:
In general, cipher suite suppor
So you've already mitigated POODLE and the scanner is just complaining
about your TLS version. Unfortunately, TLSv1.0 is the only TLS
protocol version available on java6, unless your on u111 (from
https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https).
If you need TLSv1.2,
On 8/8/16, 9:59 AM, Coty Sutherland wrote:
To mitigate POODLE you must disable SSLv3 and only use TLS. Please
visit the wiki page for more info:
https://wiki.apache.org/tomcat/Security/POODLE
Actually, I found that on my own, only a few minutes after I posted my
question.
So would the existi
> Except for one. It seems that whoever is doing the customer's security audit
> is concerned with POODLE vulnerability.
To mitigate POODLE you must disable SSLv3 and only use TLS. Please
visit the wiki page for more info:
https://wiki.apache.org/tomcat/Security/POODLE
On Mon, Aug 8, 2016 at 12:
On 7/27/16, 11:59 AM, Mark Thomas wrote:
ciphers="SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA"
Ladies and Gentlemen:
Thanks, Mark; that raises the SSLLabs rating from "F" to "C," and seems
to have dealt with most of the concerns raised by the customer.
Except for one. It seem
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
James,
On 7/27/16 5:03 PM, James H. H. Lampert wrote:
> On 7/27/16, 11:59 AM, Mark Thomas wrote:
>> Note since you are on Java 6 you can't force the server
>> preference order on the client. You might want to drop the 128
>> bit version.
>
> Thanks.
On 7/27/16, 11:59 AM, Mark Thomas wrote:
Note since you are on Java 6 you can't force the server preference order
on the client. You might want to drop the 128 bit version.
Thanks. That brings our own server up from an "F" rating on SSLLABS.COM
to a "C."
--
JHHL
On 27/07/2016 19:05, James H. H. Lampert wrote:
> On 7/27/16, 9:20 AM, Mark Thomas wrote:
>> Note the results on the Wiki are the defaults with 7.0.69 which will be
>> better than the defaults for 7.0.67. You should be able to achieve the
>> same results with 7.0.67 by specifying specific ciphers.
On 7/27/16, 9:20 AM, Mark Thomas wrote:
Note the results on the Wiki are the defaults with 7.0.69 which will be
better than the defaults for 7.0.67. You should be able to achieve the
same results with 7.0.67 by specifying specific ciphers.
I just entered, compiled, and ran the Java test program
On 7/27/16, 9:20 AM, Mark Thomas wrote:
Take a look at this:
http://wiki.apache.org/tomcat/Security/Ciphers
I've done some further research, and according to cve.mitre.org,
CVE-2015-0204 appears to be very specific to OpenSSL. CVE-2015-4000, on
the other hand, appears to be a problem.
Tomc
On 27/07/2016 17:01, James H. H. Lampert wrote:
> I was just forwarded a vulnerability report from one of our customers,
> who is on 7.0.67 (as are we), with Java SSL, not OpenSSL (again, as are
> we). The gist of it is below.
>
>> SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) (CVE-2015-400
16 matches
Mail list logo
