Hi Mark, I was really interested in your advice. I'm glad you answered, thanks!

I'm trying not to disable TLS1.0 because I did a site that is being used by unknown people over the internet, and I don't know how many of them are using a browser that only works with TLS1.0.

Where can I get the list of all available ciphers for Sun JVM 6 update 35? I would like to get the complete list, and then remove the CBC ones. Right now I'm using just 3, of which one uses CBC:

ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"

Besides removing the last one, which ones should I add?
On Sat, Sep 15, 2012 at 2:57 AM, Mark Thomas <ma...@apache.org> wrote:
> Brian Braun <brianbr...@gmail.com> wrote:
>
> > Hi,
> >
> > Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x?
> > For more info about this attack:
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
> >
> > My thoughts and questions, as far as I have investigated this issue:
> >
> > - Disabling the TLS1.0 protocol would be too restrictive, because there are still browser versions in use that don't support TLS1.1 or TLS1.2.
> > - Should we restrict the ciphers in use? If so, which ones should we offer for Tomcat 7.X over JVM1.6 and using a GeoCerts certificate (which means JSSE instead of OpenSSL)?
>
> Any strong ciphers available with your JVM that don't use CBC.
>
> > - Will upgrading to the latest JVM (as of today, Sept 14th 2012) solve this issue?
>
> Unlikely. What it may do is give you more cipher options. Java 7 also - I think but haven't checked my recollection - supports the later TLS versions.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
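As an added example that is not part of either message: a small Java 6-compatible program that asks the running JSSE provider for every cipher suite it supports, drops the CBC ones (and, as a conservative filter of my own, the NULL, anonymous, export-grade, Kerberos and renegotiation-SCSV entries), and prints what is left in the comma-separated form Tomcat's Connector `ciphers` attribute expects.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Lists the non-CBC cipher suites of the JVM this program runs under.
// Run it with the same JVM that Tomcat uses, since the list differs per version.
public class ListNonCbcCiphers {

    // Returns true for suites worth offering: no CBC mode, and none of the
    // weak or unusable pseudo-suites JSSE also reports (assumed filter, not
    // taken from the thread).
    static boolean isCandidate(String suite) {
        if (suite.contains("_CBC_")) return false;            // BEAST-affected mode
        if (suite.contains("_NULL_")) return false;           // no encryption
        if (suite.contains("_anon_")) return false;           // no authentication
        if (suite.contains("_EXPORT")) return false;          // 40/56-bit keys
        if (suite.contains("_KRB5_")) return false;           // needs Kerberos infra
        if (suite.endsWith("_SCSV")) return false;            // signalling value, not a cipher
        return true;
    }

    // Filters a list of suite names; kept separate so it is easy to test.
    static List<String> nonCbc(String[] supported) {
        List<String> keep = new ArrayList<String>();
        for (String s : supported) {
            if (isCandidate(s)) keep.add(s);
        }
        return keep;
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory f = SSLContext.getDefault().getSocketFactory();
        String[] supported = f.getSupportedCipherSuites();   // everything JSSE can do
        String[] enabled = f.getDefaultCipherSuites();       // what it enables by default
        List<String> keep = nonCbc(supported);

        System.out.println("Supported by this JVM : " + supported.length);
        System.out.println("Enabled by default    : " + enabled.length);
        System.out.println("Non-CBC candidates    : " + keep.size());
        for (String s : keep) {
            String mark = Arrays.asList(enabled).contains(s) ? " (default)" : "";
            System.out.println("  " + s + mark);
        }

        // Ready to paste into <Connector ... ciphers="..."> in server.xml.
        StringBuilder sb = new StringBuilder();
        for (String s : keep) {
            if (sb.length() > 0) sb.append(',');
            sb.append(s);
        }
        System.out.println("ciphers=\"" + sb + "\"");
    }
}
```

On a Java 6 JSSE the suites that survive this filter are essentially the RC4 ones already in the connector above; AES-GCM suites, the other non-CBC option, only appear in later JVMs, which is the "more cipher options" Mark refers to.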