Thanks a lot for the tip, Edward. I will research it. However, I would have to stop using JSSE in Tomcat and start using APR. Maybe I should; I really don't know if it is supposed to be better than JSSE, but I will investigate.
On Sat, Sep 15, 2012 at 10:10 AM, Edward Bicker <g...@travelin.com> wrote:

> Yeah, but I thought OpenSSL had a patch for this that worked.
> Read...#2635: 1/n-1 record splitting technique for CVE-2011-3389
>
> -----Original Message-----
> >From: Brian Braun <brianbr...@gmail.com>
> >Sent: Sep 14, 2012 11:12 PM
> >To: Tomcat Users List <users@tomcat.apache.org>
> >Subject: Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x
> >
> >Hi,
> >
> >Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x?
> >For more info about this attack:
> >http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
> >
> >My thoughts and questions, as far as I have investigated this issue:
> >
> >- Disabling the TLS1.0 protocol would be too restrictive, because there are
> >  still browser versions in use that don't support TLS1.1 or TLS1.2.
> >- Should we restrict the ciphers in use? If so, which ones should we offer
> >  for Tomcat 7.X over JVM1.6 and using a GeoCerts certificate (which means
> >  JSSE instead of OpenSSL)?
> >- Will upgrading to the latest JVM (as of today, Sept 14th 2012) solve this
> >  issue?
> >
> >Thanks in advance.