On 26/02/2013 03:09, Robert Klemme wrote:
> On Tue, Feb 26, 2013 at 2:27 AM, Mark Thomas <ma...@apache.org> wrote:
>> On 25/02/2013 08:42, Robert Klemme wrote:
>>> I have been confronted with a Nessus scan result which claims
>>> vulnerability to exploit "TLS CRIME". Plugin 62565 allegedly has found
>>> this and the report states:
>>>
>>> We have in server.xml:
>>>
>>> <Connector SSLCertificateFile="/path" SSLCipherSuite="*******"
>>> protocol="HTTP/1.1" connectionTimeout="20000"
>>> SSLCertificateKeyFile="/path" secure="true" scheme="https"
>>> maxThreads="500" port="4712" maxSavePostSize="0" server="***"
>>> SSLProtocol="TLSv1" maxPostSize="2048" URIEncoding="UTF-8"
>>> SSLEnabled="true" />
>>
>> That is the APR/native HTTPS connector.
>>
>>> So one solution would be to remove APR lib from the system.
>>
>> Yes, although you will see performance for SSL drop.
>>
>>> Another one would be to change above to
>>>
>>> <Connector SSLCertificateFile="/path" SSLCipherSuite="*******"
>>> protocol="org.apache.coyote.http11.Http11Protocol" connectionTimeout="20000"
>>> SSLCertificateKeyFile="/path" secure="true" scheme="https"
>>> maxThreads="500" port="4712" maxSavePostSize="0" server="***"
>>> SSLProtocol="TLSv1" maxPostSize="2048" URIEncoding="UTF-8"
>>> SSLEnabled="true" />
>>>
>>> and add all necessary configurations to make that work. And I guess a
>>> third option is to use
>>
>> Yes, with the same performance issue.
>>
>>> export OPENSSL_NO_DEFAULT_ZLIB=1
>>> before starting the JVM.
>>
>> I don't know if OpenSSL will honour that.
>>
>> APR/native does. An option was recently added. See:
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=54324
>
> I found that but wasn't aware that this is actually used in Tomcat.

SSLDisableCompression on the APR connector as of 7.0.37

>> There is no 6.0.x release with the necessary options yet.
>
> Do you know whether there will be?

There will be but I'm not aware of any planned timing at this point. The
changelog isn't that long but it has been a while since the last release
so I guess we should start thinking about it.

Mark
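A way to confirm the fix from the outside, as an added example that is not part of the thread: whichever remedy is applied (SSLDisableCompression="true" on the APR connector in 7.0.37+, switching to the non-APR connector, or exporting OPENSSL_NO_DEFAULT_ZLIB=1), the server should stop negotiating TLS-level compression, and the "Compression:" line that `openssl s_client` prints after the handshake shows whether it still does. The helper names, the host name and the two sample excerpts below are constructed; only the `openssl` binary and port 4712 from the thread are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a Tomcat HTTPS endpoint no
# longer negotiates TLS compression after the CRIME-related changes discussed
# above. Assumes `openssl` is on PATH; the host name is a placeholder.

# Read `openssl s_client` output on stdin and print the negotiated compression
# method from the first "Compression:" line ("NONE" when none was negotiated),
# or "unknown" when no such line exists (handshake failed, output truncated).
tls_compression_method() {
    method=$(sed -n 's/^ *Compression: *//p' | head -n 1)
    if [ -n "$method" ]; then
        printf '%s\n' "$method"
    else
        printf 'unknown\n'
    fi
}

# Exit status: 0 = compression negotiated (server still exposed),
#              1 = "NONE" (fixed), 2 = output could not be interpreted.
tls_compression_enabled() {
    case "$(tls_compression_method)" in
        NONE)    return 1 ;;
        unknown) return 2 ;;
        *)       return 0 ;;
    esac
}

# Probe a live endpoint, e.g.: check_tls_compression tomcat.example.internal 4712
check_tls_compression() {
    out=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null)
    printf '%s:%s compression: %s\n' "$1" "$2" \
        "$(printf '%s\n' "$out" | tls_compression_method)"
    printf '%s\n' "$out" | tls_compression_enabled
}

# Constructed s_client excerpts (the lines printed after the handshake) for a
# server that still negotiates zlib and for one that does not.
SAMPLE_ZLIB='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression'
SAMPLE_NONE='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE'
```

The probe only proves something when the client's own OpenSSL still offers compression; a client built without zlib support never asks for it and will report NONE regardless of the server's state, so run it from a client known to offer compression.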