Summary: Support SSL_OP_CIPHER_SERVER_PREFERENCE / SSLHonorCipherOrder
Product: Tomcat Native
Reporter: Mike Noordermeer <mike>
Component: Library
Assignee: Tomcat Developers Mailing List <dev>
Bug Depends on: 53969
Attachments: Patch that adds SSLHonorCipherOrder option
Description Mike Noordermeer 2012-06-28 14:27:30 UTC
Currently, Tomcat Native does not have an equivalent of the mod_ssl SSLHonorCipherOrder directive and is thus vulnerable to the SSL BEAST attack. See http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslhonorcipherorder for the docs on this directive, and https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls on why and how it mitigates the BEAST attack.

Please incorporate an option named SSLHonorCipherOrder that sets the OpenSSL option SSL_OP_CIPHER_SERVER_PREFERENCE.

P.S., not sure whether to qualify this as a bug or an enhancement, but since it concerns a security issue I filed it as a bug.

P.S.2, I'm willing to create a patch myself, but since I don't have a Tomcat Native build env that will probably take some time... It's a really small change.
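As an added illustration (not part of this bug report, the attached patch, or Tomcat's own documentation), here is what the requested option looks like in a Tomcat server.xml once the fix from this thread is in place: an APR/native HTTPS connector without the attribute, and the same connector with SSLHonorCipherOrder="true", which sets SSL_OP_CIPHER_SERVER_PREFERENCE on the OpenSSL context. The certificate paths and the SSLCipherSuite value are placeholders chosen for this example; the version requirements are the ones stated in the comments of this bug.

```xml
<!-- server.xml: APR/native HTTPS connector (Http11AprProtocol).
     SSLHonorCipherOrder needs Tomcat 7.0.30+ or 6.0.37+ together with
     tcnative 1.1.25+ (versions taken from this bug's comments).
     Certificate paths and the cipher list are example placeholders. -->

<!-- Before: SSLHonorCipherOrder is absent and defaults to false, so the
     client's preference decides which cipher from the intersection of the
     two lists is used; the order given in SSLCipherSuite is not enforced. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/path/to/server.crt"
           SSLCertificateKeyFile="/path/to/server.key"
           SSLCipherSuite="HIGH:!aNULL:!MD5" />

<!-- After: SSLHonorCipherOrder="true" sets SSL_OP_CIPHER_SERVER_PREFERENCE
     on the OpenSSL context, so the first cipher in SSLCipherSuite that the
     client also supports is selected (the equivalent of mod_ssl's
     "SSLHonorCipherOrder on"). -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/path/to/server.crt"
           SSLCertificateKeyFile="/path/to/server.key"
           SSLHonorCipherOrder="true"
           SSLCipherSuite="HIGH:!aNULL:!MD5" />
```

The two connectors differ only in the SSLHonorCipherOrder attribute. The option by itself changes nothing about which ciphers are allowed; it only makes the server's ordering of SSLCipherSuite authoritative, so the mitigation is only as good as the order in which that list is written.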
Comment 1 Marcel Šebek 2012-08-01 18:01:25 UTC
Created attachment 29148 [details]
Patch that adds SSLHonorCipherOrder option

Actually, this can already be supported by current tcnative, but it needs to be added to Tomcat itself. I've created a patch (should fit both 7.x and 8.x sources). It is compile-tested only. Perhaps it would be a good idea to reassign this bug to a more appropriate project.
Comment 2 Christopher Schultz 2012-08-09 15:33:02 UTC
I'm looking at applying this, but I have to check on what SSLContext.setOptions does -- I think the patch will un-set previously-set options when setting SSL_HONOR_CIPHER_ORDER. Once I verify the behavior of SSLContext.setOptions, I'll make any necessary adjustments.
Comment 3 Christopher Schultz 2012-08-09 16:06:13 UTC
Nope, SSL_CTX_set_options (which is what SSLContext.setOptions calls) only flips the bit(s) passed into it, so the patch is fine.
Comment 4 Christopher Schultz 2012-08-09 16:32:25 UTC
Fixed in trunk and 7.0.x. Will be included in Tomcat 7.0.30. Proposed for 6.0.x.
Comment 5 Konstantin Kolinko 2012-10-05 11:55:55 UTC
Note that this feature requires an updated version of Tomcat Native. See bug 53969 for details.
Comment 6 Christopher Schultz 2012-12-20 23:11:54 UTC
(In reply to comment #5)
> Note that this feature requires an updated version of Tomcat Native.
> See bug 53969 for details.

Specifically, tcnative 1.1.25 or later.
Comment 7 Christopher Schultz 2013-01-17 20:48:07 UTC
Fixed in Tomcat 6.0.x. Will be in Tomcat 6.0.37.