JDK 1.6 SSL/TLS vulnerability

Similar Messages

• Is Firefox 7 affected by the current SSL/TLS vulnerability?

  This is one of many info updates with the issue:
  http://www.h-online.com/security/news/item/Microsoft-releases-fix-it-tools-for-SSL-TLS-vulnerability-1350457.html
  Thank you.
  Marc

  whidbeyben3 wrote:
  What is the actual word from Apple?  Are iOS6 users and MacOSX 10.8 and earlier users SAFE?
  iOS6 users -- Not safe.
  About the security content of iOS 6.1.6.
  About the security content of iOS 7.0.6.
  OS 10.8 users -- Safe.

• HT6147 is iOS 6 subject to the same SSL/TLS vulnerability?

  The news is blaring warnings about using iPhones, iPads, and Macs on shared networks because of a problem with SSL/TLS.  Apple's releases make it clear that iOS7 and Mac OSX 10.9 and specifically vulnerable to this.
  3rd party sites suggest the vulnerability was introduced recently in iOS7 and Mac OSX 10.9, but do not specifically exempt iOS 6 versions, or Mac OSX 10.8 and earlier.
  I went on the gotofail.com test page with my Mac on 10.8.5, and it said my client wasn't vulnerable, but a link on that website did suggest Safari on MacOSX 10.9 was vulnerable to a "BEAST" attack.  Firefox was not.
  My iPhone's are still on iOS6 because they are 4S's and I didn't want to suffer slowdowns from excessive iOS7 overhead for new special effects.  However, there doesn't appear to be any mechanism for updating iOS6 if these are also subject to the same vulnerability.  One third party web site did suggest that a fix for iOS6 was in the works, but my phones only show the iOS 7.0.6 update in the general settings. There is no option for an iOS6 update without switching entirely to iOS7.
  What is the actual word from Apple?  Are iOS6 users and MacOSX 10.8 and earlier users SAFE?

  whidbeyben3 wrote:
  What is the actual word from Apple?  Are iOS6 users and MacOSX 10.8 and earlier users SAFE?
  iOS6 users -- Not safe.
  About the security content of iOS 6.1.6.
  About the security content of iOS 7.0.6.
  OS 10.8 users -- Safe.

• I'm using my iPad with iOS v 6.1.3- is there a security patch for the SSL/TLS vulnerability for this, or do I have to go to 7.0.6?

  I'm using my iPad with iOS 6.1.3. Is there a security patch for this version, or do I have to update to iOS 7.0.6?

  There is an update for iOS 6... v6.1.6. But it is only available to iPhone 3GS and iPod touch 4th gen users. http://support.apple.com/kb/HT6146?viewlocale=en_US&locale=en_US
  For iPad, the highest supported os for iOS 6 is v6.1.3. If you want to get the security patch, you'll have to go to iOS 7.0.6.
  Hope this answers your question.
  ~Joe

• Web auth supporting fragmented SSL&TLS packets in 7.0.116?

  Dear collegues and Cisco experts.
  I hope anyone of you can reply if this is supported on thew current platform (WLC5508 sw rel 7.0.116)
  I have not been able to reproduce this myself, but some problems have been reported after mid january, when KB2585542 might be the culprit.
  Is the internal webauthentication portal in above platform able to handle this, or is s/w upgrade inevitable?
  Does WLC guest portal w high cipeher option handle the Fragmentation  of SSL/TLS application records, as described in the following RFCs:
  TLS 1.0: http://www.ietf.org/rfc/rfc2246.txt paragraph 6.2.1
  SSL 3.0: http://www.ietf.org/rfc/rfc6101.txt paragraph 5.2.1
  Environment
  Windows XP Professional SP3 clients with Internet Explorer 8
  Wireless lan controller cluster with redundant(2) webauthentication anchors (all AIR-CT5508-XXX-K9 sw rel 7.0.116)
  Microsoft statement
  "After installing MS12-006, you may experience authentication failure or loss of connectivity to some HTTPS servers. This issue occurs because this security update changes the way that records are sent to HTTPS servers. To address an information disclosure vulnerability, SChannel now implements certain ciphers used in SSL 3.0 and TLS 1.0 in a more secure fashion. The updated behaviour is fully compliant with the RFCs, but it is something that has generally not been used on the internet before
  There are two fixes involved: the SChannel fix makes the new behaviour available, and a fix included in the December Cumulative Update makes Internet Explorer request that more secure option. The behaviour will change only if both are present"
  Sincere regards
  Mats Nilson
     AIR-CT5508-100-K9

  Debug says your client is being requested to anchor but not moving passed that....
  So from the looks of things, this has nothing to do with DHCP. Instead, you are either trying to Anchor your clients to a non-existant anchor, or something is royally hosed with mobility.
  I'd suggest debug client   and "debug mobility handoff enable"  from this same WLC as well what ever other WLC your client is being sent to....

• Pandora message "Pandora believes your browser does not support modern SSL/TLS" and everything seems disabled on the site-how fix?

  I have been using Firefox for a long time as my browser and typically play Pandora while at my office most days. For the first time today I received a pop up message "Pandora believes your browser does not support modern SSL/TLS. Consider upgrading your browswer" when I logged on to Pandora. I checked and I am on the latest version of Mozilla Firefox. I am unable to control volume or log out of Pandora now. I did some google searches and found Mozilla disabled ssl3.0 due to a "Poodle" attack. Does that mean that I can no longer use Firefox as my browser when I want to listen to music on Pandora or is there "a fix"? Thanks!

  Mozilla Firefox as of Firefox 34 has the vulnerable SSL 3.0 disabled and only allows for TLS 1.0 at minimum to 1.2 now.
  https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
  So Pandora is incorrect if they believe Firefox is not safe to use.
  Actually Pandora potentially needs to do a bit of upgrading themselves.
  https://www.ssllabs.com/ssltest/analyze.html?d=www.pandora.com&s=208.85.40.50

• When is Apple fixing the Heartbleed TLS vulnerability?

  Its concerning that I don't see evidence of Apple's action in response to being informed of the Heartbleed TLS vulnerability.
  It allows external access to SSL keys, passwords, accounts, and etc in memory.
  I'm hoping Apple has been secretly rushing a patch and that I will see it today or tomorrow.
  Does anyone have information on Apple progress?
  Thanks,
  Rich
  PS. There should be a security category.

  No worries. Its clear. All input was very helpful.
  Apple has no fix expected.
  Apple is secure as always.
  It is one of the many reasons I use Apple laptops for development.
  (Though I wish my MacBook Pro had way more RAM like 64GB or 128GB).
  Apple is missing an opportunity, though.
  This situation is actually a perfect time for Apple to brag about its security, by identifying that Heartbleed does not affect normal Apple users, unless the access a vulnerable site. And that developers are only at risk if the open source projects pull in OpenSSL 1.0.1 or 1.0.2beta. Easy to do and great for Apple's reputation.
  Consumers would hear "Apple good" and "World scary".
  Like any dangerous event, the Heartbleed alarm in the various communities is a little bit like yelling fire in the theater and management's response after.
  People have to be sure the alarm is false or does not affect them.
  If management speaks up, the problem is over.
  If management does not, then all the individuals run around avoiding the problem or assessing the problem for themselves. The latter is less efficient and more stressful.
  I spent serveral hours figuring out where I had to look to determine the scope and risk.
  All of the answers above, were very helpfull and reduced the scope of my effort.
  Thanks for all the input.
  There was no formal statement from Apple clarifying the issue. (At least none I could find)
  In fact some of today's security announcements (3pm 4/8/14) had complained that Apple
  had not responded to emails.
  Apple is not responsible for responding to all emails.
  And not all posts, even on stack overflow, are accurate.
  But in certain scenarios, a communication event is beneficial.
  It woud have saved me hours, this community thread, the time of all who contributed here, and the time of all who read here.
  BTW: Mcafee scans sites and can assess risk while you are browsing, but the local virus detection is not as good as others.
  BTW: Has anyone checked this site for the SSL version? (joke)
  Cheers!
  Rich

• Disable SSL/TLS renegotiation

  Is it possible to disable SSL/TLS renegotiation in SJSWS 7.0?
  I'm asking because of the recently published SSL/TLS protocol flaw (CVE-2009-3555) described here: [http://extendedsubset.com/?p=8|http://extendedsubset.com/?p=8]
  Thanks and regards,
  Jostein Tveit.

  The TLS Renegotiation vulnerability is now addressed in Sun Web Server 7.0u7.
  For more details, please refer to
  [http://blogs.sun.com/jyrivirkki/entry/more_thoughts_on_web_server|http://blogs.sun.com/jyrivirkki/entry/more_thoughts_on_web_server] , forum announcement
  [http://forums.sun.com/thread.jspa?threadID=5420698&tstart=0|http://forums.sun.com/thread.jspa?threadID=5420698&tstart=0] and
  the blog [http://blogs.sun.com/webtier/entry/sun_web_server_7_0u7|http://blogs.sun.com/webtier/entry/sun_web_server_7_0u7] .

• Configuração SLL/NFe - PI para recebimento de e-mails usando SSL/TLS

  Usamos o GRC/SLL 10 NFe  - SP16  para emissão / recebimento de NFes.
  Estamos migrando nosso exchange 2003 para exchange 2010 e existe a necessidade de aumentarmos a segurança.
  Alguem poderia nos ajudar ? temos que usar o SSL/TLS -
  Existe alguma opção al´me de Plain/MD5 ? Podemos usar outro tipo de encriptação ?
  Agradeço desde já a ajuda de todos

  Boa tarde Daniela,
  Ao meu ver, a configuração dos dois ambientes da SEFAZ (Hom/Prod) em um mesmo ambiente PI (Dev, por ex) é desnecessária e acaba dobrando o esforço de configuração e é passível de erro.
  Após a primeira implementação, onde usei essa prática descrita por você, vi que não fazia sentido, já que após o transporte dos objetos de DEV para QAS, tive que refazer toda a configuração de canal de comunicação duas vezes (Homologação e Produção). Quando transportei para Produção, o mesmo tormento. Os canais produtivos em DEV/QAS nunca foram utilizados -- ainda bem, pois isto é o correto. O mesmo em produção -- canais de homologação nunca foram utilizados e apenas serviam de peso morto no ambiente.
  Agora, se na sua empresa você possui alguma ferramenta de transporte dos objetos do Directory que leva todos os canais de comunicação com os seus devidos valores, sem ter a necessidade de preenchê-los logo após o transporte (tenho isso no cliente atual - viva a API do Directory), aí as coisas mudam de figura.
  A recomendação que eu dou é de sempre configurar os cenários da maneira mais simples e genérica possível (Srv_SEFAZ_SP ao invés de Srv_SEFAZ_SP_HOM), utilizando a última versão do PI e configurar os cenários utilizando ICO.
  []'s
  JN

• The difference between SSL & TLS

  dear experts,
  i need to know The difference between SSL & TLS and in which situations i should i have to use them.
  thanks
  Labib Makar

  Labib,
  At a 10,000 foot level v3.0 was superceded by . v1.0.
  TLSv1.0 (RFC 4346) was an upgrade to SSL v3.0 (but they don't interoperate)
  This "Cisco.com document" describes the workings of both in some detail:  SSL: Foundation for Web Security
  it states this as some basic differences:
  TLS uses slightly different cryptographic algorithms for such things as the MAC function generation of secret keys. TLS also includes more alert codes.
  Also See: Wikipedia TLS
  As far as which to use, it would depend on if both sides (server/client) support each?  TLS v1.0 or v1.1 is newer.
  Most modern Browsers tend to support both.
  i.e.
  Firefox 3.5.7 supported both SSL v3.0 and TLS v1.0
  Internet Explorer v6 supported both SSLv2, SSLv3, TLS v1.0
  etc.
  Hope that helps.
  Steve Ochmanski

• TF215097: An error occurred while initializing a build for build definition : Could not establish trust relationship for the SSL/TLS secure channel

  Hello,
  We are facing an issue when triggering a new build using TFS 2013 Update 4, VS2013 Update 4 using TFVCTemplate.12.XAML template. All our other older build definitions just work fine but not the TFVCTemplate.12.XAML.  It seems to me that some certificate
  might be invalidated. Can anyone please point me in the right direction? 
  Thanks, 
  Mitul
  TF215097: An error occurred while initializing a build for build definition :
  Exception Message: One or more errors occurred. (type AggregateException)
  Exception Stack Trace: at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
  at Microsoft.TeamFoundation.Build.Client.FileContainerHelper.GetFile(TfsTeamProjectCollection projectCollection, String itemPath, Stream outputStream)
  at Microsoft.TeamFoundation.Build.Client.FileContainerHelper.GetFileAsString(TfsTeamProjectCollection projectCollection, String itemPath)
  at Microsoft.TeamFoundation.Build.Client.ProcessTemplate.Download(String sourceGetVersion)
  at Microsoft.TeamFoundation.Build.Hosting.BuildControllerWorkflowManager.PrepareRequestForBuild(WorkflowManagerActivity activity, IBuildDetail build, WorkflowRequest request, IDictionary`2 dataContext)
  at Microsoft.TeamFoundation.Build.Hosting.BuildWorkflowManager.TryStartWorkflow(WorkflowRequest request, WorkflowManagerActivity activity, BuildWorkflowInstance& workflowInstance, Exception& error, Boolean& syncLockTaken)
  Inner Exception Details:
  Exception Message: An error occurred while sending the request. (type HttpRequestException)
  Exception Stack Trace: at Microsoft.VisualStudio.Services.WebApi.VssHttpRetryMessageHandler.<SendAsync>d__1.MoveNext()
  --- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
  at Microsoft.VisualStudio.Services.WebApi.HttpClientExtensions.<DownloadFileFromTfsAsync>d__2.MoveNext()
  Inner Exception Details:
  Exception Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. (type WebException)Exception Stack Trace: at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
  at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
  Inner Exception Details:
  Exception Message: The remote certificate is invalid according to the validation procedure. (type AuthenticationException)
  Exception Stack Trace: at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
  at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)

  Hi Mitul,
  Thanks for your reply.
  It’s strange, if your old build definitions can work using the same TFS Build Server, that indicate your TFS Server configuration is correct and can works. But only new build definition with default TfvcTemplate.12.xaml template cannot build successful.
  Please share your TFS Server detailed environment information here. And share your
  Build Service Properties dialog screenshot here.
  Try to clean the Cache for TFS 2013 manually(delete the content of the folder only, not the cache folder itself):
  Clean the Cache folder on Server machine. The folder path is:
  C:\Program Files\Microsoft Team Foundation Server 12.0\Application Tier\Web Services\_tfs_data.  
  After cleaned, on Server machine, click Start and select
  Run… to open the dialog box, then input iisreset.exe and click OK, wait it run completely.
  Additionally, you can run the TFS 2013 Power Tools BPA to scan the installation of your TFS Server.
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• SSL/TLS clients binds fail to Solaris 10 06/06 DS5.2p4 Server

  hello all,
  this is a bizarre issue that i think is related to the solaris version that is running on the directory server, at least this appears to the the issue. i have 2 SunDS servers running solaris 10 06/06 and the other solaris 10 01/06 with DS5.2p4. both have SSL enabled, the certs i signed with my own CA which i maintain with tinyca2. the directory starts fine and is listening on both 389(ldap) and 636(ldaps). i am able to successfully bind to both servers on the non-secure ports fine, commands like getent, finger, id are pulling the people from the directory. when i enable the clients to use ssl/tls those same commands fail against the solaris 10 06/06 machine but NOT the solaris 10 01/06 server. on the linux machines i'm getting "nscd: pam_ldap: could not search LDAP server" errors and on the solaris machines "Mesg: openConnection: failed to initialize TLS security" and "libsldap: Status: 7 Mesg: Session error no available conn."
  using "ldapsearch -x -ZZ" from the clients is successful to both systems, and i can use "openssl s_client" to view the certs fine. another bizzare occurance is when i do "getent passwd" i see the local and ldap users but "getent passwd ldap_user" will return nothing. again this are against the solaris 10 06/06 machine.
  has anyone see this before? i'm going to open a service request for sun on this but i wanted to see if anyone else has run into this.

  there was a problem with the certificate db which was causing this.

• SSL/TLS ciphers of an SMA (M-series) appliance

  So SMA does not include sslconfig CLI command. We cannot reonfigure SSL/TLS ciphers as we do for ESA (C-series) appliances. Once I got instructions from TAC support telling, that I must download config file from SMA, edit those cipher parameters manually and then upload it back to the appliance. Is this still the only way to do it with SMA 8.1.1, 8.30 and 8.3.5?
  If we download the config file and do the changes, can we use sslconfig CLI command and there VERIFY subcommand of an ESA appliance to verify that a planned cipher set would surely work in a SMA appliance? I think I might be interested in cipher set
  MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
  Is the proper parameter to be changed named ssl_gui_ciphers? Does it cover only the management web GUI or also spam quarantine web GUI? Not interested in STARTTLS SMTP ciphers at this point. As s default, those SSL ciphers are set as:
    <ssl>
      <ssl_inbound_method>sslv3tlsv1</ssl_inbound_method>
      <ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_inbound_ciphers>
      <ssl_outbound_method>sslv3tlsv1</ssl_outbound_method>
      <ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_outbound_ciphers>
      <ssl_gui_method>sslv3tlsv1</ssl_gui_method>
      <ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_gui_ciphers>
    </ssl>
  After fixing a locally downloaded config file and loading it back to SMA, will the config file load require a reboot? Are our safelists/blocklists, logs, message tracking, scheduled reports, spam quarantine content safe and we will not lost anything? So all we plan to change in config file, are the cipher settings.
  Testing a SMA spam quarantine https service with Qualys Inc. SSL labs test service opened my eyes on this case:
  https://www.ssllabs.com/ssltest/analyze.html

  I believe you already got an answer back on this with the direct support case that was opened... but just to verify and follow-up on the forums side... without FIPS enabled, you can run sslconfig > verify and get the following output for FIPS:-aNULL
  []> FIPS:-aNULL
  DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
  DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
  AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
  DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
  DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
  AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
  EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
  EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
  DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
  -Robert

• SSL/TLS POP/SMTP setting 6270 ?

  Hi All,
  I recently purchased Nokia 6270 and I do have GPRS connection working well for WAP sites and for Internet access on my laptop.
  I have been trying to configure my GMAIL account on the email client provided with 6270. Gmail pop/smtp access required secure connection SSL/TLS and I could not find any place to set SSL or TLS YES. in personal configuration, there is everything to set except these.
  It was there in old Motorola E398..The settings are really confusing.
  If anybody has accessed/configured GMAIL on 6270, please help..
  Cheers
  Rajiv

  you are right that I should have checked it before buying, I think you can expect such a small feature from a highend mobile. Nokia do claim it as highend mobile. I randomly looked at some of the mobile from different makes today and all of the high end mobiles have this feature.
  And by the way all the email clients do contains feature for specifying SSL or TLS.
  Does that means that 40 series is missing this feature because that is only provided in 60 series. Or is there any logical reason behind it.
  Is there any software version update that can provide this feature. I have Version 03.65 19-12-05 RM-56

• SSL/TLS security certificate data match with XML Payload in SAP PI

  Hi,
  We are working on a solution where we would want to use SSL/TLS or WS Security with client server mutual authentication using client server certificates.
  But, once the sender is authenticated using the certificates, can the XML payload be matched for the correctness with the certificate information? Is this available to PI integration engine at any time? Like Sender A autheticated as A using certificates, must be stopped if his XML payload is saying that he is sender B (which is most unlikely if we trust the senders but did not want to leave a loophole).
  Any ideas here?
  Thanks and Regards,
  Vijay

  Hi Wolfgang,
  Cross-posting is discouraged and against the forum rules, because it is misused and makes a mess of the search due to distributed discussions and answers.
  I will move it to the PI forum and add a watch on it as it is security forum related.
  Unfortunately, the forum software does not have the option to "mirror" threads.
  Cheers,
  Julius
  Edited by: Julius Bussche on Sep 14, 2009 9:50 PM