tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: svn commit: r834544 - /tomcat/tc6.0.x/trunk/STATUS.txt
Date Wed, 11 Nov 2009 09:36:24 GMT
2009/11/10  <markt@apache.org>:
> Author: markt
> Date: Tue Nov 10 16:57:29 2009
> New Revision: 834544
>
> URL: http://svn.apache.org/viewvc?rev=834544&view=rev
> Log:
> Proposal for cve-2009-3555 work-around
>
> Modified:
>    tomcat/tc6.0.x/trunk/STATUS.txt
>
> +
> +* Disable TLS renegotiation be default with an option to re-enable it
> +  Based on Costin's patch for trunk with Mark's modifications
> +  http://people.apache.org/~markt/patches/2009-11-10-cve-2009-3555-tc6.patch
> +  +1: markt
> +  -1:

My understanding of the patch is that it disables any renegotiation,
either client-initiated or server-initiated, for connectors based on
JSSE.

Shouldn't there be an option to selectively enable server-initiated
renegotiation? E.g., to reset the listener if we are really expecting
a re-handshake, like JSSESupport class does with its handshake
listener in JSSESupport#handShake().


Also, just a note, my understanding is that it won't help for Nio
connectors (those using the second constructor of JSSESupport class,
where there is session, but no socket).  Those are ultimately based on
SecureNioChannel class and javax.net.ssl.SSLEngine.
Something else should be needed there.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message