tomcat-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: SSL & Tomcat
Date Mon, 09 Nov 2009 15:24:26 GMT
On 09.11.2009 11:56, Mark Thomas wrote:
> Summarising the information gathered so far from various channels
> (thanks to Bill B., Bill W. & Rainer who have done most of the actual
> work to find the info below).
> 
> BIO/NIO connectors using JSSE.
> Vulnerable when renegotiation is triggered by the client or server.
> We could prevent server initiated renegotiation (and probably break the
> majority of configurations using CLIENT-CERT).
> We can't do anything to prevent client initiated renegotiation.
> 
> APR/native connector using OpenSSL
> It is vulnerable when renegotiation is triggered by the client or by the
> server.
> Client triggered negotiation is supported.
> Server triggered negotiation will be supported from 1.1.17 onwards.
> 
> OpenSSL 0.9.8l disables negotiation by default
> 
> 
> In terms of what this means for users:
> 
> BIO/NIO
> - There isn't anything we can do in Tomcat to stop client
>   initiated renegotiation so it is a case of waiting for the JVM
>   vendors to respond.
> 
> APR/native
> - Re-building their current version with 0.9.8l will protect
>   users at the risk of breaking any configurations that
>   require renegotiation.
> - We can release 1.1.17 with the binaries built with 0.9.8l. This
>   will also protect users at the risk of breaking any
>   configurations that require renegotiation. Mladen is doing this
>   now.
> - Supporting renegotiation whilst avoiding the vulnerability will
>   require a protocol fix. In the meantime, we could port
>   r833582 from httpd which would disable client triggered
>   renegotiation for OpenSSL < 0.9.8l (which may help some users
>   who can't easily change their OpenSSL version) and release 1.1.18
>   with this fix
> - Once the protocol is fixed, release 1.1.next bundled with the
>   appropriate version of OpenSSL
> 
> 
> Have I got my facts right above? If so, any objections to posting the
> above to the users@ and announce@ lists along with adding something to
> the security pages?

+1, everything seems right to me and ready for notice to the users.
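As an added illustration (not code from this thread or from the Tomcat project), a small Python helper that applies the summary above to a connector inventory: it parses OpenSSL version strings including the letter suffix (so 0.9.8k sorts before 0.9.8l) and reports whether an APR/native build or a JSSE connector is still exposed according to the thread's findings. The status labels, the helper names and the sample hosts are my own assumptions.

```python
import re

# Facts taken from the thread: OpenSSL 0.9.8l disables renegotiation by
# default, and the JSSE (BIO/NIO) connectors cannot block client-initiated
# renegotiation until the JVM vendors ship a fix. Status labels are assumed.
OPENSSL_RENEG_DISABLED_FROM = "0.9.8l"

_OPENSSL_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def openssl_version_key(text):
    """Parse an OpenSSL version ('0.9.8l' or the full line
    'OpenSSL 0.9.8l 5 Nov 2009') into a comparable tuple.
    The letter suffix sorts lexically, so 0.9.8 < 0.9.8k < 0.9.8l."""
    m = _OPENSSL_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version in %r" % (text,))
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def assess_connector(kind, openssl_version=None, needs_renegotiation=False):
    """Classify one Tomcat HTTPS connector according to the thread's summary.

    kind                -- 'BIO', 'NIO' (JSSE) or 'APR' (OpenSSL via tcnative)
    openssl_version     -- OpenSSL the native library was built against (APR only)
    needs_renegotiation -- True if the config relies on renegotiation (CLIENT-CERT)
    """
    kind = kind.upper()
    if kind in ("BIO", "NIO"):
        # Server-initiated renegotiation could be blocked, but client-initiated
        # renegotiation cannot, so the connector stays exposed for now.
        return "vulnerable-awaiting-jvm-fix"
    if kind != "APR":
        raise ValueError("unknown connector kind %r" % (kind,))
    if openssl_version is None:
        raise ValueError("APR connector needs the OpenSSL version it was built with")
    reneg_disabled = (openssl_version_key(openssl_version)
                      >= openssl_version_key(OPENSSL_RENEG_DISABLED_FROM))
    if not reneg_disabled:
        return "vulnerable"
    # 0.9.8l protects by refusing renegotiation, which breaks configs that need it.
    return "protected-but-renegotiation-broken" if needs_renegotiation else "protected"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {"web1": ("APR", "OpenSSL 0.9.8k 25 Mar 2009", True),
                 "web2": ("APR", "0.9.8l", True),
                 "web3": ("NIO", None, False)}
    for host, args in inventory.items():
        print(host, assess_connector(*args))
```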
