tomcat-dev mailing list archives

From Luciana Moreira Sa de Souza Signed by - PrivaSphere AG <s...@privasphere.com>
Subject Re: SSL & Tomcat
Date Wed, 11 Nov 2009 08:09:03 GMT
Hello,

I am currently working on my company's platform to get around this 
security problem during re-negotiation. After discussing with my group 
about the progress being made towards a fix for tomcat, some questions 
were raised and I was hoping you could help me answer them.

We use Tomcat 5.5 with JSSE installed via apt-get in the debian lenny 
distribution. Are there any plans of putting this fix as an update in 
the debian package?

The other question is in relation to the configuration of this fix. I 
saw proposals of putting a property in the server.xml to prevent 
renegotiation from happening. Will this be done on a per Connector basis 
or will this be a Server setting? I ask this since we have parts of the 
server where we would like to keep the old behavior and other parts where 
we have to completely stop re-negotiations.

Thank you and best regards,
Luciana Moreira

Costin Manolache wrote:
> openssl s_client ...
> Type "R" ( to renegotiate ).
>
> Unfortunately renegotiation is handled transparently and did work quite
> well...
>
> Costin
>
> On Tue, Nov 10, 2009 at 10:53 PM, Filip Hanik - Dev Lists <
> devlists@hanik.com> wrote:
>
>   
>> I don't think NIO allows a renegotiation as it is today. I will have to
>> look deeper in the code. But I think the negotiation is a one time deal per
>> connection. I will look closer.
>>
>> Filip
>>
>>
>> On 11/07/2009 09:59 AM, Mark Thomas wrote:
>>
>>     
>>> All,
>>>
>>> I was thinking about this on my way back from ApacheCon and we probably
>>> need to get some advice out to users early next week.
>>>
>>> My current understanding is that the MITM attack is triggered by a
>>> renegotiation.
>>>
>>> On this basis I suggest something along the following lines:
>>>
>>> SSL using JSSE (BIO and NIO connectors)
>>> - Don't use SSL configs that require renegotiation. i.e. SSL config
>>> should be the same for the entire host. Sites that require SSL in some
>>> places and SSL + CLIENT-CERT in others will require reconfiguration.
>>> Sites that require SSL for some parts should be OK.
>>> - Keep watch for a Sun update to the JDK that may help address the issue
>>>
>>> SSL using tc Native
>>> - tcnative does not support renegotiation
>>> (https://issues.apache.org/bugzilla/show_bug.cgi?id=46950) so for now
>>> users of tc native with SSL should be OK
>>>
>>>
>>> We also need to think about what to do with tc native. Maybe something
>>> like:
>>> - release 1.1.17 with binaries built with 0.9.8l (so renegotiation is
>>> disabled)
>>> - keep an eye on httpd and if they find a work-around, copy it and
>>> release 1.1.18 with renegotiation enabled
>>>
>>> For now, I'm not proposing any changes to the docs although we may want
>>> to put a summary of the advice - once agreed - on the security pages.
>>>
>>> Thoughts?
>>>
>>> Mark
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>>
>>>
>>>
>>>
>>>       
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>>
>>     
>
>   



----------
This message has been signed by the PrivaSphere Mail Signature Service.
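Added illustration of the configuration pattern Mark's advice warns about, and the reconfiguration that avoids it. This is not code from the thread or from the Tomcat project; the port, keystore paths, passwords and URL pattern are assumed values. With JSSE, a connector configured with clientAuth="false" does not ask for a client certificate in the initial handshake. When a request later hits a resource protected by CLIENT-CERT, Tomcat obtains the certificate by renegotiating the already-established session, which is exactly the renegotiation the advice says to design out. Setting clientAuth="true" on the connector requests the certificate during the initial handshake, so Tomcat has no reason to renegotiate.

```xml
<!-- Added example, not from the thread. Tomcat 5.5 HTTP/1.1 connector using
     JSSE; port, keystore/truststore paths and passwords are assumptions. -->

<!-- BEFORE (server.xml): the connector does not request a certificate up
     front. Plain SSL content and CLIENT-CERT content share this connector. -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" enableLookups="false"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/keystore.jks" keystorePass="changeit" />

<!-- web.xml of the application on that host: only /admin/* demands a client
     certificate. On the connector above, the first request to /admin/* makes
     Tomcat renegotiate the TLS session to obtain the certificate.
     (Mapping the certificate to the "admin" role is the Realm's job and is
     assumed to be configured.) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<!-- AFTER (server.xml): the same host reconfigured so that the certificate is
     requested in the initial handshake. Every client of this connector must
     now present a certificate, i.e. the SSL configuration is the same for the
     whole host. Content that must stay reachable without a certificate has to
     live on a different connector (in Tomcat, a separate <Service> with its own
     <Engine> and <Host>), not on this one. -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" enableLookups="false"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="conf/keystore.jks" keystorePass="changeit"
           truststoreFile="conf/truststore.jks" truststorePass="changeit" />
```

Note the limit of this change: it removes Tomcat's own reason to renegotiate, it does not stop the JSSE layer from accepting a renegotiation that a client asks for. Costin's check still shows that: connect to either connector with openssl s_client and type R, and the renegotiation is still accepted by the JDK. Closing that side is what the awaited JDK update is for, which is why Mark's advice lists both items.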
