tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Costin Manolache <cos...@gmail.com>
Subject Re: SSL & Tomcat
Date Wed, 11 Nov 2009 07:11:39 GMT
openssl s_client ...
Type "R" ( to renegotiate ).

Unfortunately renegotiation is handled transparently and did work quite
well...

Costin

On Tue, Nov 10, 2009 at 10:53 PM, Filip Hanik - Dev Lists <
devlists@hanik.com> wrote:

> I don't think NIO allows a renegotiation as it is today. I will have to
> look deeper in the code. But I think the negotiation is a one time deal per
> connection. I will look closer.
>
> Filip
>
>
> On 11/07/2009 09:59 AM, Mark Thomas wrote:
>
>> All,
>>
>> I was thinking about this on my way back from ApacheCon and we probably
>> need to get some advice out to users early next week.
>>
>> My current understanding is that the MITM attack is triggered by a
>> renegotiation.
>>
>> On this basis I suggest something along the following lines:
>>
>> SSL using JSSE (BIO and NIO connectors)
>> - Don't use SSL configs that require renegotiation. i.e. SSL config
>> should be the same for the entire host. Sites that require SSL in some
>> places and SSL + CLIENT-CERT in others will require reconfiguration.
>> Sites that require SSL for some parts should be OK.
>> - Keep watch for a Sun update to the JDK that may help address the issue
>>
>> SSL using tc Native
>> - tcnative does not support renegotiation
>> (https://issues.apache.org/bugzilla/show_bug.cgi?id=46950) so for now
>> users of tc native with SSL should be OK
>>
>>
>> We also need to think about what to do with tc native. Maybe something
>> like:
>> - release 1.1.17 with binaries built with 0.9.8l (so renegotiation is
>> disabled)
>> - keep an eye on httpd and if they find a work-around, copy it and
>> release 1.1.18 with renegotiation enabled
>>
>> For now, I'm not proposing any changes to the docs although we may want
>> to put a summary of the advice - once agreed - on the security pages.
>>
>> Thoughts?
>>
>> Mark
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>>
>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message