tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <>
Subject Re: SSL & Tomcat
Date Sat, 07 Nov 2009 23:37:27 GMT

"Mark Thomas" <> wrote in message
> All,
> I was thinking about this on my way back from ApacheCon and we probably
> need to get some advice out to users early next week.
> My current understanding is that the MITM attack is triggered by a
> renegotiation.
> On this basis I suggest something along the following lines:
> SSL using JSSE (BIO and NIO connectors)
> - Don't use SSL configs that require renegotiation. i.e. SSL config
> should be the same for the entire host. Sites that require SSL in some
> places and SSL + CLIENT-CERT in others will require reconfiguration.
> Sites that require SSL for some parts should be OK.
> - Keep watch for a Sun update to the JDK that may help address the issue

IMHO, we will have to add an option to the <Connector/> that allows the user 
to have the current renegotiation behavior.  It can even print out an 
annoying warning in the log file if you set it.  But without this option, 
what will happen is that users that are using CLIENT-CERT simply won't 

And there a plenty of use cases where the user really isn't to worried about 
MITM.  For example, if I am running an intranet server that uses CLIENT-CERT 
to identify employees, then if a black-hat can get in a position to exploit 
this, MITM is the least of my worries.

> SSL using tc Native
> - tcnative does not support renegotiation
> ( so for now
> users of tc native with SSL should be OK
> We also need to think about what to do with tc native. Maybe something 
> like:
> - release 1.1.17 with binaries built with 0.9.8l (so renegotiation is
> disabled)
> - keep an eye on httpd and if they find a work-around, copy it and
> release 1.1.18 with renegotiation enabled

At the moment, https seems to be going for rejecting attempts by the client 
to renegotiate, but server renegotiation is unchanged (i.e. there is no 
configuration change necessary to force CLIENT-CERT for a specific 
directory).  Perhaps tc-native could do something along the lines of r833582 
(the httpd patch).

> For now, I'm not proposing any changes to the docs although we may want
> to put a summary of the advice - once agreed - on the security pages.
> Thoughts?
> Mark 

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message