Return-Path: Delivered-To: apmail-tomcat-dev-archive@www.apache.org Received: (qmail 19574 invoked from network); 7 Nov 2009 20:45:56 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 7 Nov 2009 20:45:56 -0000 Received: (qmail 69778 invoked by uid 500); 7 Nov 2009 20:45:55 -0000 Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org Received: (qmail 69692 invoked by uid 500); 7 Nov 2009 20:45:54 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 69681 invoked by uid 99); 7 Nov 2009 20:45:54 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 07 Nov 2009 20:45:54 +0000 X-ASF-Spam-Status: No, hits=-2.6 required=5.0 tests=BAYES_00,HTML_MESSAGE X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of costin@gmail.com designates 209.85.160.45 as permitted sender) Received: from [209.85.160.45] (HELO mail-pw0-f45.google.com) (209.85.160.45) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 07 Nov 2009 20:45:52 +0000 Received: by pwi15 with SMTP id 15so1283742pwi.24 for ; Sat, 07 Nov 2009 12:45:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type; bh=2jk4OPrzfVUfsmYf+/hkUnHMxS7BfSouFfrsr6rcLqA=; b=F2XXvj3CjDNCdIEgZaezS/RrFz3stRXb+Li4jcM3IV7a1ykq3pnVPPegGUPHoc9rCv fVBfQq24eNP1f5EaihZIdv+snDH9KTSnA2D0Mg/WQC5Z53TgNo9d4xEWGC0u1LqRvn2U 83OaNaLJx3svxACxlIuUWVECiEfEL32QtrH98= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=ct5pT+znnfuKiRr/WjjrLIwhUKaE0sjNMjqsidRpQf+iJ9dHQ2Z2B+VG3QvD0yPY/C jQcA/eZ94vd395vK9HQriQNH3/qZTCP8zerikUyspye4J4kAVsnzulYSClKL/Jfn9rfs Krkcsp0UvXY3ZiSjdYMpGibV53nEsB4EvompA= MIME-Version: 1.0 Received: by 10.142.196.1 with SMTP id t1mr594405wff.71.1257626732293; Sat, 07 Nov 2009 12:45:32 -0800 (PST) In-Reply-To: <4AF5A776.70104@apache.org> References: <4AF5A776.70104@apache.org> Date: Sat, 7 Nov 2009 12:45:32 -0800 Message-ID: <96e4b5230911071245s21dbd4f5ud1ad59cf66271d9c@mail.gmail.com> Subject: Re: SSL & Tomcat From: Costin Manolache To: Tomcat Developers List Content-Type: multipart/alternative; boundary=000e0cd32eb8a36eb40477ce0aec --000e0cd32eb8a36eb40477ce0aec Content-Type: text/plain; charset=UTF-8 On Sat, Nov 7, 2009 at 8:59 AM, Mark Thomas wrote: > All, > > I was thinking about this on my way back from ApacheCon and we probably > need to get some advice out to users early next week. > > My current understanding is that the MITM attack is triggered by a > renegotiation. > > On this basis I suggest something along the following lines: > > SSL using JSSE (BIO and NIO connectors) > - Don't use SSL configs that require renegotiation. i.e. SSL config > should be the same for the entire host. Sites that require SSL in some > places and SSL + CLIENT-CERT in others will require reconfiguration. > Sites that require SSL for some parts should be OK. > IMO we could disable ACTION_REQ_SSL_CERTIFICATE ( with a flag "allowManInMiddle" or completely ). - Keep watch for a Sun update to the JDK that may help address the issue > > Or ask people to switch to tcNative ( i.e. openSSL ) or stop using client cert auth. > SSL using tc Native > - tcnative does not support renegotiation > (https://issues.apache.org/bugzilla/show_bug.cgi?id=46950) so for now > users of tc native with SSL should be OK > > > We also need to think about what to do with tc native. Maybe something > like: > - release 1.1.17 with binaries built with 0.9.8l (so renegotiation is > disabled) > - keep an eye on httpd and if they find a work-around, copy it and > release 1.1.18 with renegotiation enabled > > > For now, I'm not proposing any changes to the docs although we may want > to put a summary of the advice - once agreed - on the security pages. > > Thoughts? > > How about the cypher suites - I don't think we allow per-context config of allowed cyphers. Also not sure about client-initiated re-negotiation - I guess using a fixed openssl ( do they have a fix ? ) and native would avoid this, otherwise we need to wait for a jsse fix ? Costin --000e0cd32eb8a36eb40477ce0aec--