Subject: Re: SSL & Tomcat
From: Costin Manolache
To: Tomcat Developers List
Date: Tue, 10 Nov 2009 23:11:39 -0800
Message-ID: <96e4b5230911102311w69f495c9n2e7c52a9f4ade03c@mail.gmail.com>
In-Reply-To: <4AFA5F59.7060805@hanik.com>
References: <4AF5A776.70104@apache.org> <4AFA5F59.7060805@hanik.com>

openssl s_client ... Type "R" (to renegotiate).

Unfortunately renegotiation is handled transparently and did work quite well...

Costin

On Tue, Nov 10, 2009 at 10:53 PM, Filip Hanik - Dev Lists <devlists@hanik.com> wrote:

> I don't think NIO allows a renegotiation as it is today. I will have to
> look deeper in the code. But I think the negotiation is a one time deal per
> connection. I will look closer.
>
> Filip
>
> On 11/07/2009 09:59 AM, Mark Thomas wrote:
>
>> All,
>>
>> I was thinking about this on my way back from ApacheCon and we probably
>> need to get some advice out to users early next week.
>>
>> My current understanding is that the MITM attack is triggered by a
>> renegotiation.
>>
>> On this basis I suggest something along the following lines:
>>
>> SSL using JSSE (BIO and NIO connectors)
>> - Don't use SSL configs that require renegotiation, i.e. SSL config
>> should be the same for the entire host. Sites that require SSL in some
>> places and SSL + CLIENT-CERT in others will require reconfiguration.
>> Sites that require SSL for some parts should be OK.
>> - Keep watch for a Sun update to the JDK that may help address the issue
>>
>> SSL using tc Native
>> - tcnative does not support renegotiation
>> (https://issues.apache.org/bugzilla/show_bug.cgi?id=46950) so for now
>> users of tc native with SSL should be OK
>>
>> We also need to think about what to do with tc native. Maybe something
>> like:
>> - release 1.1.17 with binaries built with 0.9.8l (so renegotiation is
>> disabled)
>> - keep an eye on httpd and if they find a work-around, copy it and
>> release 1.1.18 with renegotiation enabled
>>
>> For now, I'm not proposing any changes to the docs although we may want
>> to put a summary of the advice - once agreed - on the security pages.
>>
>> Thoughts?
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
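The mixed configuration Mark's advice warns about (a JSSE connector that does not demand a client certificate at the initial handshake, combined with a webapp whose login-config uses CLIENT-CERT) is the one where Tomcat obtains the certificate through a TLS renegotiation when a protected resource is first hit. The following config audit, an added example that is not part of this thread or of Tomcat's own code, parses a constructed server.xml and web.xml and flags that combination. The sample files, the `audit` function and its output strings are this example's own assumptions; the attributes it reads (`SSLEnabled`, `clientAuth`, `auth-method`, `security-constraint`, `url-pattern`) are standard Tomcat / Servlet configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: an SSL connector that does NOT require a
# client certificate during the initial handshake (clientAuth="false").
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"/>
  </Service>
</Server>"""

# Constructed sample web.xml: only /admin/* is protected, and the protected
# part authenticates with CLIENT-CERT. The rest of the host is plain SSL.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""


def _local(tag):
    """Strip a namespace prefix such as '{http://...}auth-method'."""
    return tag.rsplit('}', 1)[-1]


def ssl_connectors(server_xml):
    """Return [(port, clientAuth)] for every SSL-enabled Connector."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter('Connector'):
        if conn.get('SSLEnabled', 'false').lower() != 'true':
            continue
        # Tomcat's default when clientAuth is absent is "false".
        found.append((conn.get('port'), conn.get('clientAuth', 'false').lower()))
    return found


def client_cert_patterns(web_xml):
    """Return the url-patterns that force authentication if the webapp's
    auth-method is CLIENT-CERT, else an empty list."""
    root = ET.fromstring(web_xml)
    methods = [e.text.strip().upper() for e in root.iter()
               if _local(e.tag) == 'auth-method' and e.text]
    if 'CLIENT-CERT' not in methods:
        return []
    patterns = []
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        # Only constraints carrying an auth-constraint trigger authentication.
        if not any(_local(c.tag) == 'auth-constraint' for c in sc):
            continue
        for e in sc.iter():
            if _local(e.tag) == 'url-pattern' and e.text:
                patterns.append(e.text.strip())
    return patterns


def audit(server_xml, web_xml):
    """One finding per SSL connector whose setting would make Tomcat
    renegotiate to fetch a client certificate for CLIENT-CERT resources."""
    findings = []
    patterns = client_cert_patterns(web_xml)
    if not patterns:
        return findings  # no CLIENT-CERT auth, nothing to renegotiate for
    for port, client_auth in ssl_connectors(server_xml):
        if client_auth == 'true':
            continue  # cert demanded up front for the whole host: no renegotiation
        verb = 'may renegotiate' if client_auth == 'want' else 'will renegotiate'
        findings.append(
            f'connector {port}: clientAuth="{client_auth}" but CLIENT-CERT protects '
            f'{", ".join(patterns)}; Tomcat {verb} to fetch the certificate'
        )
    return findings


if __name__ == '__main__':
    for line in audit(SERVER_XML, WEB_XML) or ['no renegotiation-dependent config found']:
        print(line)
```

Setting `clientAuth="true"` on the connector (so the certificate is requested in the initial handshake for every request on that host) makes the finding disappear, which is the "same SSL config for the entire host" shape the advice above asks for; `clientAuth="want"` is reported as a softer finding because renegotiation still happens for clients that did not present a certificate.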