tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: svn commit: r1175421 - in /tomcat/site/trunk: docs/security-5.html docs/security-6.html docs/security-7.html xdocs/security-5.xml xdocs/security-6.xml xdocs/security-7.xml
Date Sun, 25 Sep 2011 16:39:02 GMT
2011/9/25 Mark Thomas <markt@apache.org>:
> On 25/09/2011 17:11, kkolinko@apache.org wrote:
>> Author: kkolinko
>> Date: Sun Sep 25 16:10:59 2011
>> New Revision: 1175421
>>
>> URL: http://svn.apache.org/viewvc?rev=1175421&view=rev
>> Log:
>> Mention when support for RFC 5746 was added.
>>
>> As far as I am reading Tomcat-Navive changelog,
>> it does not have implementation for this new renegotiation protocol.
>
> It should have. It is entirely provided by OpenSSL.
>

Oops.
It needs some time to sort this in my mind


Then I think the
http://tomcat.apache.org/security-native.html
has to be updated with more specific version numbers, like I did for
5.5, 6.0 and 7.0 pages.

> Also, search
> http://tomcat.apache.org/native-doc/miscellaneous/changelog.html for
> renegotiation. The APR/native HTTP connector fully supports control of
> whether or not legacy negotiation is supported via the
> allowUnsafeLegacyRenegotiation attribute of the connector.

I did so, but the changelog mentions only
"Add support for unsafe legacy renegotiation." (1.1.21)
which is unrelated to RFC 5746.

The native security page says "From 1.1.18 onwards, client initiated
renegotiations are rejected". So it sounds that they are rejected,
regardless of RFC 5746.

Both of the above resulted in my confusion.

The native code does not check for "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
cipher, unlike JSSESocketFactory used by not-native connectors,
nor AprLifecycleListener prints status of this feature support at
Tomcat startup.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message