tomcat-dev mailing list archives

From Konstantin Kolinko <>
Subject Re: svn commit: r1175421 - in /tomcat/site/trunk: docs/security-5.html docs/security-6.html docs/security-7.html xdocs/security-5.xml xdocs/security-6.xml xdocs/security-7.xml
Date Sun, 25 Sep 2011 16:39:02 GMT
2011/9/25 Mark Thomas <>:
> On 25/09/2011 17:11, wrote:
>> Author: kkolinko
>> Date: Sun Sep 25 16:10:59 2011
>> New Revision: 1175421
>> URL:
>> Log:
>> Mention when support for RFC 5746 was added.
>> As far as I am reading the Tomcat-Native changelog,
>> it does not have an implementation for this new renegotiation protocol.
> It should have. It is entirely provided by OpenSSL.

It will take me some time to sort this out in my mind.

Then I think the
has to be updated with more specific version numbers, like I did for
5.5, 6.0 and 7.0 pages.

> Also, search
> for
> renegotiation. The APR/native HTTP connector fully supports control of
> whether or not legacy negotiation is supported via the
> allowUnsafeLegacyRenegotiation attribute of the connector.

I did so, but the changelog mentions only
"Add support for unsafe legacy renegotiation." (1.1.21)
which is unrelated to RFC 5746.

The native security page says "From 1.1.18 onwards, client initiated
renegotiations are rejected". So it sounds like they are rejected,
regardless of RFC 5746.

Both of the above resulted in my confusion.

The native code does not check for the "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
cipher, unlike JSSESocketFactory used by the non-native connectors,
nor does AprLifecycleListener print the status of this feature's support at
Tomcat startup.

Best regards,
Konstantin Kolinko
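The startup check the message contrasts the two connectors on, shown as an added example (not code from this thread or from Tomcat's own JSSESocketFactory or AprLifecycleListener): RFC 5746 section 3.3 defines the signaling cipher suite value TLS_EMPTY_RENEGOTIATION_INFO_SCSV, and a JSSE provider that implements secure renegotiation lists it among its supported cipher suites, so the presence of that name is a usable indicator of RFC 5746 support. The class name `RenegotiationSupportCheck` and the use of the default SSLContext are assumptions made for this illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

// Added illustration: report at startup whether the JSSE provider in use
// implements RFC 5746 secure renegotiation, so an operator knows whether
// allowing renegotiation on a connector relies on the legacy (unsafe) form.
public class RenegotiationSupportCheck {

    // Signaling cipher suite value from RFC 5746, section 3.3.
    static final String SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV";

    // True when the provider advertises the SCSV, i.e. it speaks RFC 5746.
    public static boolean providerSupportsRfc5746(SSLSocketFactory factory) {
        return Arrays.asList(factory.getSupportedCipherSuites()).contains(SCSV);
    }

    // One-line status message in the style of a startup log entry.
    public static String statusMessage(boolean supported) {
        return supported
            ? "JSSE provider supports RFC 5746 secure renegotiation (" + SCSV + " present)"
            : "JSSE provider does NOT support RFC 5746; renegotiation should stay disabled";
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Default context: platform key store, trust store and provider order
        // (assumption for this example; a real connector would build its own).
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        boolean supported = providerSupportsRfc5746(factory);
        System.out.println(statusMessage(supported));
    }
}
```

Run it against the same JVM and provider that Tomcat starts with; a native (OpenSSL-backed) connector cannot be probed this way, which is the gap the message above points at.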
