tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From yosi izaq <izaq...@gmail.com>
Subject Re: TLS renegotiation MitM vulnerability. Is it fixed in Tomcat?
Date Sun, 24 Jan 2010 16:17:48 GMT
The last piece of the puzzle is what connector is used by default. According
to 6.0.x docs it's BIO: "The default value is HTTP/1.1 and configures the
org.apache.coyote.http11.Http11Protocol. This is the blocking Java
connector.".

That, together with your helpful & prompt responses allows me to devise a
quick mitigation plan for the vulnerability - i.e. switch to NIO (with the
extra bonus of better performance so what's not to like?)

Thanks so much Pid,
Yosi

On Sun, Jan 24, 2010 at 5:58 PM, Pid <pid@pidster.com> wrote:

> On 24/01/2010 14:26, yosi izaq wrote:
>
>> response Inline.
>>
>> 10x 4 the prompt answer!
>> Yosi
>>
>>
>>    6.0.24 has just been released, it is the best available version.
>>
>>    Your Connector config will determine which fix you need to employ.
>>
>> [Yosi] I'm new to Tomcat. Do you refer to org.apache.coyote.http11
>> parameter of the connector's CTOR?
>>
>
> Yes, there are 3 connector variants:
>
>  AJP Connector - for use with Apache HTTPDs mod_jk or mod_proxy_ajp
>  BIO Connector
>  NIO Connector
>
>
>     If you are using APR then you need to upgrade your SSL library (e.g.
>>    openssl) to the appropriate version.
>>
>>    If you are using the Java based connectors then search the archive
>>    for the recent and detailed discussions on this topic.
>>
>> [Yosi] According to archive NIO doesn't support renegotiation so the
>> issue is not relevant to NIO. Is my understanding correct?
>>
>
> Yes, this is correct.
>
>
> p
>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message