tomcat-users mailing list archives

From Pid <...@pidster.com>
Subject Re: TLS renegotiation MitM vulnerability. Is it fixed in Tomcat?
Date Sun, 24 Jan 2010 14:10:59 GMT
On 24/01/2010 13:12, yosi izaq wrote:
> On Sun, Jan 24, 2010 at 1:36 PM, yosi izaq <izaqyos@gmail.com> wrote:
>
>> Hi,
>>
>> I'm an eng. working on a security product that also uses Tomcat for
>> Web-server functionality.
>> I'm concerned with the known TLS renegotiation MitM vulnerability.
>> I would like to ask whether there's a Tomcat version that contains a fix to
>> the issue? Say by disabling TLS renegotiation by default and adding a
>> configuration parameter for enabling it if needed.
>> I did some searching on mail traffic and saw some SVN mentions of such a
>> possible fix, so I hope that a fix is either planned or already released.
>>
>> TIA,
>> Yosi Izaq
>> Cisco R&D
>>
>
> Hi,
>
> I've found mention of this record - CVE-2009-3555.
> According to that the BIO fix is made available in version 6.0.21. Is that
> correct? Is the fix also available on version 6.0.18?
>
> TIA,
> Yosi

6.0.24 has just been released; it is the best available version.

Your Connector config will determine which fix you need to employ.

If you are using APR then you need to upgrade your SSL library (e.g. 
openssl) to the appropriate version.

If you are using the Java based connectors then search the archive for 
the recent and detailed discussions on this topic.


p

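Added example, not part of the original message or of Tomcat itself: a small audit script that reads a `server.xml` and reports, for each TLS-enabled Connector, which of the two remediation paths named in the reply applies. It assumes Tomcat 6 style configuration (the `SSLEnabled` attribute and the `org.apache.coyote.http11.*` protocol class names); the sample `server.xml` and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (not taken from the thread).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11Protocol"/>
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11AprProtocol"/>
    <Connector port="7443" SSLEnabled="true" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

# Remediation wording follows the reply above; nothing more specific is assumed.
ADVICE = {
    "apr": "APR connector: upgrade the SSL library (e.g. OpenSSL)",
    "java": "Java connector (BIO/NIO): upgrade Tomcat, see the list archive discussion",
    "auto": "Auto-selected: APR if the native library loads, else Java BIO; "
            "check the startup log to see which one is in use",
    "unknown": "Unrecognised protocol value: review manually",
}

def classify(protocol):
    """Map a Connector 'protocol' attribute to the connector family."""
    if protocol is None or protocol.upper() == "HTTP/1.1":
        return "auto"  # Tomcat picks APR or BIO at startup
    if protocol.endswith("AprProtocol"):
        return "apr"
    if protocol.endswith(("Http11Protocol", "Http11NioProtocol")):
        return "java"
    return "unknown"

def audit_connectors(server_xml):
    """Return (port, family, advice) for every Connector with SSLEnabled=true."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors do not terminate TLS
        family = classify(conn.get("protocol"))
        findings.append((conn.get("port"), family, ADVICE[family]))
    return findings

if __name__ == "__main__":
    for port, family, advice in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {family}: {advice}")
```
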