tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: secure TLS renegotiation
Date Fri, 28 Jan 2011 19:54:13 GMT
On 28/01/2011 19:29, Olaf Tomczak wrote:
> Mark,
> 
> 2011/1/28 Mark Thomas <markt@apache.org>
>>
>> On 28/01/2011 19:00, Olaf Tomczak wrote:
>>> Hello,
>>>
>>> Does Tomcat support the so called "secure TLS renegotiation"? If so, what
>>> should I configure to use it?
>>> Currently when connecting to my application using secure connection most
>>> browsers complain about my server software being "very old" and insecure
>>> because of the lack of this feature.
>>>
>>> I'm using Tomcat 6.0.29 on linux/freebsd.
>>
>> Yes, if the JVM supports it.
>>
>> You'll probably need to enable Tomcat's allowLegacyRenegotiation feature
>> else Tomcat will block all renegotiation.
> 
> I googled "allowLegacyRenegotiation" and found this article:
> http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
> 
> It describes the following 2 system properties:
> sun.security.ssl.allowUnsafeRenegotiation - Introduced in Phase 1,
> this controls whether legacy (unsafe) renegotiations are permitted.
> sun.security.ssl.allowLegacyHelloMessages - Introduced in Phase 2,
> this allows the peer to handshake without requiring the proper RFC
> 5746 messages.
> 
> Are these what you meant?

That is what I meant for the Oracle part. You'll need to look at the
Tomcat configuration docs for the HTTP connector for allowLegacyRenegotiation.

Mark


