tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Problems w/ TLS (record-splitting)
Date Tue, 10 Apr 2012 22:37:06 GMT
2012/4/10 Gregor S. <rc46fi@googlemail.com>:
> Hi guys,
>
> I know, it's actually not a Tomcat-problem, but I was wondering if one
> of those gurus hanging around in this mailing-list could give me a hint
> on how to handle this problem.
>
> As some of you might be aware, Firefox (from version 9.x on) cannot
> handle TLS-records which are served from a server if they are split
> into multiple parts.
>
> This behaviour is documented here:
> https://bugzilla.mozilla.org/show_bug.cgi?id=702111
>
> Since some of our clients are using Firefox, I just can't lean back
> and tell them "well, that's a Firefox-bug, get a decent browser" -
> unfortunately.
>
> We are using Apache Tomcat 6.0.24 on Scientific Linux release 6.2
> (Carbon), Tomcat is running as a daemon via jsvc, and Tomcat is using
> the Apache Portable Runtime (APR).
>
> I went through all docs I could find on the net, hoping there was
> some screw I could turn to switch off TLS record splitting on the
> server side, but I couldn't find anything.
>
> Our scenario is as follows:
>
> - SSL connection
> - user is prompted for ID / password via FormLogin (j_security_check)
>
> And then we get the message
>
> "The connection was reset"
> "The connection to the server was reset while the page was loading."
>
> Do any of you guys have an idea if there is any Tomcat
> configuration-parameter I could try to overcome this behaviour?
>
> IE and Chrome (both, all versions) are working like a charm.
>

1. Reading [1], especially Comment 7, it does not look like a browser problem.

It says it is because the browser is not sending all data in one big
packet, but is sending some small portion first. Am I missing
something?


2. Comment 37 shows some web application coding patterns that lead to
observing this error.

Does this happen with some specific web application / some specific
pages (so there is some specific error there), or do "standard"
applications fail as well?


3. I think you should consider updating to a more recent version of
Tomcat 6, as well as of Tomcat-Native and OpenSSL (and maybe APR as
well).

See
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-native.html

BTW, that issue [1] and ms12-006 referenced in it [2] discuss TLS 1.1 and 1.2.


[2] http://technet.microsoft.com/en-us/security/bulletin/ms12-006

Best regards,
Konstantin Kolinko
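
Point 1 of the reply describes the browser sending a small portion of the data first rather than everything at once. The following is an added example, not code from this thread, the Bugzilla report or Tomcat: it assumes a web application that reads a request body from a stream itself, and shows why a single `read()` call is fragile when data arrives in pieces. The class name, method names and sample body are hypothetical, and the one-byte first read is a constructed stand-in for split delivery.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class SplitRecordRead {
    // Constructed stand-in for a stream whose data arrives in two pieces:
    // the first read yields one byte, later reads yield the rest.
    static InputStream splitStream(byte[] data) {
        return new ByteArrayInputStream(data) {
            private boolean first = true;
            @Override
            public synchronized int read(byte[] b, int off, int len) {
                int n = first ? Math.min(1, len) : len;
                first = false;
                return super.read(b, off, n);
            }
        };
    }

    // Fragile: treats whatever one read() returns as the whole body.
    static String readOnce(InputStream in, int contentLength) throws IOException {
        byte[] buf = new byte[contentLength];
        int n = in.read(buf, 0, buf.length);
        return new String(buf, 0, Math.max(n, 0), StandardCharsets.ISO_8859_1);
    }

    // Robust: keeps reading until contentLength bytes arrive or the stream ends.
    static String readFully(InputStream in, int contentLength) throws IOException {
        byte[] buf = new byte[contentLength];
        int total = 0;
        while (total < contentLength) {
            int n = in.read(buf, total, contentLength - total);
            if (n < 0) break; // peer closed before the full body arrived
            total += n;
        }
        return new String(buf, 0, total, StandardCharsets.ISO_8859_1);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample form body, not taken from the thread.
        byte[] body = "j_username=alice&j_password=example"
                .getBytes(StandardCharsets.ISO_8859_1);
        System.out.println("single read: " + readOnce(splitStream(body), body.length));
        System.out.println("read loop:   " + readFully(splitStream(body), body.length));
    }
}
```

With the split stream, the single read returns only the first byte of the body while the loop returns all of it.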
