tomcat-users mailing list archives

From André Warnier
Subject Re: Tomcat ssl vulnerability CVE-2009-3555
Date Mon, 26 Nov 2012 21:41:22 GMT
Hermes Flying wrote:
> Just to be clear. When I say report, I mean a report from a security penetration test
> suite which reports that the server allows renegotiation
> ________________________________
>  From: Hermes Flying <>
> To: "" <> 
> Sent: Monday, November 26, 2012 10:36 PM
> Subject: Tomcat ssl vulnerability CVE-2009-3555
> Hi,
> I am running Tomcat 5.35 and I got a report that it is vulnerable to SSL client renegotiation


I believe that Tomcat 5.35 does not exist. You probably mean 5.5.35.

You may first want to have a look at this page :

To comment on your request for help, and without getting into the technical details :

You do not specify which "security penetration test suite" was used to get this result. 
Such tools are known to generate false positives from time to time, and naming the tool 
may trigger someone's memory.

Tomcat is free software, developed, maintained and supported by volunteers.  As is human 
and logical, they like to dedicate more of their time to recent and current versions of 
Tomcat, rather than old ones, particularly after their end of life has been reached.
That may be considered as a reasonable trade-off for being able to use software that is 
free of charge.

To your own benefit thus : you would probably have a much better chance of getting 
attention and help for such an issue, if you installed a recent version of Tomcat, and 
confirmed with the same tool that you are getting the same result (or not)
(rather than "supposing" that you would.)
(have you tried to upgrade at least to v 5.5.36 (which is the "most current" release of 
that same branch), and checked if the same issue exists ?)

If you then do *not* see the same issue, there is a reasonable chance that the 
recommendation that will be made, is to upgrade Tomcat to this more recent version.
Or else, you will have to provide reasonable motives for which you cannot do that.

But if you *do* see the same issue with a very recent version, then it is almost 
guaranteed that you will get immediate attention.

All that does not mean that there will not be someone on this list that is willing to 
dedicate time to your issue, but you may be willing to increase your chances anyway.
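
The following is an added example, not part of this thread and not code from the Tomcat project. It performs the one check that settles what a scanner means by "the server allows renegotiation": the fix for CVE-2009-3555 is RFC 5746, under which a patched TLS stack answers a ClientHello that carries the `renegotiation_info` extension with the same extension in its ServerHello. The script sends such a ClientHello, parses the ServerHello and reports whether the extension came back. Tomcat's JSSE connector delegates TLS to the JVM and the APR connector to OpenSSL, so the answer reflects those libraries rather than Tomcat itself, which is one reason to rerun the same check against a current version as the reply above suggests. The function names, the cipher list, and `build_sample_server_hello` (which fabricates a ServerHello for offline testing, not a capture from any real server) are this example's own assumptions.

```python
"""Check whether a TLS server advertises RFC 5746 secure renegotiation (the CVE-2009-3555 fix)."""
import os
import socket
import struct

RENEGOTIATION_INFO = 0xFF01   # extension type assigned by RFC 5746
SERVER_NAME = 0x0000          # SNI, so a virtual-hosted server picks the intended certificate


def build_client_hello(host: str) -> bytes:
    """Build one TLS record holding a TLS 1.2 ClientHello with SNI and an empty renegotiation_info."""
    # A small, assumed cipher list; RSA key exchange suites are included so the hello
    # still works against servers that need supported_groups for ECDHE.
    cipher_suites = b"".join(struct.pack("!H", cs) for cs in (0xC02F, 0xC030, 0x009C, 0x002F, 0x0035))
    hostname = host.encode("idna")
    sni_entry = struct.pack("!BH", 0, len(hostname)) + hostname
    sni_ext = struct.pack("!HH", SERVER_NAME, len(sni_entry) + 2) + struct.pack("!H", len(sni_entry)) + sni_entry
    # On an initial handshake renegotiation_info carries a single zero length byte and no data.
    reneg_ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
    extensions = sni_ext + reneg_ext
    body = (
        b"\x03\x03"                                        # client_version: TLS 1.2
        + os.urandom(32)                                   # random
        + b"\x00"                                          # empty session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                      # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello = 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake = 22


def server_hello_extensions(data: bytes):
    """Parse the first TLS record in data; return the set of extension types in its ServerHello.

    Returns None when the record is not a ServerHello (for example an alert record).
    """
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    msg = data[5:5 + rec_len]
    if len(msg) < 4 or msg[0] != 0x02:                    # HandshakeType server_hello = 2
        return None
    hs_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + hs_len]
    pos = 2 + 32                                          # skip server_version and random
    if pos >= len(body):
        return None
    sid_len = body[pos]
    pos += 1 + sid_len
    pos += 2 + 1                                          # cipher_suite and compression_method
    exts = set()
    if pos + 2 > len(body):
        return exts                                       # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4 + ext_len
        exts.add(ext_type)
    return exts


def build_sample_server_hello(extensions: bytes) -> bytes:
    """Construct a ServerHello record for offline testing (sample data, not captured from a real server)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def supports_secure_renegotiation(host: str, port: int = 443, timeout: float = 5.0):
    """True if the server echoed renegotiation_info, False if it sent a ServerHello without it,
    None if no ServerHello came back (alert, TLS 1.3-only server, or a connection problem)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        data = b""
        # Read until the first record is complete, since the ServerHello can arrive in pieces.
        while len(data) < 5 or len(data) < 5 + int.from_bytes(data[3:5], "big"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    exts = server_hello_extensions(data)
    if exts is None:
        return None
    return RENEGOTIATION_INFO in exts


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    print(target, port, "secure renegotiation:", supports_secure_renegotiation(target, port))
```

A `False` from this check on a server you administer means the TLS stack behind the connector predates RFC 5746; a `None` means the handshake did not get as far as a ServerHello and a scanner would have needed a different probe, so the result is not evidence either way. Comparing the answer from the old installation with the answer from a current Tomcat on the same JVM or OpenSSL is what separates a real finding from a scanner false positive.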
