tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: How to limit the number of renegotiations for a single TLS / SSL connection
Date Sat, 09 Feb 2013 13:33:35 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Deepak,

On 2/9/13 4:05 AM, dkumar@ccilindia.co.in wrote:
> We have not specified any specific connector protocol in the
> connector tag; does that mean we are using the native APR connector?
> If so, then as renegotiation is not permitted in APR, why does the VA
> tool report a renegotiation DoS vulnerability? It would be of great
> help if you could explain how to implement the HTTP NIO or BIO connector
> to handle this renegotiation issue.

The default connector depends upon your system configuration. I
believe if you have APR/tcnative available, Tomcat will use that and
you'll get an APR/HTTP connector. Otherwise, you'll get the BIO
connector. You have to specifically request the NIO connector.

> <Connector port="8443" SSLEnabled="true" acceptCount="500"
> ciphers="Some cipher" allowUnsafeLegacyRenegotiation="false" 
> maxThreads="5" scheme="https" secure="false" clientAuth="false"
> sslProtocol="TLS" keystoreFile="cert.key" keystorePass="password"
> />

Using the APR connector for SSL will be much faster than either BIO or
NIO.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREIAAYFAlEWUC8ACgkQ9CaO5/Lv0PB+FwCfQLqO5CsHc9cB4sq+mO5D8mq5
IDMAoLr6WXRqgu7JWiHewUD47Js36dXd
=XY13
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
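The reply above says the connector implementation is chosen implicitly unless the `protocol` attribute is set, and the quoted `<Connector>` has no such attribute. The script below is an added example, not code from the thread or from Tomcat: it parses a constructed `server.xml` and reports, for every `SSLEnabled` connector, whether the implementation was pinned explicitly (the NIO, APR and BIO handler class names are real Tomcat identifiers) and what `allowUnsafeLegacyRenegotiation` is set to, so an operator can see which connector a scanner finding actually applies to. The sample XML, the `audit_connectors` function and its output format are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Tomcat protocol handler class names (real Tomcat identifiers).
NIO = "org.apache.coyote.http11.Http11NioProtocol"
APR = "org.apache.coyote.http11.Http11AprProtocol"
BIO = "org.apache.coyote.http11.Http11Protocol"  # blocking connector of Tomcat 6/7

# Constructed sample server.xml (not from a real deployment). The first
# connector mirrors the one quoted in the thread: no protocol attribute, so
# Tomcat picks the implementation itself. The second pins NIO explicitly.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" acceptCount="500"
               allowUnsafeLegacyRenegotiation="false"
               maxThreads="5" scheme="https" secure="false" clientAuth="false"
               sslProtocol="TLS" keystoreFile="cert.key" keystorePass="password" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               allowUnsafeLegacyRenegotiation="false"
               sslProtocol="TLS" keystoreFile="cert.key" keystorePass="password" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""


def audit_connectors(xml_text):
    """Return one finding per SSL-enabled Connector in the given server.xml text.

    A connector whose protocol is absent or the generic "HTTP/1.1" value is
    marked implicit_selection=True: which implementation runs then depends on
    whether tcnative (APR) is present on the host, not on the configuration.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connectors cannot have a TLS renegotiation issue
        protocol = conn.get("protocol", "HTTP/1.1")
        findings.append({
            "port": conn.get("port"),
            "protocol": protocol,
            "implicit_selection": protocol == "HTTP/1.1",
            # None means the attribute is not present at all in this connector
            "allowUnsafeLegacyRenegotiation": conn.get("allowUnsafeLegacyRenegotiation"),
        })
    return findings


def format_findings(findings):
    """Render findings as one human-readable line each."""
    lines = []
    for f in findings:
        how = "IMPLICIT (depends on tcnative presence)" if f["implicit_selection"] else "explicit"
        lines.append(
            "port %s: protocol=%s [%s], allowUnsafeLegacyRenegotiation=%s"
            % (f["port"], f["protocol"], how, f["allowUnsafeLegacyRenegotiation"])
        )
    return lines


if __name__ == "__main__":
    for line in format_findings(audit_connectors(SAMPLE_SERVER_XML)):
        print(line)
```

Running it against the sample flags port 8443 as implicit and port 8444 as explicitly NIO; to pin the quoted connector to a specific implementation, add `protocol="org.apache.coyote.http11.Http11NioProtocol"` (or the APR or BIO class above) to its `<Connector>` element.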

