tomcat-users mailing list archives

From Pid <...@pidster.com>
Subject Re: How to limit the number of renegotiations for a single TLS / SSL connection
Date Sat, 09 Feb 2013 18:04:32 GMT
On 08/02/2013 15:05, Mark Thomas wrote:
> On 08/02/2013 14:34, Caldarale, Charles R wrote:
>>> From: dkumar@ccilindia.co.in [mailto:dkumar@ccilindia.co.in] 
>>> Subject: How to limit the number of renegotiations for a single TLS
>>> / SSL connection
>>
>>> We are using - Tomcat Version - 6.0.18
>>
>>> Please suggest the recommended solution for tomcat
>>
>> Try using a version of Tomcat that's newer than 4.5 years old.  Many
>> security-related fixes have gone in since then, and it's
>> irresponsible to expose your site to situations that have been
>> addressed years previously.  If you check the changelog, I think
>> you'll find this TLS issue was addressed quite some time ago; it may
>> require a JVM upgrade as well.
> 
> No, this is a different issue.

Not to disagree with Mark T... but the point about using old software is
still a good one.

 Tomcat 6.0.18 vs Tomcat 6.0.36

 OpenSSL 0.9.8k (25-Mar-2009) vs OpenSSL 0.9.8y (05-Feb-2013)


Focusing on particular issues like this, rather than addressing the big
picture and using a more recent build of OpenSSL and/or Tomcat (that
will carry many fixes) means the OP is probably Doing IT Wrong.


p

-- 

[key:62590808]
