tomcat-users mailing list archives

From Daniel Mikusa <>
Subject Re: 6.0.18, UNIX,
Date Fri, 08 Feb 2013 14:54:36 GMT
On Feb 8, 2013, at 4:23 AM, wrote:

> Hello to All,
> We are using -
> Tomcat Version - 6.0.18
> Operating System Version : HP-UX 11.31
> SSL Version -  OpenSSL 0.9.8k 25 Mar 2009
> Port - 8443
> By running the vulnerability assessment test we are getting the following
> observation
> The remote service encrypts traffic using TLS / SSL and permits clients to 
> renegotiate connections. The computational requirements for renegotiating 
> a connection are asymmetrical between the client and the server, with the 
> server performing several times more work. Since the remote host does not 
> appear to limit the number of renegotiations for a single TLS / SSL 
> connection, this permits a client to open several simultaneous connections 
> and repeatedly renegotiate them, possibly leading to a denial of service 
> condition.
> Please suggest the recommended solution for tomcat

First thing, upgrade Tomcat.  You're using a version that is really old and has known vulnerabilities. For a full list, see the link below.

Second, please post your connector configuration. 



> Thanks & Regards
> Deepak Kumar
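An added example, not part of the original thread and not Tomcat or OpenSSL code: the scanner finding quoted above turns on the server not limiting renegotiations per connection, so this sketch applies a per-connection sliding-window limit to a constructed stream of handshake events. The event format, the function name and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample: (seconds since start, connection id, event).
# The "handshake" event name is hypothetical, not a real server log format.
SAMPLE_EVENTS = [
    (0.0, "c1", "handshake"),
    (0.1, "c2", "handshake"),
    (0.5, "c2", "handshake"),
    (0.9, "c2", "handshake"),
    (1.3, "c2", "handshake"),
    (1.7, "c2", "handshake"),
    (2.0, "c3", "handshake"),
    (30.0, "c1", "handshake"),
    (95.0, "c1", "handshake"),
    (160.0, "c1", "handshake"),
]


def find_renegotiation_abuse(events, max_renegotiations=3, window=10.0):
    """Return {connection id: time the limit was exceeded}.

    The first handshake on a connection is the initial one; every later
    handshake on the same connection counts as a renegotiation. A connection
    is flagged once more than max_renegotiations fall inside `window` seconds.
    """
    seen_initial = set()
    recent = defaultdict(deque)  # connection -> renegotiation times in window
    flagged = {}
    for ts, conn, event in sorted(events):
        if event != "handshake" or conn in flagged:
            continue
        if conn not in seen_initial:
            seen_initial.add(conn)  # initial handshake, not a renegotiation
            continue
        times = recent[conn]
        times.append(ts)
        while times and ts - times[0] > window:
            times.popleft()  # drop renegotiations older than the window
        if len(times) > max_renegotiations:
            flagged[conn] = ts  # a server would close the connection here
    return flagged


if __name__ == "__main__":
    for conn, ts in find_renegotiation_abuse(SAMPLE_EVENTS).items():
        print(f"{conn}: renegotiation limit exceeded at t={ts}s")
```

In the sample, `c2` renegotiates four times within two seconds and is flagged, while `c1` renegotiates occasionally over a long-lived connection and is not.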
