Return-Path: 
 <users-return-239584-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
X-Original-To: apmail-tomcat-users-archive@www.apache.org
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 88222E49D
	for <apmail-tomcat-users-archive@www.apache.org>;
 Fri,  8 Feb 2013 15:14:04 +0000 (UTC)
Received: (qmail 68363 invoked by uid 500); 8 Feb 2013 15:14:01 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 68307 invoked by uid 500); 8 Feb 2013 15:14:00 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 68289 invoked by uid 99); 8 Feb 2013 15:14:00 -0000
Received: from minotaur.apache.org (HELO minotaur.apache.org) (140.211.11.9)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 08 Feb 2013 15:14:00 +0000
Received: from localhost (HELO [192.168.23.9]) (127.0.0.1)
  (smtp-auth username markt, mechanism plain)
  by minotaur.apache.org (qpsmtpd/0.29) with ESMTP;
 Fri, 08 Feb 2013 15:14:00 +0000
Message-ID: <5115162F.7060106@apache.org>
Date: Fri, 08 Feb 2013 15:13:51 +0000
From: Mark Thomas <markt@apache.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
 rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: How to limit the number of renegotiations for a single TLS /
 SSL connection
References: 
 <OFA75BD6C8.A329734D-ON65257B0C.004F11F4-65257B0C.004F9085@ccilindia.co.in>
In-Reply-To: 
 <OFA75BD6C8.A329734D-ON65257B0C.004F11F4-65257B0C.004F9085@ccilindia.co.in>
X-Enigmail-Version: 1.5
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

On 08/02/2013 14:28, dkumar@ccilindia.co.in wrote:
> Hello All,
> 
> We are using -
> Tomcat Version - 6.0.18
> Operating System Version : HP-UX 11.31
> SSL Version -  OpenSSL 0.9.8k 25 Mar 2009
> Port - 8443
> 
> By running the venerability assessment test we are getting the following 
> observation 
> 
> The remote service encrypts traffic using TLS / SSL and permits clients to 
> renegotiate connections. The computational requirements for renegotiating 
> a connection are asymmetrical between the client and the server, with the 
> server performing several times more work. Since the remote host does not 
> appear to limit the number of renegotiations for a single TLS / SSL 
> connection, this permits a client to open several simultaneous connections 
> and repeatedly renegotiate them, possibly leading to a denial of service 
> condition.
> 
> Please suggest the recommended solution for tomcat

To repeat what I have said privately on this topic:

<quote>
The Apache Tomcat security team has reviewed the available information
for CVE-2011-1473 and has performed some testing of Apache Tomcat
using one of the many tools that has be written to demonstrate this issue.

Our conclusions are:

- In terms of CPU usage there is not a large difference (same order of
magnitude) between a client creating multiple HTTPS connections and a
client creating a single HTTPS connection and repeatedly requesting
renegotiation. This is consistent with the findings / opinions of the
numerous SSL/TLS experts that have commented on this issue.

- Repeated renegotiation attempts from a single client can be detected
by a firewall.

- Multiple connection attempts from a client are easier for a firewall
to identify than multiple renegotiation requests.

- Client renegotiation is not permitted by the HTTP APR/native connector.

- It would be possible to add renegotiation rate limiting to the HTTP
BIO and NIO connectors but there is not a clear-cut case for doing this.


We would also draw your attention to the following text on the Apache
Tomcat website security pages [1]:

<quote>
Note that all networked servers are subject to denial of service
attacks, and we cannot promise magic workarounds to generic problems
(such as a client streaming lots of data to your server, or
re-requesting the same URL repeatedly). In general our philosophy is
to avoid any attacks which can cause the server to consume resources
in a non-linear relationship to the size of inputs.
</quote>

Further discussion of this issue, particularly the usefulness of
adding renegotiation rate-limiting to the the HTTP BIO and NIO
connectors, should take place on the public Tomcat users mailing list.

Mark
on behalf of the Apache Tomcat security team
</quote>

With all the above in mind is there an argument for introducing
renegotiation rate limiting for BIO and NIO? Or do we just say if you
are bothered about CVE-2011-1473, use APR.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org