From: Christopher Schultz
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: How to limit the number of renegotiations for a single TLS / SSL connection
Date: Sat, 09 Feb 2013 08:33:35 -0500
Message-ID: <5116502F.3080705@christopherschultz.net>
References: <5115162F.7060106@apache.org>

Deepak,

On 2/9/13 4:05 AM, dkumar@ccilindia.co.in wrote:
> we have not specified any specific connector protocol in the
> connector tag, does that mean we are using the native APR connector, and
> if it is so, then as renegotiation is not permitted in APR why does the VA
> tool say renegotiation DoS vulnerability, and it would be of great
> help if you explain how to implement the HTTP NIO or BIO connector to
> handle this renegotiation issue.

The default connector depends upon your system configuration. I believe if you have APR/tcnative available, Tomcat will use that and you'll get an APR/HTTP connector. Otherwise, you'll get the BIO connector. You have to specifically request the NIO connector.

> ciphers="Some cipher" allowUnsafeLegacyRenegotiation="false"
> maxThreads="5" scheme="https" secure="false" clientAuth="false"
> sslProtocol="TLS" keystoreFile="cert.key" keystorePass="password"
> />

Using the APR connector for SSL will be much faster than either BIO or NIO.
-chris
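To make "specifically request the NIO connector" concrete, here is a constructed server.xml fragment (added to this archive page, not part of the thread) showing the two connector choices selected explicitly with the `protocol` attribute, each with its own renegotiation switch. Ports, file paths and the keystore password are placeholders, the attribute names are the Tomcat 7-era connector attributes, and the APR variant assumes tcnative is installed on the library path.

```xml
<!-- server.xml fragment (constructed example). Enable only ONE of the two
     Connectors below; they are shown on the same port for comparison. -->

<!-- Explicitly request the NIO connector (JSSE-based SSL). If protocol is
     left as "HTTP/1.1", Tomcat chooses APR when tcnative is available and
     BIO otherwise, so the connector in use depends on the host. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https" secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="conf/keystore.jks"
           keystorePass="changeit"
           allowUnsafeLegacyRenegotiation="false" />

<!-- Explicitly request the APR/native connector (OpenSSL-based). The JSSE
     keystore attributes do not apply here: APR takes PEM certificate and
     key files, and the renegotiation switch has a different name. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https" secure="true"
           SSLCertificateFile="conf/server.crt"
           SSLCertificateKeyFile="conf/server.key"
           SSLInsecureRenegotiation="false" />
```

Both `allowUnsafeLegacyRenegotiation` and `SSLInsecureRenegotiation` only decide whether pre-RFC 5746 (insecure) renegotiation is accepted; neither puts a cap on how many secure renegotiations a single connection may perform, so a scanner that counts renegotiations will not be satisfied by them alone.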