On Sat, Nov 7, 2009 at 8:59 AM, Mark Thomas <ma...@apache.org> wrote:
> All,
>
> I was thinking about this on my way back from ApacheCon and we probably
> need to get some advice out to users early next week.
>
> My current understanding is that the MITM attack is triggered by a
> renegotiation.
>
> On this basis I suggest something along the following lines:
>
> SSL using JSSE (BIO and NIO connectors)
> - Don't use SSL configs that require renegotiation. i.e. SSL config
> should be the same for the entire host. Sites that require SSL in some
> places and SSL + CLIENT-CERT in others will require reconfiguration.
> Sites that require SSL for some parts should be OK.
> - Keep watch for a Sun update to the JDK that may help address the issue

Also IBM, BEA, Apple etc. I'm not sure if JSSE is something Sun
licenses to everyone, or if other JVMs have their own implementation
(maybe OpenSSL based?). Harmony presumably does, though no idea if
it's OpenSSL or clean room (couldn't see anything on a vague browse
through their svn).

> SSL using tc Native
> - tcnative does not support renegotiation
> (https://issues.apache.org/bugzilla/show_bug.cgi?id=46950) so for now
> users of tc native with SSL should be OK

+1

> We also need to think about what to do with tc native. Maybe something like:
> - release 1.1.17 with binaries built with 0.9.8l (so renegotiation is
> disabled)
> - keep an eye on httpd and if they find a work-around, copy it and
> release 1.1.18 with renegotiation enabled

Plus keeping an eye on the next openssl version for
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
?

Hen
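The reconfiguration the thread recommends for JSSE connectors, as an added illustration that is not part of either message above: in Tomcat, a web.xml security constraint that demands CLIENT-CERT on only some paths is satisfied by asking for the certificate after the initial handshake, which is exactly the renegotiation the MITM attack exploits. Requesting the client certificate at the connector level instead makes it part of the initial handshake for the whole host, so no renegotiation is needed. The keystore path, password, hostname, port and URL pattern below are placeholders chosen for the example, not values from the thread or from a Tomcat release.

```xml
<!-- BEFORE (triggers renegotiation): connector does not ask for a client
     certificate, so a per-path CLIENT-CERT constraint forces Tomcat to
     re-handshake on the already-established connection. -->
<!-- server.xml (placeholder keystore values) -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="conf/example-keystore.jks"
           keystorePass="changeit-placeholder"
           clientAuth="false" sslProtocol="TLS" />

<!-- web.xml: only /secure/* requires a client certificate -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Client cert area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>certholder</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<!-- AFTER (no renegotiation): the connector requests the client
     certificate during the initial handshake for every request on this
     host, so the CLIENT-CERT login method never has to renegotiate.
     clientAuth="true" rejects connections without a certificate;
     clientAuth="want" requests one but still accepts anonymous clients. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="conf/example-keystore.jks"
           keystorePass="changeit-placeholder"
           truststoreFile="conf/example-truststore.jks"
           truststorePass="changeit-placeholder"
           clientAuth="true" sslProtocol="TLS" />
```

With the "after" connector the web.xml constraint can stay as it is; the certificate is already on the session when the constraint is evaluated. Sites that cannot demand a certificate from every client on a host need a separate host or port for the certificate-protected content, which is the "same SSL config for the entire host" rule stated above.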

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org