2009/11/10 <ma...@apache.org>:
> Author: markt
> Date: Tue Nov 10 16:57:29 2009
> New Revision: 834544
>
> URL: http://svn.apache.org/viewvc?rev=834544&view=rev
> Log:
> Proposal for cve-2009-3555 work-around
>
> Modified:
> tomcat/tc6.0.x/trunk/STATUS.txt
>
> +
> +* Disable TLS renegotiation be default with an option to re-enable it
> + Based on Costin's patch for trunk with Mark's modifications
> + http://people.apache.org/~markt/patches/2009-11-10-cve-2009-3555-tc6.patch
> + +1: markt
> + -1:
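Review bot: the proposal line "Disable TLS renegotiation be default with an option to re-enable it" has a typo ("be default" should be "by default") and does not say which connectors the work-around covers or which option re-enables renegotiation; since this STATUS entry is what gets voted on, naming the connector scope and the option would let reviewers judge the change without opening the linked patch. Suggest: "* Disable TLS renegotiation by default with an option (<option name>) to re-enable it; applies to <connector scope>".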
My understanding of the patch is that it disables any renegotiation, either client-initiated or server-initiated, for connectors based on JSSE.

Shouldn't there be an option to selectively enable server-initiated renegotiation? E.g., to reset the listener if we are really expecting a re-handshake, like JSSESupport class does with its handshake listener in JSSESupport#handShake().

Also, just a note, my understanding is that it won't help for Nio connectors (those using the second constructor of JSSESupport class, where there is session, but no socket). Those are ultimately based on SecureNioChannel class and javax.net.ssl.SSLEngine. Something else should be needed there.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
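The listener-based approach discussed in this thread, sketched in plain JSSE as an added example (this is not Tomcat's code and not the linked patch): a HandshakeCompletedListener counts completed handshakes on a server-side SSLSocket, lets the first one through, and drops the connection on any later one unless the server itself announced a re-handshake beforehand. `RenegotiationGuard` and `expectServerInitiatedHandshake()` are hypothetical names; as the reply notes, this socket-level guard does not cover SSLEngine-based NIO connectors.

```java
import java.io.IOException;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLSocket;

/**
 * Hypothetical guard (not Tomcat's implementation): allows the initial
 * handshake, refuses client-initiated renegotiation by closing the socket,
 * and permits a renegotiation only when the server announced it first.
 */
public final class RenegotiationGuard implements HandshakeCompletedListener {
    private int completedHandshakes = 0;
    private boolean serverInitiatedPending = false;

    @Override
    public synchronized void handshakeCompleted(HandshakeCompletedEvent event) {
        completedHandshakes++;
        if (completedHandshakes == 1) {
            return; // initial handshake: always allowed
        }
        if (serverInitiatedPending) {
            serverInitiatedPending = false; // one-shot permission consumed
            return;
        }
        // A second handshake nobody on the server side asked for: treat it
        // as client-initiated renegotiation and tear the connection down.
        try {
            event.getSocket().close();
        } catch (IOException ignored) {
            // socket is being discarded anyway
        }
    }

    /** Server code calls this immediately before it deliberately re-handshakes
     *  (for example to request a client certificate), then startHandshake(). */
    public synchronized void expectServerInitiatedHandshake() {
        serverInitiatedPending = true;
    }

    /** Attach the guard to an accepted server-side socket before first use. */
    public static RenegotiationGuard attach(SSLSocket socket) {
        RenegotiationGuard guard = new RenegotiationGuard();
        socket.addHandshakeCompletedListener(guard);
        return guard;
    }
}
```

Usage: `RenegotiationGuard g = RenegotiationGuard.attach(socket);` right after accept, and `g.expectServerInitiatedHandshake(); socket.startHandshake();` wherever the server intentionally re-handshakes.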