Re: SSL & Tomcat

Wed, 11 Nov 2009 08:25:33 -0800 

On 11/11/2009 12:11 AM, Costin Manolache wrote:

openssl s_client ...
Type "R" ( to renegotiate ).

Unfortunately renegotiation is handled transparently and did work quite
well...

bummer, I will see what needs to be done today.

Costin

On Tue, Nov 10, 2009 at 10:53 PM, Filip Hanik - Dev Lists<
devli...@hanik.com>  wrote:


I don't think NIO allows a renegotiation as it is today. I will have to
look deeper in the code. But I think the negotiation is a one time deal per
connection. I will look closer.

Filip


On 11/07/2009 09:59 AM, Mark Thomas wrote:


All,

I was thinking about this on my way back from ApacheCon and we probably
need to get some advice out to users early next week.

My current understanding is that the MITM attack is triggered by a
renegotiation.

On this basis I suggest something along the following lines:

SSL using JSSE (BIO and NIO connectors)
- Don't use SSL configs that require renegotiation. i.e. SSL config
should be the same for the entire host. Sites that require SSL in some
places and SSL + CLIENT-CERT in others will require reconfiguration.
Sites that require SSL for some parts should be OK.
- Keep watch for a Sun update to the JDK that may help address the issue

SSL using tc Native
- tcnative does not support renegotiation
(https://issues.apache.org/bugzilla/show_bug.cgi?id=46950) so for now
users of tc native with SSL should be OK


We also need to think about what to do with tc native. Maybe something
like:
- release 1.1.17 with binaries built with 0.9.8l (so renegotiation is
disabled)
- keep an eye on httpd and if they find a work-around, copy it and
release 1.1.18 with renegotiation enabled

For now, I'm not proposing any changes to the docs although we may want
to put a summary of the advice - once agreed - on the security pages.

Thoughts?

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org






---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org





---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to