https://issues.apache.org/bugzilla/show_bug.cgi?id=55536

Ralf Hauser <hau...@acm.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|allow to disable Secure     |allow to disable Secure
                   |Client-Initiated            |Client-Initiated
                   |Renegotiation - DOS risk    |Renegotiation in Java TLS -
                   |                            |DOS risk

--- Comment #2 from Ralf Hauser <hau...@acm.org> ---
This RFE is not about APR, but the Java side of SSL/TLS.
But even then, I am not going to argue with you about renegotiation rate limit
meaningfulness - I leave that to Qualys and their SSL Labs.

At least in Tomcat v>=7, it appears this might be relatively easily doable with
overwriting JSSEImplementation
    public SSLSupport getSSLSupport(Socket s) {
    }
and doing the setEnabledCipherSuites(new String[0]).
Then put your new class into "sslImplementationName" as per
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL%20Support

Does this sound right?

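
An added example, not code from the bug report or from Tomcat: the setEnabledCipherSuites(new String[0]) idea from comment #2, shown on a plain JSSE server socket rather than inside a JSSEImplementation subclass. The class name, method name and port are hypothetical, and the key material is assumed to come from the standard javax.net.ssl.keyStore system properties.

```java
import java.io.IOException;
import java.io.InputStream;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

// Added illustration (hypothetical class name); plain JSSE, no Tomcat classes.
public class NoRenegotiationServer {

    // Finish the initial handshake, then leave the socket with no enabled
    // cipher suites. A later ClientHello on this connection cannot be matched
    // to any suite, so a client-initiated renegotiation fails and the
    // connection is closed instead of costing another full handshake.
    static void handshakeThenLock(SSLSocket socket) throws IOException {
        socket.startHandshake();                      // blocks until the first handshake is done
        socket.setEnabledCipherSuites(new String[0]); // same thread, before any application data is read
    }

    public static void main(String[] args) throws IOException {
        // Assumption: started with -Djavax.net.ssl.keyStore=... and
        // -Djavax.net.ssl.keyStorePassword=...; port 8443 is arbitrary.
        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(8443)) {
            while (true) {
                try (SSLSocket socket = (SSLSocket) server.accept()) {
                    handshakeThenLock(socket);
                    InputStream in = socket.getInputStream();
                    byte[] buf = new byte[4096];
                    long total = 0;
                    int n;
                    while ((n = in.read(buf)) != -1) {
                        total += n; // request handling would go here
                    }
                    System.out.println("peer closed after " + total + " bytes");
                } catch (IOException e) {
                    // A renegotiation attempt ends up here as a handshake failure.
                    System.err.println("connection dropped: " + e.getMessage());
                }
            }
        }
    }
}
```

A HandshakeCompletedListener could make the same call, but JSSE delivers that callback on a separate thread, so this sketch makes the call inline once startHandshake() has returned.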