https://issues.apache.org/bugzilla/show_bug.cgi?id=55536
Ralf Hauser <hau...@acm.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|allow to disable Secure |allow to disable Secure |Client-Initiated |Client-Initiated |Renegotiation - DOS risk |Renegotiation in Java TLS - | |DOS risk --- Comment #2 from Ralf Hauser <hau...@acm.org> --- This RFE is not about APR, but the Java side of SSL/TLS. But even then, I am not going to argue with you about renegotiation rate limit meaningfulness - I leave the to qualsys and their ssllabs. At least in Tomcat v>=7, it appears this might be relatively easily doable with overwriting JSSEImplementation public SSLSupport getSSLSupport(Socket s) { } and doing the setEnabledCipherSuites(new String[0]) . Then put your new class into "sslImplementationName" as per http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL%20Support Does this sound right? -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org