On Nov 26, 2012, at 3:36 PM, Hermes Flying wrote:
> Hi,
> I am running Tomcat 5.35 and I got a report that it is vulnerable to SSL
> client renegotiation DoS.
>
> You notein your docs that this is not a Tomcat issue per se, but JSSE issue.
> Please note that allowUnsafeLegacyRenegotiation is set to false.
Are you using the BIO connector? This option is specific to that connector.
It would be helpful if you could share your connector configuration.
What version of the JVM are you using? Can you upgrade to a version that
resolves this issue?
Dan
> Looking into the source code I see the following:
>
> public void handshake(Socket sock) throws IOException {
>
> ((SSLSocket)sock).startHandshake();
>
> if(!allowUnsafeLegacyRenegotiation) {
> // disable all ciphers, avoiding any subsequent handshake
> ((SSLSocket)sock).setEnabledCipherSuites(new String[0]);
> }
> }
>
> Also looking into Tomcat6/7 source code I see that the only difference is to
> check for existence of TLS_EMPTY_RENEGOTIATION_INFO_SCSV in JSSE.
>
> But other than that the logic is the same. So I can only assume that
> upgrading to Tomcat 6 would not solve my problem.
> Since I have verified via debugging also that allowUnsafeLegacyRenegotiation
> is indeed false, why do I get reports on SSL client renegotiation
> vulnerability?
>
>
> I see in your notes (http://tomcat.apache.org/security-5.html) that:
> Requires JRE that supports RFC 5746. For Oracle JRE that is known to be 6u22
> or later.
>
>
> But as I understand the code, even if JRE does not support the RFC you still
> disable the handshake with your "hack" to set no enable ciphers
>
>
> Is this a Java/JSSE problem? What can I do? Can you please help me?
>
>
> Thank you!
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
