On Feb 8, 2013, at 4:23 AM, dku...@ccilindia.co.in wrote:

> Hello to All,
>
> We are using -
> Tomcat Version - 6.0.18
> Operating System Version : HP-UX 11.31
> SSL Version - OpenSSL 0.9.8k 25 Mar 2009
> Port - 8443
>
> By running the vulnerability assessment test we are getting the following
> observation
>
> The remote service encrypts traffic using TLS / SSL and permits clients to
> renegotiate connections. The computational requirements for renegotiating
> a connection are asymmetrical between the client and the server, with the
> server performing several times more work. Since the remote host does not
> appear to limit the number of renegotiations for a single TLS / SSL
> connection, this permits a client to open several simultaneous connections
> and repeatedly renegotiate them, possibly leading to a denial of service
> condition.
>
> Please suggest the recommended solution for tomcat

First thing, upgrade Tomcat. You're using a version that is really old and has known vulnerabilities. For a full list, see the link below.

https://tomcat.apache.org/security.html

Second, please post your connector configuration.

Thanks

Dan

> Thanks & Regards
> Deepak Kumar
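
The per-connection limit that the scan finding says is missing, shown as an added example (not part of the thread and not Tomcat's own code): it counts handshakes per connection in a sliding window and flags any connection that exceeds a renegotiation budget. The event format, the function names and the budget of 3 renegotiations per 600 seconds are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values (not from the thread): at most RENEG_LIMIT
# renegotiations per connection within RENEG_WINDOW seconds.
RENEG_LIMIT = 3
RENEG_WINDOW = 600.0

# Constructed sample events: "<epoch-seconds> <connection-id> handshake".
# The first handshake on a connection is the initial one; later handshakes
# on the same connection are renegotiations.
SAMPLE_EVENTS = """\
1000.0 conn-a handshake
1000.5 conn-b handshake
1001.0 conn-b handshake
1001.2 conn-b handshake
1001.4 conn-b handshake
1001.6 conn-b handshake
1700.0 conn-a handshake
2400.0 conn-a handshake
3100.0 conn-a handshake
3800.0 conn-a handshake
"""

def parse_events(text):
    """Yield (timestamp, connection_id) for each well-formed handshake line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == "handshake":
            try:
                yield float(parts[0]), parts[1]
            except ValueError:
                continue  # skip lines with a malformed timestamp

def connections_over_budget(events, limit=RENEG_LIMIT, window=RENEG_WINDOW):
    """Return {connection_id: time at which it first exceeded the budget}."""
    seen_initial = set()
    recent = defaultdict(deque)  # connection -> renegotiation times in window
    flagged = {}
    for ts, conn in sorted(events):
        if conn not in seen_initial:
            seen_initial.add(conn)  # the initial handshake is not counted
            continue
        times = recent[conn]
        times.append(ts)
        while times and ts - times[0] > window:
            times.popleft()  # forget renegotiations outside the window
        if len(times) > limit and conn not in flagged:
            flagged[conn] = ts  # a server would close the connection here
    return flagged
```

In the sample, conn-b renegotiates four times within one second and is flagged, while conn-a renegotiates at long intervals and stays within the budget.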