On 16/05/2013 15:56, Michael Martin wrote:
> Ah ok, that's a little clearer then. Here's the full stack trace:
>
> 2013-05-16 12:31:18,334 [main] ERROR org.apache.catalina.connector.Connector
> - Protocol handler instantiation failed
> java.lang.ClassNotFoundException: Http11NioProtocol

OK. There is nothing unusual going on in that code. The problem looks to
be with your server.xml.

> Our auditors actually raised the issue with us, claiming it is a
> vulnerability of ours.

With what justification? It is beginning to look like a false positive
and I'd expect anyone doing auditing to know better.

> We then used the method here to check the port, which shows Renegotiation is
> supplied.
>
> http://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html

That looks to be correct for the time it was written but that was more
than three years ago.

> SSL handshake has read 5985 bytes and written 511 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : DHE-RSA-AES256-GCM-SHA384

There is no vulnerability there.
"Secure renegotiation" != "Insecure renegotiation"

That certainly looks to be an RFC5746 compliant renegotiation.

Mark
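
Added example, not part of the original message or of Tomcat: a Python check that triages the `openssl s_client` summary quoted in the thread, separating "Secure Renegotiation IS supported" (RFC 5746) from results that need a manual look before being reported. The function name, the verdict labels and the TLS 1.3 and legacy sample outputs are assumptions constructed for illustration.

```python
import re

# Constructed sample: the s_client summary quoted in the thread.
SAMPLE_THREAD = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
"""
# Constructed samples for the other two cases (not from the thread).
SAMPLE_TLS13 = """\
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.3
"""
SAMPLE_LEGACY = """\
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
"""

RENEG_RE = re.compile(r"^Secure Renegotiation IS (NOT )?supported\s*$", re.M)
PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)

def classify_renegotiation(s_client_output):
    """Return (verdict, reason) for one `openssl s_client` summary."""
    reneg = RENEG_RE.search(s_client_output)
    proto = PROTO_RE.search(s_client_output)
    version = proto.group(1) if proto else "unknown"
    if reneg is None:
        return "unknown", "no renegotiation line; handshake may have failed"
    if reneg.group(1) is None:
        return "secure", f"RFC 5746 extension negotiated ({version})"
    if version == "TLSv1.3":
        return "not-applicable", "TLS 1.3 has no renegotiation"
    # Extension absent: not proof of a flaw, the server may refuse
    # renegotiation outright. Needs a manual check before reporting.
    return "review", f"no RFC 5746 extension seen on {version}"

if __name__ == "__main__":
    for name, text in [("thread", SAMPLE_THREAD), ("tls13", SAMPLE_TLS13),
                       ("legacy", SAMPLE_LEGACY)]:
        print(name, *classify_renegotiation(text))
```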