Dear all,
I just installed the tomcat-native-1.1.19 APR connector alongside
tomcat-6.0.20, since my understanding of its CHANGELOG.txt is that the
renegotiation vulnerability should be gone when using this APR connector,
despite my openssl version being below 0.9.8l (since I'm on
CentOS/RHEL5).
It installed fine, tomcat runs fine too, the APR connector is used (according
to catalina.out), everything seems shiny BUT:
<code>
7:j...@eluveitie:~> openssl s_client -connect 10.0.8.193:8443
CONNECTED(00000003)
[...]
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 3A9B50B20A6B3F62DE137E5642240DE0018863D3ED86B8EADAA5E46436D589E5
Session-ID-ctx:
Master-Key: C579C042442C519FE02CF96A050EDAAD208C421E2FD1CA6E20DC818A13A7ABC5306AACFFDF36A440A3E1FED43CCDCB59
Key-Arg : None
Start Time: 1263572654
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
GET / HTTP/1.0
Host:evil.com
R
RENEGOTIATING
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
verify error:num=19:self signed certificate in certificate chain
verify return:0
5253:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
</code>
the GET / HTTP/1.0 until the "R" is manually inserted, I expect something
like
<code>
2860:error:1409444C:SSL routines:SSL3_READ_BYTES:tlsv1 alert no renegotiation:./ssl/s3_pkt.c:1053:SSL alert number 100
</code>
but certainly no RENEGOTIATION. Any hints?
System is CentOS 5.4, packages:
openssl-0.9.8e-12.el5
apr-devel-1.2.7-11.el5_3.1
apr-1.2.7-11.el5_3.1
thanks in advance! (probably will be afk for the weekend)
regards
Jens Neu
Health Services Network Administration
Phone: +49 (0) 30 68905-2412
Mail: [email protected]
www.biotronik.com
BIOTRONIK SE & Co. KG
Woermannkehre 1, 12359 Berlin, Germany
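As an added example (not part of the original post), a small classifier for openssl s_client transcripts of the kind shown above. Note that s_client prints RENEGOTIATING itself as soon as "R" is typed, before the server has answered, so that line alone does not show whether the server accepted the renegotiation; what follows it does. The transcripts below are constructed from the two outputs in the post plus a hypothetical accepted case, and the "accepted" rule (no SSL error after RENEGOTIATING) is a heuristic.

```python
import re

# Constructed sample transcripts (only the part after 'R' was typed).
# Modelled on the post: refused via TLS alert 100 (what the poster expected) ...
REFUSED_WITH_ALERT = """RENEGOTIATING
2860:error:1409444C:SSL routines:SSL3_READ_BYTES:tlsv1 alert no renegotiation:./ssl/s3_pkt.c:1053:SSL alert number 100
"""

# ... refused by the handshake simply failing (what the poster observed) ...
HANDSHAKE_FAILURE = """RENEGOTIATING
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/CN=Thawte Premium Server CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
5253:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
"""

# ... and a hypothetical server that completed the renegotiation and then
# answered the request: the second handshake re-prints the verify lines and
# no SSL error appears.
RENEGOTIATED = """RENEGOTIATING
depth=0 /CN=example.test
verify return:1
HTTP/1.1 200 OK
"""

# OpenSSL 0.9.8-style error line: "<pid>:error:<8 hex digits>:SSL routines:..."
SSL_ERROR = re.compile(r"error:[0-9A-Fa-f]{8}:SSL routines:")
NO_RENEG_ALERT = re.compile(r"alert no renegotiation|SSL alert number 100")


def classify_renegotiation(transcript: str) -> str:
    """Classify what happened after 'R' was typed in s_client.

    Returns 'not-attempted', 'refused-alert', 'refused-failure' or 'accepted'.
    """
    if "RENEGOTIATING" not in transcript:
        return "not-attempted"
    # Only the server's reaction after s_client announced the renegotiation counts.
    after = transcript.split("RENEGOTIATING", 1)[1]
    if NO_RENEG_ALERT.search(after):
        return "refused-alert"        # server sent no_renegotiation (alert 100)
    if SSL_ERROR.search(after):
        return "refused-failure"      # second handshake aborted with an SSL error
    return "accepted"                 # heuristic: handshake completed, no error


def renegotiation_allowed(transcript: str) -> bool:
    """True only if the server completed the client-initiated renegotiation."""
    return classify_renegotiation(transcript) == "accepted"
```

Both refused outcomes mean the client-initiated renegotiation did not complete; only "accepted" indicates the server still honours it.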