On 24/01/2010 13:12, yosi izaq wrote:
On Sun, Jan 24, 2010 at 1:36 PM, yosi izaq<izaq...@gmail.com> wrote:
Hi,
I'm an eng. working on a security product that also uses Tomcat for
Web-server functionality.
I'm concerned with the known TLS renegotiation MitM vulnerability.
I would like to ask whether there's a Tomcat version that contains a fix to
the issue?- Say by disabling TLS renegotiation by default and adding a
configuration parameter for enabling it if needed.
I did some searching on mail traffic and saw some SVN mentions of such a
possible fix, so I hope that a fix is either planned or already released.
TIA,
Yosi Izaq
Cisco R&D
Hi,
I've found mention of this record - CVE-2009-3555.
According to that the BIO fix is made avialable in version 6.0.21. Is that
correct?- Is the fix also available on version 6.0.18?
TIA,
Yosi
6.0.24 has just been released, it is the best available version.
Your Connector config will determine which fix you need to employ.
If you are using APR then you need to upgrade your SSL library (e.g.
openssl) to the appropriate version.
If you are using the Java based connectors then search the archive for
the recent and detailed discussions on this topic.
p
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
