The last piece of the puzzle is what connector is used by default. According to 6.0.x docs it's BIO: "The default value is HTTP/1.1 and configures the org.apache.coyote.http11.Http11Protocol. This is the blocking Java connector.".
That, together with your helpful & prompt responses allows me to devise a quick mitigation plan for the vulnerability - i.e. switch to NIO (with the extra bonus of better performance, so what's not to like?)

Thanks so much Pid,
Yosi

On Sun, Jan 24, 2010 at 5:58 PM, Pid <p...@pidster.com> wrote:
> On 24/01/2010 14:26, yosi izaq wrote:
>
>> response Inline.
>>
>> 10x 4 the prompt answer!
>> Yosi
>>
>>
>> 6.0.24 has just been released, it is the best available version.
>>
>> Your Connector config will determine which fix you need to employ.
>>
>> [Yosi] I'm new to Tomcat. Do you refer to org.apache.coyote.http11
>> parameter of the connector's CTOR?
>>
>
> Yes, there are 3 connector variants:
>
> AJP Connector - for use with Apache HTTPDs mod_jk or mod_proxy_ajp
> BIO Connector
> NIO Connector
>
>
>> If you are using APR then you need to upgrade your SSL library (e.g.
>> openssl) to the appropriate version.
>>
>> If you are using the Java based connectors then search the archive
>> for the recent and detailed discussions on this topic.
>>
>> [Yosi] According to archive NIO doesn't support renegotiation so the
>> issue is not relevant to NIO. Is my understanding correct?
>>
>
> Yes, this is correct.
>
>
> p
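Added illustration, not part of the original thread: the server.xml Connector change that the mitigation plan above describes, written with the Connector attribute names documented for Tomcat 6.0.x. The keystore path and password are placeholders and port 8443 is only an example; the "before" fragment shows the HTTP/1.1 alias that the thread identifies as resolving to the blocking Http11Protocol, the "after" fragment names the NIO implementation class explicitly.

```xml
<!-- Added example, not from the thread: Tomcat 6.0.x server.xml fragments.
     Keystore path and password are placeholders; port 8443 is just an example. -->

<!-- Before: protocol="HTTP/1.1" maps to org.apache.coyote.http11.Http11Protocol,
     the blocking (BIO) connector the thread identifies as the default. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/PLACEHOLDER/path/to/keystore.jks"
           keystorePass="PLACEHOLDER" />

<!-- After: select the NIO connector by naming its implementation class
     instead of relying on the HTTP/1.1 alias. The SSL attributes are unchanged;
     only the protocol attribute differs. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/PLACEHOLDER/path/to/keystore.jks"
           keystorePass="PLACEHOLDER" />
```

One check worth doing after the restart: confirm which protocol class the connector actually loaded (the Connector MBean exposes the protocol attribute under JMX, and the startup log names the connector as it initialises), because the bare HTTP/1.1 alias is also documented to resolve to the APR connector rather than BIO when the Tomcat native library is present, which would put you on the OpenSSL upgrade path Pid mentions instead of the Java one. Naming Http11NioProtocol explicitly removes that ambiguity.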