Mark,

2011/1/28 Mark Thomas <ma...@apache.org>
> On 28/01/2011 19:00, Olaf Tomczak wrote:
> > Hello,
> >
> > Does Tomcat support the so-called "secure TLS renegotiation"? If so, what
> > should I configure to use it?
> > Currently, when connecting to my application using a secure connection, most
> > browsers complain about my server software being "very old" and insecure
> > because of the lack of this feature.
> >
> > I'm using Tomcat 6.0.29 on linux/freebsd.
>
> Yes, if the JVM supports it.
>
> You'll probably need to enable Tomcat's allowLegacyRenegotiation feature,
> else Tomcat will block all renegotiation.

I googled "allowLegacyRenegotiation" and found this article:
http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html

It describes the following two system properties:

sun.security.ssl.allowUnsafeRenegotiation - Introduced in Phase 1, this controls whether legacy (unsafe) renegotiations are permitted.

sun.security.ssl.allowLegacyHelloMessages - Introduced in Phase 2, this allows the peer to handshake without requiring the proper RFC 5746 messages.

Are these what you meant?

Thanks for your help,
Olaf

> That needs a rename to
> allowRenegotiation in light of how Oracle decided to fix this.
> Unfortunately Oracle went for system-wide system properties rather than
> providing an API to let folks control it per socket or connection.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
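As an added example (not part of the thread, and not Tomcat's or Oracle's code), here is a POSIX shell check an administrator can run against the Tomcat HTTPS connector to see whether the JVM is actually offering RFC 5746 secure renegotiation, which is the feature the browsers in the question are complaining about. It keys on the status line that `openssl s_client` prints after the handshake ("Secure Renegotiation IS supported" / "IS NOT supported"). The sample outputs below are constructed so the classifier can be exercised offline; `check_server` needs network access and the openssl CLI.

```shell
#!/bin/sh
# Added example: classify a TLS server's renegotiation support from
# `openssl s_client` output. A server whose JVM implements RFC 5746
# includes the renegotiation_info extension in its ServerHello, and
# s_client reports that as "Secure Renegotiation IS supported".

# Read s_client output on stdin and print one of: secure | insecure | unknown
renegotiation_status() {
    out=$(cat)
    case "$out" in
        *'Secure Renegotiation IS supported'*)     echo secure ;;
        *'Secure Renegotiation IS NOT supported'*) echo insecure ;;
        *)                                         echo unknown ;;
    esac
}

# Live check against a host. Usage: check_server tomcat.example.org [8443]
# (hostname and port are placeholders; substitute your connector's address)
check_server() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | renegotiation_status
}

# Constructed sample outputs, trimmed to the lines that matter.
SAMPLE_SECURE='---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
---'

SAMPLE_INSECURE='---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
---'

# What you get when the connection never completes a handshake.
SAMPLE_FAILED='connect:errno=111'

printf '%s\n' "$SAMPLE_SECURE"   | renegotiation_status   # secure
printf '%s\n' "$SAMPLE_INSECURE" | renegotiation_status   # insecure
printf '%s\n' "$SAMPLE_FAILED"   | renegotiation_status   # unknown
```

A result of "insecure" on a JVM that is supposed to support RFC 5746 usually means the JVM is too old or the behaviour has been changed via the sun.security.ssl.* properties from the Oracle readme above; since those are JVM-wide system properties, the place to set or inspect them for Tomcat is the JVM command line (e.g. CATALINA_OPTS in setenv.sh), not server.xml.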