This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/main by this push:
new 28aa8ef2c Add renegotiation info
28aa8ef2c is described below
commit 28aa8ef2c9360dcdcb9f2386224146ebce0c36f2
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Jun 30 08:35:50 2022 +0100
Add renegotiation info
---
TODO.txt | 14 ---------
xdocs/miscellaneous/changelog.xml | 7 ++---
xdocs/miscellaneous/project.xml | 1 +
xdocs/miscellaneous/tls-renegotiation.xml | 49 +++++++++++++++++++++++++++++++
xdocs/news/project.xml | 3 +-
xdocs/project.xml | 3 +-
6 files changed, 57 insertions(+), 20 deletions(-)
diff --git a/TODO.txt b/TODO.txt
index 6570c9535..ed95823ce 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -21,20 +21,6 @@
TODO
-SSL Renegotiation
------------------
-
-It is unclear to me, what the current state is. It looks like we support
-the unsafe legacy reneg whenever the OpenSSL used during build time
-supports it. There is no configuration option to switch it off during
-runtime. Right?
-
-Is it correct, that client initiated reneg is not supported and thus the
-known attacks will not work even with old OpenSSL?
-
-Should we add a remark about this topic to the docs?
-
-
Releasing
---------
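Review bot: the removed TODO asks two concrete questions (is there a runtime switch for unsafe legacy renegotiation, and is client initiated renegotiation unsupported) that the new tls-renegotiation.xml page only partly answers: it states that client initiated renegotiation is hard-coded off, but for unsafe legacy renegotiation it only says support "depends on OpenSSL" at build time and is silent on whether a runtime option exists. If the answer to "There is no configuration option to switch it off during runtime. Right?" is yes, say so explicitly in the new page before deleting the question here, so the open point is not lost with the TODO entry.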
diff --git a/xdocs/miscellaneous/changelog.xml
b/xdocs/miscellaneous/changelog.xml
index 50e78669d..cef5f2864 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -23,10 +23,6 @@
&project;
- <properties>
- <author email="[email protected]">Jean-Frederic Clere</author>
- </properties>
-
<body>
<section name="Preface">
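Review bot: the removal of the `<properties>` / `<author email=...>Jean-Frederic Clere</author>` block is unrelated to the commit's stated purpose ("Add renegotiation info") and is not mentioned in the commit message or the changelog entry. Either split it into its own commit or add a line to the commit message explaining why the author metadata is being dropped from changelog.xml, so the history stays reviewable.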
@@ -57,6 +53,9 @@
10.1.x to support the use of OpenSSL as a replacement for JSSE to provide
TLS functionality. (markt)
</design>
+ <docs>
+ Document the TLS rengotiation behaviour. (markt)
+ </docs>
</changelog>
</section>
<section name="Changes in 1.2.x">
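Review bot: typo in the added `<docs>` entry: "Document the TLS rengotiation behaviour. (markt)" should read "renegotiation". Since the changelog is the user-facing record of the change, fix it before release.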
diff --git a/xdocs/miscellaneous/project.xml b/xdocs/miscellaneous/project.xml
index 2b97d89cb..1153ee1ea 100644
--- a/xdocs/miscellaneous/project.xml
+++ b/xdocs/miscellaneous/project.xml
@@ -31,6 +31,7 @@
<menu name="Miscellaneous Documentation">
<item name="Changelog"
href="../miscellaneous/changelog.html"/>
+ <item name="TLS renegotiation"
href="../miscellaneous/tls-renegotiation.html"/>
</menu>
<menu name="News">
diff --git a/xdocs/miscellaneous/tls-renegotiation.xml
b/xdocs/miscellaneous/tls-renegotiation.xml
new file mode 100644
index 000000000..1d411cc20
--- /dev/null
+++ b/xdocs/miscellaneous/tls-renegotiation.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!DOCTYPE document [
+ <!ENTITY project SYSTEM "project.xml">
+]>
+<?xml-stylesheet type="application/xslt+xml" href="../style.xsl"?>
+<document url="tls-renegotiation.html">
+
+ &project;
+
+<body>
+
+<section name="Introduction">
+ <p>
+ Historically there have been security issues associated with TLS
+ renegotiation. This page describes the renegotiation behaviour of the Tomcat
+ Native library.
+ </p>
+</section>
+<section name="Client initiated renegotiation">
+ <p>
+ Client initiated renegotiation is disabled. This behaviour is hard-coded and
+ cannot be changed.
+ </p>
+</section>
+<section name="Unsafe legacy negotiation">
+ <p>
+ Support for unsafe legacy negotiation depends on OpenSSL. Only if Tomcat
+ Native is compiled with a build of OpenSSL that supports legacy renegotiation
+ will Tomcat Native support it.
+ </p>
+</section>
+</body>
+</document>
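Review bot: the third section is titled "Unsafe legacy negotiation" but its body (and the removed TODO, and the changelog entry) talk about legacy *renegotiation*; rename the section to "Unsafe legacy renegotiation" so readers searching for the term find it. The body would also benefit from stating what "a build of OpenSSL that supports legacy renegotiation" means in practice (which OpenSSL versions or build-time configuration), and whether Tomcat Native exposes any runtime way to disable it, because as written an operator cannot tell from this page whether their deployment accepts unsafe legacy renegotiation without inspecting how OpenSSL was built. Minor: the `<body>` and `<section>` elements are not indented under `<document>` while `<p>` is indented under `<section>`; match whichever convention the other xdocs pages use.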
diff --git a/xdocs/news/project.xml b/xdocs/news/project.xml
index ecb969701..20c66baa0 100644
--- a/xdocs/news/project.xml
+++ b/xdocs/news/project.xml
@@ -30,7 +30,8 @@
</menu>
<menu name="Miscellaneous Documentation">
- <item name="Changelog" href="../miscellaneous/changelog.html"/>
+ <item name="Changelog" href="../miscellaneous/changelog.html"/>
+ <item name="TLS renegotiation"
href="../miscellaneous/tls-renegotiation.html"/>
</menu>
<menu name="News">
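Review bot: the `-`/`+` pair for the Changelog item (`<item name="Changelog" href="../miscellaneous/changelog.html"/>`) is identical in content, so this is a whitespace-only change that adds noise to the diff; either drop it or note it in the commit message. The same pattern appears in the xdocs/project.xml hunk below. The new "TLS renegotiation" item wraps onto two lines while the adjacent Changelog item fits on one; keep the two consistent, as in the xdocs/miscellaneous/project.xml hunk.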
diff --git a/xdocs/project.xml b/xdocs/project.xml
index c121f0c84..9184f9688 100644
--- a/xdocs/project.xml
+++ b/xdocs/project.xml
@@ -30,7 +30,8 @@
</menu>
<menu name="Miscellaneous Documentation">
- <item name="Changelog" href="miscellaneous/changelog.html"/>
+ <item name="Changelog" href="miscellaneous/changelog.html"/>
+ <item name="TLS renegotiation"
href="miscellaneous/tls-renegotiation.html"/>
</menu>
<menu name="News">