https://issues.apache.org/bugzilla/show_bug.cgi?id=48158
--- Comment #2 from Ralf Hauser <hau...@acm.org> 2009-11-09 04:07:54 UTC ---

tomcat-dev-list:
> BIO/NIO connectors using JSSE.
> Vulnerable when renegotiation is triggered by the client or server.
> We could prevent server initiated renegotiation (and probably break
> the majority of configurations using CLIENT-CERT).

Couldn't you make this an optional server.xml attribute where each site can decide whether to use it or not (i.e. test themselves whether it affects them or not)?

We are quite advanced on migrating our site away from sub-directory/url-pattern based renegotiation. So, having Coyote not allow re-negotiation would be a great benefit for us, and we obviously would report on difficulties we and our users encounter to optimize this approach!

> We can't do anything to prevent client initiated renegotiation.

Sure, but closing 2 out of 3 attack vectors is at least something, isn't it?
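The per-site opt-in asked for above is the kind of thing a server.xml audit can check. The following is an added example, not code from the bug report or from Tomcat: it parses a constructed server.xml and reports, per SSL-enabled Connector, whether the Tomcat Connector attribute allowUnsafeLegacyRenegotiation (which Tomcat later added; its absence means the default of false) explicitly re-enables legacy renegotiation.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the report): one plain HTTP
# connector, one HTTPS connector that explicitly re-enables legacy
# renegotiation, and one HTTPS connector that leaves it at the default.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="want"
               allowUnsafeLegacyRenegotiation="true" />
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
  </Service>
</Server>
"""


def audit_renegotiation(server_xml: str) -> list:
    """Return one finding (port, legacy_renegotiation_allowed) per SSL connector.

    Plain HTTP connectors are skipped: TLS renegotiation does not apply to them.
    A missing allowUnsafeLegacyRenegotiation attribute is treated as the
    default "false"; only an explicit "true" counts as permissive.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        allowed = conn.get("allowUnsafeLegacyRenegotiation", "false").lower() == "true"
        findings.append((conn.get("port"), allowed))
    return findings


def risky_ports(server_xml: str) -> list:
    """Ports whose connector explicitly permits unsafe legacy renegotiation."""
    return [port for port, allowed in audit_renegotiation(server_xml) if allowed]


if __name__ == "__main__":
    for port, allowed in audit_renegotiation(SAMPLE_SERVER_XML):
        state = "ALLOWED" if allowed else "disabled"
        print(f"port {port}: legacy renegotiation {state}")
```

Run against a real server.xml, only connectors listed by risky_ports need a site-specific decision about whether CLIENT-CERT on a sub-path justifies keeping renegotiation on.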