https://issues.apache.org/bugzilla/show_bug.cgi?id=48158
--- Comment #5 from Ralf Hauser <hau...@acm.org> 2009-11-12 09:52:53 UTC ---
(In reply to comment #3)
> > Couldn't you make this an optional server.xml attribute
> See the "clientAuth" connector attribute for options already available for
> limiting server side re-negotiation.

Hmm, the word "re-negotiation" doesn't really appear in
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Edit%20the%20Tomcat%20Configuration%20File
for the attribute, nor does one know whether it is a mandatory or optional
attribute (same for "truststoreFile" - is there a "*" wildcard option to accept
any issuer?).

> > > We can't do anything to prevent client initiated renegotiation.
> > Sure, but closing 2 out of 3 attack vectors is at least something, isn't it?
> In this case, I don't think it is. However, the options are already in place
> if you wish to use them.

Looking at
org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(boolean force),
I see

    if(jsseCerts.length <= 0 && force) {
        session.invalidate();
        handShake();
        session = ssl.getSession();
    }

Isn't that the renegotiation we want to avoid? Shouldn't this now be commented
out for the time being?
(One scenario being that an MITM attacker in the handshake eliminates the
optional "CertificateRequest*" as per section "7.3. Handshake Protocol overview"
http://www.ietf.org/rfc/rfc2246.txt
With that, the client might first do a non-client-cert SSL session and the server
might soon notice and trigger a TLS re-handshake [just speculating...])

At least the javax.net.ssl.SSLSocket.startHandshake() executed inside the above
"handShake()" doesn't dissipate my suspicions that there may be a problem:

    /**
     * Starts an SSL handshake on this connection.
     */
    public void startHandshake() throws IOException {
        checkWrite();
        try {
            if (getConnectionState() == cs_HANDSHAKE) {
                // do initial handshake
                performInitialHandshake();
            } else {
                // start renegotiation
                kickstartHandshake();
            }
        } catch (Exception e) {
            // shutdown and rethrow (wrapped) exception as appropriate
            handleException(e);
        }
    }

but maybe http://marc.info/?l=tomcat-dev&m=125796482429041&w=2 got there too...