https://issues.apache.org/bugzilla/show_bug.cgi?id=55536
Bug ID: 55536
Summary: allow to disable Secure Client-Initiated Renegotiation
- DOS risk
Product: Tomcat 7
Version: unspecified
Hardware: PC
Status: NEW
Severity: enhancement
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: hau...@acm.org
The Apache/2.2.24 (FreeBSD) mod_ssl/2.2.24 OpenSSL/1.0.1e of
https://www.ssllabs.com/ssltest/analyze.html?d=issues.apache.org doesn't allow
Secure Client-Initiated Renegotiation
It is considered dangerous for DoS attacks:
https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
How could this be done with tomcat7?
http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme-141115.html
maybe the approach of bug 48236 could be used for this purpose again?
// after creation, immediately disable all ciphers, avoiding any subsequent
handshake
((SSLSocket)sock).setEnabledCipherSuites(new String[0]);
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
