https://issues.apache.org/bugzilla/show_bug.cgi?id=55536

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
(In reply to Ralf Hauser from comment #2)
> This RFE is not about APR, but the Java side of SSL/TLS.

I'm aware of that. APR is an optional solution.

> But even then, I am not going to argue with you about renegotiation rate
> limit meaningfulness - I leave that to Qualys and their ssllabs.

It is a view, just not one I agree with. There does not appear to be a
consensus on this. My testing with Tomcat is consistent with that of others who
have tested OpenSSL: the difference between one connection with lots of
renegotiations and lots of connections each with an initial handshake is
minimal.

> At least in Tomcat v>=7, it appears this might be relatively easily doable
> with
> overwriting JSSEImplementation
> public SSLSupport getSSLSupport(Socket s) {
> }
> and doing the setEnabledCipherSuites(new String[0]) .
> Then put your new class into "sslImplementationName" as per 
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL%20Support
> 
> Does this sound right?

I haven't tested it but that is the right sort of thing to be doing.

Mark
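The override sketched in the quoted comment, written out as an added example; it is not code from the bug thread or from Tomcat. The package and class name are hypothetical. It assumes, as the comment does, that Tomcat 7's BIO connector calls getSSLSupport(Socket) only after the initial handshake on that socket has completed, so that emptying the enabled cipher suites leaves the established session usable while giving any later renegotiation handshake nothing to agree on.

```java
// Added example, not part of the bug thread or of Tomcat. Hypothetical package.
package example.tls;

import java.net.Socket;

import javax.net.ssl.SSLSocket;

import org.apache.tomcat.util.net.SSLSupport;
import org.apache.tomcat.util.net.jsse.JSSEImplementation;

/**
 * JSSE implementation that refuses TLS renegotiation on a socket once its
 * initial handshake is done. The already-negotiated session keeps working
 * because its keys are fixed; a renegotiation handshake, however, has to pick
 * a cipher suite from the enabled set, and an empty set makes it fail.
 *
 * Assumption: Tomcat's BIO connector invokes getSSLSupport(Socket) after
 * JSSESocketFactory.handshake() has completed the initial handshake.
 */
public class NoRenegotiationJSSEImplementation extends JSSEImplementation {

    @Override
    public SSLSupport getSSLSupport(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            // Idempotent: getSSLSupport may be called more than once per
            // connection, so only clear the suites the first time through.
            if (ssl.getEnabledCipherSuites().length > 0) {
                ssl.setEnabledCipherSuites(new String[0]);
            }
        }
        // Delegate to the stock JSSE support object for attribute lookups
        // (cipher suite, key size, session id, peer certificates).
        return super.getSSLSupport(s);
    }
}
```

Deploy the class in a jar on Tomcat's class path (for example lib/) and reference it from the connector as `sslImplementationName="example.tls.NoRenegotiationJSSEImplementation"`, as the linked configuration page describes. Two caveats to verify on the target version before relying on it: the NIO connector obtains its SSLSupport from getSSLSupport(SSLSession) rather than from the Socket, so this override does not cover it; and Tomcat's own CLIENT-CERT handling for a protected context triggers a renegotiation to request the client certificate, which this change will also make fail. To confirm the effect, connect with `openssl s_client -connect host:8443` and issue a renegotiation (the `R` command): the initial handshake should succeed and the renegotiation should be rejected.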
