Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/06/30 07:35:56 UTC

[tomcat-native] branch main updated: Add renegotiation info

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git


The following commit(s) were added to refs/heads/main by this push:
     new 28aa8ef2c Add renegotiation info
28aa8ef2c is described below

commit 28aa8ef2c9360dcdcb9f2386224146ebce0c36f2
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Jun 30 08:35:50 2022 +0100

    Add renegotiation info
---
 TODO.txt                                  | 14 ---------
 xdocs/miscellaneous/changelog.xml         |  7 ++---
 xdocs/miscellaneous/project.xml           |  1 +
 xdocs/miscellaneous/tls-renegotiation.xml | 49 +++++++++++++++++++++++++++++++
 xdocs/news/project.xml                    |  3 +-
 xdocs/project.xml                         |  3 +-
 6 files changed, 57 insertions(+), 20 deletions(-)

diff --git a/TODO.txt b/TODO.txt
index 6570c9535..ed95823ce 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -21,20 +21,6 @@
                         TODO
 
 
-SSL Renegotiation
------------------
-
-It is unclear to me, what the current state is. It looks like we support
-the unsafe legacy reneg whenever the OpenSSL used during build time
-supports it. There is no configuration option to switch it off during
-runtime. Right?
-
-Is it correct, that client initiated reneg is not supported and thus the
-known attacks will not work even with old OpenSSL?
-
-Should we add a remark about this topic to the docs?
-
-
 Releasing
 ---------
 
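Review bot: the removed TODO asked two concrete questions (is there a runtime switch for unsafe legacy renegotiation, and is client-initiated renegotiation unsupported so the known attacks do not apply) and this hunk drops them without recording the answers anywhere; the new page added in this commit only states a build-time OpenSSL condition, so the runtime-configuration question is still open. Either keep that item in TODO.txt until the documentation says whether the behaviour is configurable at runtime and what the default is, or answer it in the new page.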
diff --git a/xdocs/miscellaneous/changelog.xml b/xdocs/miscellaneous/changelog.xml
index 50e78669d..cef5f2864 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -23,10 +23,6 @@
 
   &project;
 
-  <properties>
-    <author email="jfclere@apache.org">Jean-Frederic Clere</author>
-  </properties>
-
 <body>
 
 <section name="Preface">
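Review bot: dropping the `<properties>`/`<author>` block from changelog.xml is unrelated to adding the renegotiation page and is not mentioned in the commit message; it would be cleaner as its own commit, or at least called out in the message so the history explains why the author metadata was removed.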
@@ -57,6 +53,9 @@
       10.1.x to support the use of OpenSSL as a replacement for JSSE to provide
       TLS functionality. (markt)
     </design>
+    <docs>
+      Document the TLS rengotiation behaviour. (markt)
+    </docs>
   </changelog>
 </section>
 <section name="Changes in 1.2.x">
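Review bot: typo in the new changelog entry: `Document the TLS rengotiation behaviour. (markt)` should read `renegotiation`.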
diff --git a/xdocs/miscellaneous/project.xml b/xdocs/miscellaneous/project.xml
index 2b97d89cb..1153ee1ea 100644
--- a/xdocs/miscellaneous/project.xml
+++ b/xdocs/miscellaneous/project.xml
@@ -31,6 +31,7 @@
 
     <menu name="Miscellaneous Documentation">
         <item name="Changelog"                  href="../miscellaneous/changelog.html"/>
+        <item name="TLS renegotiation"          href="../miscellaneous/tls-renegotiation.html"/>
     </menu>
 
     <menu name="News">
diff --git a/xdocs/miscellaneous/tls-renegotiation.xml b/xdocs/miscellaneous/tls-renegotiation.xml
new file mode 100644
index 000000000..1d411cc20
--- /dev/null
+++ b/xdocs/miscellaneous/tls-renegotiation.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<!DOCTYPE document [
+  <!ENTITY project SYSTEM "project.xml">
+]>
+<?xml-stylesheet type="application/xslt+xml" href="../style.xsl"?>
+<document url="tls-renegotiation.html">
+
+  &project;
+
+<body>
+
+<section name="Introduction">
+  <p>
+  Historically there have been security issues associated with TLS
+  renegotiation. This page describes the renegotiation behaviour of the Tomcat
+  Native library.
+  </p>
+</section>
+<section name="Client initiated renegotiation">
+  <p>
+  Client initiated renegotiation is disabled. This behaviour is hard-coded and
+  cannot be changed.
+  </p>
+</section>
+<section name="Unsafe legacy negotiation">
+  <p>
+  Support for unsafe legacy negotiation depends on OpenSSL. Only if Tomcat
+  Native is compiled with a build of OpenSSL that supports legacy renegotiation
+  will Tomcat Native support it.
+  </p>
+</section>
+</body>
+</document>
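Review bot: the section name `Unsafe legacy negotiation` and the first sentence under it should say `renegotiation`: the rest of that paragraph and the changelog entry both talk about legacy renegotiation, and the mixed terminology will confuse readers looking for the OpenSSL unsafe-legacy-renegotiation behaviour. The section also states only a build-time condition (`Only if Tomcat Native is compiled with a build of OpenSSL that supports legacy renegotiation will Tomcat Native support it.`) and says nothing about whether the feature is on or off by default or how it is configured at runtime, which is exactly what the TODO item removed in this commit asked; one sentence on the default and on where it is configured would make the page answer that question. Similarly, the `Client initiated renegotiation` section could say whether server-initiated renegotiation remains available, since that is the case operators will ask about next.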
diff --git a/xdocs/news/project.xml b/xdocs/news/project.xml
index ecb969701..20c66baa0 100644
--- a/xdocs/news/project.xml
+++ b/xdocs/news/project.xml
@@ -30,7 +30,8 @@
     </menu>
 
     <menu name="Miscellaneous Documentation">
-      <item name="Changelog" href="../miscellaneous/changelog.html"/>
+      <item name="Changelog"           href="../miscellaneous/changelog.html"/>
+        <item name="TLS renegotiation" href="../miscellaneous/tls-renegotiation.html"/>
     </menu>
 
     <menu name="News">
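Review bot: indentation is inconsistent in xdocs/news/project.xml: the new `<item name="TLS renegotiation" .../>` line is indented two spaces deeper than the `Changelog` item above it, while the same pair in xdocs/project.xml is aligned; indent it to match its sibling item.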
diff --git a/xdocs/project.xml b/xdocs/project.xml
index c121f0c84..9184f9688 100644
--- a/xdocs/project.xml
+++ b/xdocs/project.xml
@@ -30,7 +30,8 @@
     </menu>
 
     <menu name="Miscellaneous Documentation">
-      <item name="Changelog" href="miscellaneous/changelog.html"/>
+      <item name="Changelog"         href="miscellaneous/changelog.html"/>
+      <item name="TLS renegotiation" href="miscellaneous/tls-renegotiation.html"/>
     </menu>
 
     <menu name="News">


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: [tomcat-native] branch main updated: Add renegotiation info

Posted by Mark Thomas <ma...@apache.org>.
On 30/06/2022 17:47, Christopher Schultz wrote:
> On 6/30/22 03:35, markt@apache.org wrote:

<snip/>

>> +<section name="Unsafe legacy negotiation">
>> +  <p>
>> +  Support for unsafe legacy negotiation depends on OpenSSL. Only if 
>> Tomcat
>> +  Native is compiled with a build of OpenSSL that supports legacy 
>> renegotiation
>> +  will Tomcat Native support it.
>> +  </p>
> 
> Does this mean it's /possible/ (and configurable) to use Unsafe Legacy 
> Negotiation, or does it mean that it's always-on for openssl builds 
> where it's there, and always-off when it's not there?

It means that it is possible, configurable and disabled by default to 
use unsafe legacy negotiation, unless OpenSSL has been compiled with that 
functionality explicitly removed, in which case it is completely disabled.

My memory is that I found a page that indicated it was possible to 
compile OpenSSL with that functionality removed. When I went to re-check 
my facts before writing this email, I couldn't find anything to confirm 
that.

I'll re-write that page to make clear that the behaviour is determined 
by OpenSSL configuration and that with 3.0.x, support is disabled by 
default.

Mark



Re: [tomcat-native] branch main updated: Add renegotiation info

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 6/30/22 03:35, markt@apache.org wrote:
> This is an automated email from the ASF dual-hosted git repository.
> 
> markt pushed a commit to branch main
> in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
> 
> 
> The following commit(s) were added to refs/heads/main by this push:
>       new 28aa8ef2c Add renegotiation info
> 28aa8ef2c is described below
> 
> commit 28aa8ef2c9360dcdcb9f2386224146ebce0c36f2
> Author: Mark Thomas <ma...@apache.org>
> AuthorDate: Thu Jun 30 08:35:50 2022 +0100
>      Add renegotiation info
> 
> [snip]
> 
> +<section name="Unsafe legacy negotiation">
> +  <p>
> +  Support for unsafe legacy negotiation depends on OpenSSL. Only if Tomcat
> +  Native is compiled with a build of OpenSSL that supports legacy renegotiation
> +  will Tomcat Native support it.
> +  </p>

Does this mean it's /possible/ (and configurable) to use Unsafe Legacy 
Negotiation, or does it mean that it's always-on for openssl builds 
where it's there, and always-off when it's not there?

-chris
