Posted to dev@tomcat.apache.org by bu...@apache.org on 2014/09/23 15:38:01 UTC
[Bug 57006] New: openssl s_client may connected with property
allowUnsafeLegacyRenegotiation set false
https://issues.apache.org/bugzilla/show_bug.cgi?id=57006
Bug ID: 57006
Summary: openssl s_client may connected with property
allowUnsafeLegacyRenegotiation set false
Product: Tomcat 6
Version: 6.0.41
Hardware: Other
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: 1599409001@qq.com
I set the below in server.xml, but the openssl s_client tool can still
connect successfully.
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
allowUnsafeLegacyRenegotiation="false" keystorePass="123456" />
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 57006] openssl s_client may connected with property
allowUnsafeLegacyRenegotiation set false
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57006
xinshouke <15...@qq.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
CC| |1599409001@qq.com
Resolution|INVALID |---
--- Comment #6 from xinshouke <15...@qq.com> ---
According to my reading of the source code and the docs on the Tomcat web site,
I found that the attribute 'allowUnsafeLegacyRenegotiation' is set to false by
default. I suspect that I don't need to set anything for the attribute in the
Tomcat server.xml to avoid the SSL renegotiation attack through SSL, should I?
(In reply to Mark Thomas from comment #5)
> I still don't see anything in this report that describes unexpected,
> undesirable or insecure behavior. Again, please use the users mailing list.
[Bug 57006] openssl s_client may connected with property
allowUnsafeLegacyRenegotiation set false
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57006
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |INVALID
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
I don't see anything in this bug report (the little of it that there is) that
describes a bug.
I suggest you try the users list for further assistance.
[Bug 57006] openssl s_client may connected with property
allowUnsafeLegacyRenegotiation set false
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57006
--- Comment #4 from xinshouke <15...@qq.com> ---
I have re-described my issue; please check the comments below.
(In reply to Mark Thomas from comment #1)
> I don't see anything in this bug report (the little of it that there is)
> that describes a bug.
>
> I suggest you try the users list for further assistance.
[Bug 57006] openssl s_client may connected with property
allowUnsafeLegacyRenegotiation set false
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57006
xinshouke <15...@qq.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|INVALID |---
--- Comment #3 from xinshouke <15...@qq.com> ---
Somebody checked my Tomcat server; he reported a high security risk with
SSLEnabled set to true but renegotiation not disabled. A way to verify the
issue is through the command 'openssl s_client -connect ip:port'.
So I set allowUnsafeLegacyRenegotiation="false" in the server.xml; the expected
result is that it gets an error after running the command 'openssl s_client
-connect ip:port'. But after executing the command, it still connected over
SSL successfully.
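An added example, not part of the bug thread: a completed `openssl s_client -connect` handshake does not by itself show how a server treats renegotiation; s_client reports the peer's RFC 5746 support on its own "Secure Renegotiation IS [NOT] supported" line, which this sketch classifies. The function name `reneg_status`, its verdict words and the three sample transcripts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the renegotiation line in `openssl s_client` output.
# reneg_status and its verdict words are hypothetical names for this sketch.
# Live use (HOST and PORT are placeholders):
#   openssl s_client -connect HOST:PORT </dev/null 2>/dev/null | reneg_status

reneg_status() {
    awk '
        /Secure Renegotiation IS NOT supported/ { notsup = 1 }
        /Secure Renegotiation IS supported/     { sup = 1 }
        /^New, TLSv1\.3,/                       { tls13 = 1 }
        END {
            # TLS 1.3 has no renegotiation at all, so the line is moot there.
            if (tls13)       print "no-renegotiation-in-tls13"
            else if (sup)    print "secure"       # peer sent the RFC 5746 extension
            else if (notsup) print "legacy-only"  # handshake worked, no RFC 5746
            else             print "unknown"      # no handshake summary found
        }'
}

# Constructed, abridged transcripts (not captured from any real server).
SAMPLE_SECURE='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2'

SAMPLE_LEGACY='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES128-SHA
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1'

# Some s_client versions print the NOT-supported line on TLS 1.3 sessions too.
SAMPLE_TLS13='CONNECTED(00000003)
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported'

# All three samples "connected successfully"; only the verdicts differ.
for sample in "$SAMPLE_SECURE" "$SAMPLE_LEGACY" "$SAMPLE_TLS13"; do
    printf '%s\n' "$sample" | reneg_status
done
```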
[Bug 57006] openssl s_client may connected with property
allowUnsafeLegacyRenegotiation set false
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57006
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution|--- |INVALID
--- Comment #7 from Mark Thomas <ma...@apache.org> ---
Third (and last) time. Use the users mailing list.
[Bug 57006] openssl s_client may connected with property
allowUnsafeLegacyRenegotiation set false
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57006
--- Comment #2 from xinshouke <15...@qq.com> ---
Created attachment 32047
--> https://issues.apache.org/bugzilla/attachment.cgi?id=32047&action=edit
my server.xml config
[Bug 57006] openssl s_client may connected with property
allowUnsafeLegacyRenegotiation set false
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57006
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution|--- |INVALID
--- Comment #5 from Mark Thomas <ma...@apache.org> ---
I still don't see anything in this report that describes unexpected,
undesirable or insecure behavior. Again, please use the users mailing list.