You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Olaf Tomczak <ol...@gmail.com> on 2011/01/28 20:00:32 UTC
secure TLS renegotiation
Hello,
Does Tomcat support the so called "secure TLS renegotiation"? If so, what
should I configure to use it?
Currently when connecting to my application using secure connection most
browsers complain about my server software being "very old" and insecure
because of the lack of this feature.
I'm using Tomcat 6.0.29 on linux/freebsd.
Thanks,
Olaf
Re: secure TLS renegotiation
Posted by Mark Thomas <ma...@apache.org>.
On 28/01/2011 19:29, Olaf Tomczak wrote:
> Mark,
>
> 2011/1/28 Mark Thomas <ma...@apache.org>
>>
>> On 28/01/2011 19:00, Olaf Tomczak wrote:
>>> Hello,
>>>
>>> Does Tomcat support the so called "secure TLS renegotiation"? If so, what
>>> should I configure to use it?
>>> Currently when connecting to my application using secure connection most
>>> browsers complain about my server software being "very old" and insecure
>>> because of the lack of this feature.
>>>
>>> I'm using Tomcat 6.0.29 on linux/freebsd.
>>
>> Yes, if the JVM supports it.
>>
>> You'll probably need to enable Tomcat's allowLegacyRegenotiation feature
>> else Tomcat will block all renegotiation.
>
> I googled "allowLegacyRenegotiation" and found this article:
> http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
>
> It describes the following 2 system properties:
> sun.security.ssl.allowUnsafeRenegotiation - Introduced in Phase 1,
> this controls whether legacy (unsafe) renegotiations are permitted.
> sun.security.ssl.allowLegacyHelloMessages - Introduced in Phase 2,
> this allows the peer to handshake without requiring the proper RFC
> 5746 messages.
>
> Are these what you meant?
That is what I meant for the Oracle part. You'll need to look at the
Tomcat configuration docs for HTTP connector for allowLegacyRenegotiation
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: secure TLS renegotiation
Posted by Olaf Tomczak <ol...@gmail.com>.
Mark,
2011/1/28 Mark Thomas <ma...@apache.org>
>
> On 28/01/2011 19:00, Olaf Tomczak wrote:
> > Hello,
> >
> > Does Tomcat support the so called "secure TLS renegotiation"? If so, what
> > should I configure to use it?
> > Currently when connecting to my application using secure connection most
> > browsers complain about my server software being "very old" and insecure
> > because of the lack of this feature.
> >
> > I'm using Tomcat 6.0.29 on linux/freebsd.
>
> Yes, if the JVM supports it.
>
> You'll probably need to enable Tomcat's allowLegacyRegenotiation feature
> else Tomcat will block all renegotiation.
I googled "allowLegacyRenegotiation" and found this article:
http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
It describes the following 2 system properties:
sun.security.ssl.allowUnsafeRenegotiation - Introduced in Phase 1,
this controls whether legacy (unsafe) renegotiations are permitted.
sun.security.ssl.allowLegacyHelloMessages - Introduced in Phase 2,
this allows the peer to handshake without requiring the proper RFC
5746 messages.
Are these what you meant?
Thanks for your help,
Olaf
>
> That needs a rename to
> allowRenegotiation in light of how Oracle decided to fix this.
> Unfortunately Oracle went for system wide system properties rather than
> providing an API to let folks control it per socket or connection.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: secure TLS renegotiation
Posted by Mark Thomas <ma...@apache.org>.
On 28/01/2011 19:00, Olaf Tomczak wrote:
> Hello,
>
> Does Tomcat support the so called "secure TLS renegotiation"? If so, what
> should I configure to use it?
> Currently when connecting to my application using secure connection most
> browsers complain about my server software being "very old" and insecure
> because of the lack of this feature.
>
> I'm using Tomcat 6.0.29 on linux/freebsd.
Yes, if the JVM supports it.
You'll probably need to enable Tomcat's allowLegacyRegenotiation feature
else Tomcat will block all renegotiation. That needs a rename to
allowRenegotiation in light of how Oracle decided to fix this.
Unfortunately Oracle went for system wide system properties rather than
providing an API to let folks control it per socket or connection.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org