You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2022/07/04 11:07:32 UTC
Re: [tomcat-native] branch main updated: Add renegotiation info
On 30/06/2022 17:47, Christopher Schultz wrote:
> On 6/30/22 03:35, markt@apache.org wrote:
<snip/>
>> +<section name="Unsafe legacy negotiation">
>> + <p>
>> + Support for unsafe legacy negotiation depends on OpenSSL. Only if
>> Tomcat
>> + Native is compiled with a build of OpenSSL that supports legacy
>> renegotiation
>> + will Tomcat Native support it.
>> + </p>
>
> Does this mean it's /possible/ (and configurable) to use Unsafe Legacy
> Negotiation, or does it mean that it's always-on for openssl builds
> where it's there, and always-off when it's not there?
It means that it is possible, configurable and disabled by default to
use unsafe legacy negotiation unless OpenSSL has been compiled with that
functionality explicitly removed. In which case it is completely disabled.
My memory is that I found a page that indicated it was possible to
compile OpenSSL with that functionality removed. When I went to re-check
my facts before writing this email, I couldn't find anything to confirm
that.
I'll re-write that page to make clear that the behaviour is determined
by OpenSSL configuration and that with 3.0.x, support is disabled by
default.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org