Posted to users@tomcat.apache.org by dk...@ccilindia.co.in on 2013/02/08 15:28:59 UTC
How to limit the number of renegotiations for a single TLS / SSL connection
Hello All,
We are using -
Tomcat Version - 6.0.18
Operating System Version : HP-UX 11.31
SSL Version - OpenSSL 0.9.8k 25 Mar 2009
Port - 8443
By running the vulnerability assessment test we are getting the following
observation
The remote service encrypts traffic using TLS / SSL and permits clients to
renegotiate connections. The computational requirements for renegotiating
a connection are asymmetrical between the client and the server, with the
server performing several times more work. Since the remote host does not
appear to limit the number of renegotiations for a single TLS / SSL
connection, this permits a client to open several simultaneous connections
and repeatedly renegotiate them, possibly leading to a denial of service
condition.
Please suggest the recommended solution for tomcat
Thanks & Regards
Deepak Kumar
"Disclaimer and confidentiality clause -
This message and any attachments relating to official business of CCIL OR ANY OF IT'S SUBSIDIARIES is proprietary to CCIL and intended for the original addressee only.
The message may contain information that is confidential and subject to legal privilege.
Any views expressed in this message are those of the individual sender.
If you have received this message in error, please notify the original sender immediately and destroy the message and copies thereof and any attachments contained in it .
If you are not the intended recipient of this message, you are hereby notified that you must not disseminate, copy, use, distribute, or take any action in connection therewith.
CCIL cannot ensure that the integrity of this communication has been maintained nor that it is free of errors, viruses, interception and/or interference.
CCIL is not liable whatsoever for loss or damage resulting from the opening of this message and/or attachments and/or the use of the information contained in this message and/or attachments."
Re: How to limit the number of renegotiations for a single TLS /
SSL connection
Posted by Mark Thomas <ma...@apache.org>.
On 11/02/2013 13:00, dkumar@ccilindia.co.in wrote:
> Hello,
>
> We tried to set the APR connector protocol attribute in the connector tag but we
> are not able to start Tomcat as the supporting libraries are not found
> in the JDK 1.7 installed on my system
> Please suggest where we will get the APR connector file.
Have you looked in the documentation?
http://tomcat.apache.org/tomcat-7.0-doc/apr.html
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: How to limit the number of renegotiations for a single TLS / SSL
connection
Posted by dk...@ccilindia.co.in.
Hello,
We tried to set the APR connector protocol attribute in the connector tag but we
are not able to start Tomcat as the supporting libraries are not found
in the JDK 1.7 installed on my system
Please suggest where we will get the APR connector file.
@Mark
Sorry for duplicate message. That has a correction ["http-bio-8443"]
instead of ["http-bio-443"]
Thanks and Regards
Deepak
From: Mark Thomas <ma...@apache.org>
To: Tomcat Users List <us...@tomcat.apache.org>
Date: 02/11/2013 05:23 PM
Subject: Re: How to limit the number of renegotiations for a single
TLS / SSL connection
On 11/02/2013 11:31, dkumar@ccilindia.co.in wrote:
> Hello Mark
>
> We have just updated the Tomcat version to 7.0.35 and have not explicitly
> given any connector protocol in the connector tag; when Tomcat is starting it's
> giving Initializing ProtocolHandler ["http-bio-443"]
Which means you are using the BIO HTTP connector, not the APR/native
HTTP connector. The BIO connector supports renegotiation.
Mark
P.S. Please stop
a) sending duplicate messages to the users list
b) cc'ing list members on your replies.
>
> Regards
> Deepak
>
>
>
> From: Mark Thomas <ma...@apache.org>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Date: 02/11/2013 04:48 PM
> Subject: Re: How to limit the number of renegotiations for a
single
> TLS / SSL connection
>
>
>
> On 11/02/2013 11:10, dkumar@ccilindia.co.in wrote:
>> Hello All,
>>
>> We have upgraded Tomcat (7.0.35) and OpenSSL (0.9.8x)
>> Still facing same issue
>> Please suggest
>
> Are you sure you are using the APR/native connector?
>
> Mark
Re: How to limit the number of renegotiations for a single TLS /
SSL connection
Posted by Mark Thomas <ma...@apache.org>.
On 11/02/2013 11:31, dkumar@ccilindia.co.in wrote:
> Hello Mark
>
> We have just updated the Tomcat version to 7.0.35 and have not explicitly
> given any connector protocol in the connector tag; when Tomcat is starting it's
> giving Initializing ProtocolHandler ["http-bio-443"]
Which means you are using the BIO HTTP connector, not the APR/native
HTTP connector. The BIO connector supports renegotiation.
Mark
P.S. Please stop
a) sending duplicate messages to the users list
b) cc'ing list members on your replies.
>
> Regards
> Deepak
>
>
>
> From: Mark Thomas <ma...@apache.org>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Date: 02/11/2013 04:48 PM
> Subject: Re: How to limit the number of renegotiations for a single
> TLS / SSL connection
>
>
>
> On 11/02/2013 11:10, dkumar@ccilindia.co.in wrote:
>> Hello All,
>>
>> We have upgraded Tomcat (7.0.35) and OpenSSL (0.9.8x)
>> Still facing same issue
>> Please suggest
>
> Are you sure you are using the APR/native connector?
>
> Mark
Re: How to limit the number of renegotiations for a single TLS / SSL
connection
Posted by dk...@ccilindia.co.in.
Hello Mark
We have just updated the Tomcat version to 7.0.35 and have not explicitly
given any connector protocol in the connector tag; when Tomcat is starting it's
giving Initializing ProtocolHandler ["http-bio-443"]
Regards
Deepak
From: Mark Thomas <ma...@apache.org>
To: Tomcat Users List <us...@tomcat.apache.org>
Date: 02/11/2013 04:48 PM
Subject: Re: How to limit the number of renegotiations for a single
TLS / SSL connection
On 11/02/2013 11:10, dkumar@ccilindia.co.in wrote:
> Hello All,
>
> We have upgraded Tomcat (7.0.35) and OpenSSL (0.9.8x)
> Still facing same issue
> Please suggest
Are you sure you are using the APR/native connector?
Mark
Re: How to limit the number of renegotiations for a single TLS / SSL
connection
Posted by dk...@ccilindia.co.in.
Hello Mark
We have just updated the Tomcat version to 7.0.35 and have not explicitly
given any connector protocol in the connector tag; when Tomcat is starting it's
giving Initializing ProtocolHandler ["http-bio-8443"]
Regards
Deepak
From: Mark Thomas <ma...@apache.org>
To: Tomcat Users List <us...@tomcat.apache.org>
Date: 02/11/2013 04:48 PM
Subject: Re: How to limit the number of renegotiations for a single
TLS / SSL connection
On 11/02/2013 11:10, dkumar@ccilindia.co.in wrote:
> Hello All,
>
> We have upgraded Tomcat (7.0.35) and OpenSSL (0.9.8x)
> Still facing same issue
> Please suggest
Are you sure you are using the APR/native connector?
Mark
Re: How to limit the number of renegotiations for a single TLS /
SSL connection
Posted by Mark Thomas <ma...@apache.org>.
On 11/02/2013 11:10, dkumar@ccilindia.co.in wrote:
> Hello All,
>
> We have upgraded Tomcat (7.0.35) and OpenSSL (0.9.8x)
> Still facing same issue
> Please suggest
Are you sure you are using the APR/native connector?
Mark
Re: How to limit the number of renegotiations for a single TLS / SSL
connection
Posted by dk...@ccilindia.co.in.
Hello All,
We have upgraded Tomcat (7.0.35) and OpenSSL (0.9.8x)
Still facing same issue
Please suggest
Thanks and regards
Deepak Kumar
From: Pid <pi...@pidster.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Date: 02/09/2013 11:35 PM
Subject: Re: How to limit the number of renegotiations for a single
TLS / SSL connection
On 08/02/2013 15:05, Mark Thomas wrote:
> On 08/02/2013 14:34, Caldarale, Charles R wrote:
>>> From: dkumar@ccilindia.co.in [mailto:dkumar@ccilindia.co.in]
>>> Subject: How to limit the number of renegotiations for a single TLS
>>> / SSL connection
>>
>>> We are using - Tomcat Version - 6.0.18
>>
>>> Please suggest the recommended solution for tomcat
>>
>> Try using a version of Tomcat that's newer than 4.5 years old. Many
>> security-related fixes have gone in since then, and it's
>> irresponsible to expose your site to situations that have been
>> addressed years previously. If you check the changelog, I think
>> you'll find this TLS issue was addressed quite some time ago; it may
>> require a JVM upgrade as well.
>
> No, this is a different issue.
Not to disagree with Mark T... but the point about using old software is
still a good one.
Tomcat 6.0.18 vs Tomcat 6.0.36
OpenSSL 0.9.8k (25-Mar-2009) vs OpenSSL 0.9.8y (05-Feb-2013)
Focusing on particular issues like this, rather than addressing the big
picture and using a more recent build of OpenSSL and/or Tomcat (that
will carry many fixes) means the OP is probably Doing IT Wrong.
p
--
[key:62590808]
Re: How to limit the number of renegotiations for a single TLS /
SSL connection
Posted by Pid <pi...@pidster.com>.
On 08/02/2013 15:05, Mark Thomas wrote:
> On 08/02/2013 14:34, Caldarale, Charles R wrote:
>>> From: dkumar@ccilindia.co.in [mailto:dkumar@ccilindia.co.in]
>>> Subject: How to limit the number of renegotiations for a single TLS
>>> / SSL connection
>>
>>> We are using - Tomcat Version - 6.0.18
>>
>>> Please suggest the recommended solution for tomcat
>>
>> Try using a version of Tomcat that's newer than 4.5 years old. Many
>> security-related fixes have gone in since then, and it's
>> irresponsible to expose your site to situations that have been
>> addressed years previously. If you check the changelog, I think
>> you'll find this TLS issue was addressed quite some time ago; it may
>> require a JVM upgrade as well.
>
> No, this is a different issue.
Not to disagree with Mark T... but the point about using old software is
still a good one.
Tomcat 6.0.18 vs Tomcat 6.0.36
OpenSSL 0.9.8k (25-Mar-2009) vs OpenSSL 0.9.8y (05-Feb-2013)
Focusing on particular issues like this, rather than addressing the big
picture and using a more recent build of OpenSSL and/or Tomcat (that
will carry many fixes) means the OP is probably Doing IT Wrong.
p
--
[key:62590808]
Re: How to limit the number of renegotiations for a single TLS /
SSL connection
Posted by Mark Thomas <ma...@apache.org>.
On 08/02/2013 14:34, Caldarale, Charles R wrote:
>> From: dkumar@ccilindia.co.in [mailto:dkumar@ccilindia.co.in]
>> Subject: How to limit the number of renegotiations for a single TLS
>> / SSL connection
>
>> We are using - Tomcat Version - 6.0.18
>
>> Please suggest the recommended solution for tomcat
>
> Try using a version of Tomcat that's newer than 4.5 years old. Many
> security-related fixes have gone in since then, and it's
> irresponsible to expose your site to situations that have been
> addressed years previously. If you check the changelog, I think
> you'll find this TLS issue was addressed quite some time ago; it may
> require a JVM upgrade as well.
No, this is a different issue.
Mark
RE: How to limit the number of renegotiations for a single TLS /
SSL connection
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: dkumar@ccilindia.co.in [mailto:dkumar@ccilindia.co.in]
> Subject: How to limit the number of renegotiations for a single TLS / SSL connection
> We are using -
> Tomcat Version - 6.0.18
> Please suggest the recommended solution for tomcat
Try using a version of Tomcat that's newer than 4.5 years old. Many security-related fixes have gone in since then, and it's irresponsible to expose your site to situations that have been addressed years previously. If you check the changelog, I think you'll find this TLS issue was addressed quite some time ago; it may require a JVM upgrade as well.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: How to limit the number of renegotiations for a single TLS /
SSL connection
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Deepak,
On 2/9/13 4:05 AM, dkumar@ccilindia.co.in wrote:
> we have not specified any specific connector protocol in the
> connector tag; does that mean we are using the native APR connector, and
> if so, then as renegotiation is not permitted in APR why does the VA
> tool say renegotiation DoS vulnerability, and it would be of great
> help if you explain how to implement the HTTP NIO or BIO connector to
> handle this renegotiation issue.
The default connector depends upon your system configuration. I
believe if you have APR/tcnative available, Tomcat will use that and
you'll get an APR/HTTP connector. Otherwise, you'll get the BIO
connector. You have to specifically request the NIO connector.
> <Connector port="8443" SSLEnabled="true" acceptCount="500"
>            ciphers="Some cipher" allowUnsafeLegacyRenegotiation="false"
>            maxThreads="5" scheme="https" secure="false" clientAuth="false"
>            sslProtocol="TLS" keystoreFile="cert.key" keystorePass="password" />
Using the APR connector for SSL will be much faster than either BIO or
NIO.
- -chris
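Chris's answer above turns on which connector actually starts, and the thread's earlier point that the APR/native connector refuses client renegotiation while BIO and NIO accept it. The script below is an added example (not code from this thread or from the Tomcat project) that applies those rules to a server.xml: it lists every SSL-enabled Connector, resolves a missing or "HTTP/1.1" protocol attribute to APR or BIO depending on whether the tcnative library is assumed to be loadable, and prints the "Initializing ProtocolHandler" line to look for in the startup log. The server.xml it parses is constructed for the example; the protocol class names and SSL attribute names are Tomcat 7's, the file paths and passwords are placeholders.

```python
"""Audit a Tomcat server.xml for SSL connectors that permit client-initiated
TLS renegotiation.

Added example; this is not code from the thread or from the Tomcat project.
It encodes the rule the thread states: the BIO and NIO HTTP connectors permit
client renegotiation, the APR/native connector does not, and a connector with
no explicit protocol resolves to APR when the tcnative library is loadable and
to BIO otherwise (Tomcat 6 and 7). The server.xml below is constructed for
this example; paths and passwords are placeholders.
"""
import xml.etree.ElementTree as ET

# Tomcat 7 protocol class names (the protocol attribute of <Connector>).
PROTOCOLS = {
    "org.apache.coyote.http11.Http11AprProtocol": "apr",
    "org.apache.coyote.http11.Http11Protocol": "bio",
    "org.apache.coyote.http11.Http11NioProtocol": "nio",
}

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <!-- modelled on the poster's connector: no protocol attribute, JSSE keystore -->
    <Connector port="8443" SSLEnabled="true" acceptCount="500" maxThreads="5"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/keystore.jks" keystorePass="changeit" />
    <!-- explicit APR/native connector: OpenSSL-style PEM attributes -->
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="conf/server.crt" SSLCertificateKeyFile="conf/server.key"
               SSLProtocol="TLSv1" SSLVerifyClient="none" />
    <!-- plain HTTP connector: no TLS, so out of scope -->
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""


def classify(protocol, tcnative_available):
    """Map a Connector protocol attribute to the connector that will run."""
    if protocol in (None, "HTTP/1.1"):
        return "apr" if tcnative_available else "bio"
    return PROTOCOLS.get(protocol, "unknown")


def audit(server_xml, tcnative_available):
    """One finding per SSL-enabled connector: which connector will run, whether
    client renegotiation is permitted, and the startup log line to confirm it.
    An unrecognised protocol is reported conservatively as permitting it."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        kind = classify(conn.get("protocol"), tcnative_available)
        port = int(conn.get("port"))
        findings.append({
            "port": port,
            "connector": kind,
            "renegotiation_permitted": kind != "apr",
            "log_line": ('Initializing ProtocolHandler ["http-%s-%d"]' % (kind, port)
                         if kind in ("apr", "bio", "nio") else None),
        })
    return findings


if __name__ == "__main__":
    for tcnative in (False, True):
        print("tcnative available: %s" % tcnative)
        for f in audit(SAMPLE_SERVER_XML, tcnative):
            print("  port %(port)d -> %(connector)s, client renegotiation permitted: "
                  "%(renegotiation_permitted)s; expect %(log_line)s" % f)
```

Running it with tcnative_available set to False and then True shows why the poster's "http-bio-8443" startup line meant the default connector had fallen back to BIO: the 8443 connector only becomes APR when the native library is actually loadable, and Tomcat logs at startup whether it found that library. The 9443 connector names the APR protocol explicitly, so it either starts as APR or fails to start, which is the behaviour the poster hit once the library was missing.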
Re: How to limit the number of renegotiations for a single TLS / SSL
connection
Posted by dk...@ccilindia.co.in.
Hello All,
@ Mark
we have not specified any specific connector protocol in the connector
tag; does that mean we are using the native APR connector, and if so, then
as renegotiation is not permitted in APR why does the VA tool say renegotiation
DoS vulnerability, and it would be of great help if you explain how to
implement the HTTP NIO or BIO connector to handle this renegotiation issue.
@Daniel
Please find the connector tag of server.xml
<Connector port="8443" SSLEnabled="true" acceptCount="500"
           ciphers="Some cipher" allowUnsafeLegacyRenegotiation="false"
           maxThreads="5" scheme="https" secure="false"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="cert.key" keystorePass="password" />
Any help would be appreciated.
Thanks and regards
Deepak.
From: Mark Thomas <ma...@apache.org>
To: Tomcat Users List <us...@tomcat.apache.org>
Date: 02/08/2013 08:44 PM
Subject: Re: How to limit the number of renegotiations for a single
TLS / SSL connection
On 08/02/2013 14:28, dkumar@ccilindia.co.in wrote:
> Hello All,
>
> We are using -
> Tomcat Version - 6.0.18
> Operating System Version : HP-UX 11.31
> SSL Version - OpenSSL 0.9.8k 25 Mar 2009
> Port - 8443
>
> By running the vulnerability assessment test we are getting the following
> observation
>
> The remote service encrypts traffic using TLS / SSL and permits clients to
> renegotiate connections. The computational requirements for renegotiating
> a connection are asymmetrical between the client and the server, with the
> server performing several times more work. Since the remote host does not
> appear to limit the number of renegotiations for a single TLS / SSL
> connection, this permits a client to open several simultaneous connections
> and repeatedly renegotiate them, possibly leading to a denial of service
> condition.
>
> Please suggest the recommended solution for tomcat
To repeat what I have said privately on this topic:
<quote>
The Apache Tomcat security team has reviewed the available information
for CVE-2011-1473 and has performed some testing of Apache Tomcat
using one of the many tools that have been written to demonstrate this issue.
Our conclusions are:
- In terms of CPU usage there is not a large difference (same order of
magnitude) between a client creating multiple HTTPS connections and a
client creating a single HTTPS connection and repeatedly requesting
renegotiation. This is consistent with the findings / opinions of the
numerous SSL/TLS experts that have commented on this issue.
- Repeated renegotiation attempts from a single client can be detected
by a firewall.
- Multiple connection attempts from a client are easier for a firewall
to identify than multiple renegotiation requests.
- Client renegotiation is not permitted by the HTTP APR/native connector.
- It would be possible to add renegotiation rate limiting to the HTTP
BIO and NIO connectors but there is not a clear-cut case for doing this.
We would also draw your attention to the following text on the Apache
Tomcat website security pages [1]:
<quote>
Note that all networked servers are subject to denial of service
attacks, and we cannot promise magic workarounds to generic problems
(such as a client streaming lots of data to your server, or
re-requesting the same URL repeatedly). In general our philosophy is
to avoid any attacks which can cause the server to consume resources
in a non-linear relationship to the size of inputs.
</quote>
Further discussion of this issue, particularly the usefulness of
adding renegotiation rate-limiting to the HTTP BIO and NIO
connectors, should take place on the public Tomcat users mailing list.
Mark
on behalf of the Apache Tomcat security team
</quote>
With all the above in mind is there an argument for introducing
renegotiation rate limiting for BIO and NIO? Or do we just say if you
are bothered about CVE-2011-1473, use APR.
Mark
Re: How to limit the number of renegotiations for a single TLS /
SSL connection
Posted by Mark Thomas <ma...@apache.org>.
On 08/02/2013 14:28, dkumar@ccilindia.co.in wrote:
> Hello All,
>
> We are using -
> Tomcat Version - 6.0.18
> Operating System Version : HP-UX 11.31
> SSL Version - OpenSSL 0.9.8k 25 Mar 2009
> Port - 8443
>
> By running the vulnerability assessment test we are getting the following
> observation
>
> The remote service encrypts traffic using TLS / SSL and permits clients to
> renegotiate connections. The computational requirements for renegotiating
> a connection are asymmetrical between the client and the server, with the
> server performing several times more work. Since the remote host does not
> appear to limit the number of renegotiations for a single TLS / SSL
> connection, this permits a client to open several simultaneous connections
> and repeatedly renegotiate them, possibly leading to a denial of service
> condition.
>
> Please suggest the recommended solution for tomcat
To repeat what I have said privately on this topic:
<quote>
The Apache Tomcat security team has reviewed the available information
for CVE-2011-1473 and has performed some testing of Apache Tomcat
using one of the many tools that have been written to demonstrate this issue.
Our conclusions are:
- In terms of CPU usage there is not a large difference (same order of
magnitude) between a client creating multiple HTTPS connections and a
client creating a single HTTPS connection and repeatedly requesting
renegotiation. This is consistent with the findings / opinions of the
numerous SSL/TLS experts that have commented on this issue.
- Repeated renegotiation attempts from a single client can be detected
by a firewall.
- Multiple connection attempts from a client are easier for a firewall
to identify than multiple renegotiation requests.
- Client renegotiation is not permitted by the HTTP APR/native connector.
- It would be possible to add renegotiation rate limiting to the HTTP
BIO and NIO connectors but there is not a clear-cut case for doing this.
We would also draw your attention to the following text on the Apache
Tomcat website security pages [1]:
<quote>
Note that all networked servers are subject to denial of service
attacks, and we cannot promise magic workarounds to generic problems
(such as a client streaming lots of data to your server, or
re-requesting the same URL repeatedly). In general our philosophy is
to avoid any attacks which can cause the server to consume resources
in a non-linear relationship to the size of inputs.
</quote>
Further discussion of this issue, particularly the usefulness of
adding renegotiation rate-limiting to the HTTP BIO and NIO
connectors, should take place on the public Tomcat users mailing list.
Mark
on behalf of the Apache Tomcat security team
</quote>
With all the above in mind is there an argument for introducing
renegotiation rate limiting for BIO and NIO? Or do we just say if you
are bothered about CVE-2011-1473, use APR.
Mark
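The security team's note above that repeated renegotiation "can be detected by a firewall" is left as an assertion. The following is an added example (not code from this thread, from Tomcat, or from any firewall product) of what such detection can key on. In TLS 1.0 to 1.2 every record carries a plaintext 5-byte header; after the client's ChangeCipherSpec its handshake records are encrypted, but the content-type byte still reads 22 (handshake), so a fresh run of client handshake records after the first Finished is a renegotiation. The same counter, summed per source address, is also the shape a rate limit in the BIO or NIO connector would take. The byte streams are constructed; their payloads are filler, not real handshake messages, and the heuristic does not apply to TLS 1.3, which removed renegotiation and wraps post-handshake messages as application_data.

```python
"""Count client-initiated TLS renegotiations from the record layer alone, the
way a firewall or IDS in front of Tomcat could.

Added example; not code from the thread, from Tomcat, or from any firewall
product. It relies on a property of TLS 1.0 to 1.2: every record starts with a
plaintext header (content type, version, length). Once the client has sent
ChangeCipherSpec its handshake records are encrypted, but the content type
byte (22) still shows a handshake in progress, so each run of client handshake
records after the first Finished is a renegotiation. The traffic below is
constructed; record bodies are filler bytes.
"""
import struct

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
TLS12 = 0x0303


def parse_records(stream):
    """Yield (content_type, version, payload) for each record in a byte stream.
    A truncated record raises ValueError rather than being silently dropped."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        yield ctype, version, body
        off += 5 + length


def count_renegotiations(client_to_server):
    """Number of handshakes the client started after its first handshake
    completed (ChangeCipherSpec followed by the encrypted Finished record)."""
    state = "handshake"              # first handshake in flight
    renegotiations = 0
    for ctype, _version, _body in parse_records(client_to_server):
        if ctype == CHANGE_CIPHER_SPEC:
            state = "finished_pending"   # the next handshake record is Finished
        elif ctype == HANDSHAKE:
            if state == "finished_pending":
                state = "established"
            elif state == "established":
                renegotiations += 1      # a new ClientHello under the old keys
                state = "handshake"
    return renegotiations


def flag_abusive_clients(streams_by_client, limit):
    """Clients whose renegotiations, summed over their connections, exceed limit."""
    totals = {client: sum(count_renegotiations(s) for s in streams)
              for client, streams in streams_by_client.items()}
    return sorted(client for client, n in totals.items() if n > limit)


# --- constructed sample traffic (filler payloads, TLS 1.2 record headers) ----
def record(ctype, body, version=TLS12):
    return struct.pack("!BHH", ctype, version, len(body)) + body


def client_session(renegotiations):
    """Client-to-server bytes: one full handshake, then the given number of
    client-initiated renegotiations with application data in between."""
    hello_and_key_exchange = record(HANDSHAKE, b"\x01" * 60) + record(HANDSHAKE, b"\x10" * 70)
    finish = record(CHANGE_CIPHER_SPEC, b"\x01") + record(HANDSHAKE, b"\xaa" * 40)
    stream = hello_and_key_exchange + finish
    for _ in range(renegotiations):
        stream += record(APPLICATION_DATA, b"\x17" * 64)
        stream += hello_and_key_exchange + finish
    return stream + record(APPLICATION_DATA, b"\x17" * 64)


if __name__ == "__main__":
    traffic = {"10.0.0.5": [client_session(40), client_session(35)],
               "10.0.0.6": [client_session(1)]}
    for client, streams in traffic.items():
        print(client, [count_renegotiations(s) for s in streams])
    print("over limit:", flag_abusive_clients(traffic, limit=20))
```

The counter deliberately ignores what is inside the handshake records, so it works on a passive tap without keys; that is also why, as the security team observes, a burst of new connections from one address is easier to spot than this, since it needs no TLS parsing at all. Splitting a session across many connections of a few renegotiations each is the obvious evasion, which is what summing per source address in flag_abusive_clients is for.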