This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 1.2.x in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
commit 1ef358dc498a85ffe767259a0ec2fee289c53951
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Jun 30 08:35:50 2022 +0100
Add renegotiation info
---
 TODO.txt | 14 --------
 xdocs/miscellaneous/changelog.xml | 7 ++---
 xdocs/miscellaneous/project.xml | 1 +
 xdocs/miscellaneous/tls-renegotiation.xml | 50 +++++++++++++++++++++++++++++++
 xdocs/news/project.xml | 3 +-
 xdocs/project.xml | 3 +-
 6 files changed, 58 insertions(+), 20 deletions(-)
diff --git a/TODO.txt b/TODO.txt
index 2ca4e0ce9..a16c0521e 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -21,20 +21,6 @@ TODO
-SSL Renegotiation
------------------
-
-It is unclear to me, what the current state is. It looks like we support
-the unsafe legacy reneg whenever the OpenSSL used during build time
-supports it. There is no configuration option to switch it off during
-runtime. Right?
-
-Is it correct, that client initiated reneg is not supported and thus the
-known attacks will not work even with old OpenSSL?
-
-Should we add a remark about this topic to the docs?
-
-
 Java Tests and Examples
 -----------------------
diff --git a/xdocs/miscellaneous/changelog.xml b/xdocs/miscellaneous/changelog.xml
index f9e32c0f0..7a46cc2da 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -23,10 +23,6 @@
 &project;
- <properties>
- <author email="jfcl...@apache.org">Jean-Frederic Clere</author>
- </properties>
-
 <body>
 <section name="Preface">
@@ -36,6 +32,9 @@
 </section>
 <section name="Changes in 1.2.35">
 <changelog>
+ <docs>
+ Document the TLS rengotiation behaviour. (markt)
+ </docs>
 </changelog>
 </section>
 <section name="Changes in 1.2.34">
diff --git a/xdocs/miscellaneous/project.xml b/xdocs/miscellaneous/project.xml
index 2b97d89cb..1153ee1ea 100644
--- a/xdocs/miscellaneous/project.xml
+++ b/xdocs/miscellaneous/project.xml
@@ -31,6 +31,7 @@
 <menu name="Miscellaneous Documentation">
 <item name="Changelog" href="../miscellaneous/changelog.html"/>
+ <item name="TLS renegotiation" href="../miscellaneous/tls-renegotiation.html"/>
 </menu>
 <menu name="News">
diff --git a/xdocs/miscellaneous/tls-renegotiation.xml b/xdocs/miscellaneous/tls-renegotiation.xml
new file mode 100644
index 000000000..42904ec6d
--- /dev/null
+++ b/xdocs/miscellaneous/tls-renegotiation.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!DOCTYPE document [
+ <!ENTITY project SYSTEM "project.xml">
+]>
+<?xml-stylesheet type="application/xslt+xml" href="../style.xsl"?>
+<document url="tls-renegotiation.html">
+
+ &project;
+
+<body>
+
+<section name="Introduction">
+ <p>
+ Historically there have been security issues associated with TLS
+ renegotiation. This page describes the renegotiation behaviour of the Tomcat
+ Native library.
+ </p>
+</section>
+<section name="Client initiated renegotiation">
+ <p>
+ Client initiated renegotiation is disabled. This behaviour is hard-coded and
+ cannot be changed.
+ </p>
+</section>
+<section name="Unsafe legacy negotiation">
+ <p>
+ Support for unsafe legacy negotiation depends on OpenSSL. Unsafe legacy
+ renegotiation is disabled by default and will not be allowed unless the
+ OpenSSL configuration option
+ <code>SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION</code> is set.
+ </p>
+</section>
+</body>
+</document>
diff --git a/xdocs/news/project.xml b/xdocs/news/project.xml
index ecb969701..20c66baa0 100644
--- a/xdocs/news/project.xml
+++ b/xdocs/news/project.xml
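Review bot: The third section is named inconsistently with its own content: the heading `<section name="Unsafe legacy negotiation">` and the sentence "Support for unsafe legacy negotiation depends on OpenSSL" say "negotiation", while the page title, the rest of the paragraph and the option name `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` all refer to renegotiation (the RFC 5746 renegotiation_info issue), so `<section name="Unsafe legacy renegotiation">` and `Support for unsafe legacy renegotiation depends on OpenSSL.` would remove the ambiguity. The page should also state that renegotiation does not exist in TLS 1.3, so both sections describe TLS 1.2 and earlier only; a sentence in the Introduction such as `TLS 1.3 has no renegotiation; the behaviour described below applies to TLS 1.2 and earlier connections.` would make that explicit. "This behaviour is hard-coded and cannot be changed" would be more useful with a pointer to how it is enforced (presumably an OpenSSL option or a handshake-count check in the native code — confirm against the implementation), and the unsafe-legacy paragraph reads as if the option were a Tomcat Native setting, so it should say where that OpenSSL option is expected to be set. The changelog entry in the sibling hunk also misspells it as `rengotiation`.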
@@ -30,7 +30,8 @@
 </menu>
 <menu name="Miscellaneous Documentation">
- <item name="Changelog" href="../miscellaneous/changelog.html"/>
+ <item name="Changelog" href="../miscellaneous/changelog.html"/>
+ <item name="TLS renegotiation" href="../miscellaneous/tls-renegotiation.html"/>
 </menu>
 <menu name="News">
diff --git a/xdocs/project.xml b/xdocs/project.xml
index c121f0c84..9184f9688 100644
--- a/xdocs/project.xml
+++ b/xdocs/project.xml
@@ -30,7 +30,8 @@
 </menu>
 <menu name="Miscellaneous Documentation">
- <item name="Changelog" href="miscellaneous/changelog.html"/>
+ <item name="Changelog" href="miscellaneous/changelog.html"/>
+ <item name="TLS renegotiation" href="miscellaneous/tls-renegotiation.html"/>
 </menu>
 <menu name="News">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org