On 10.11.2009 15:26, ma...@apache.org wrote: > @@ -105,6 +102,7 @@ > protected String clientAuth = "false"; > protected SSLServerSocketFactory sslProxy = null; > protected String[] enabledCiphers; > + protected boolean enableMitmVulnerability = false; > > /** > * Flag to state that we require client authentication. > @@ -492,6 +490,9 @@ > getEnabledCiphers(requestedCiphers, > sslProxy.getSupportedCipherSuites()); > > + enableMitmVulnerability = > + "true".equals(attributes.get("enableMitmVulnerability")); > + > // Check the SSL config is OK > checkConfig(); > >
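Review bot: The new field `enableMitmVulnerability` in the first hunk is declared without any comment, while the declaration that follows it carries a Javadoc ("Flag to state that we require client authentication."). Suggest a one-line Javadoc stating what the flag permits and that it defaults to `false`, so the secure default is explicit to anyone reading or subclassing this factory.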
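Review bot: In the second hunk, `"true".equals(attributes.get("enableMitmVulnerability"))` switches the option on silently; nothing in the visible lines logs that it was enabled. Suggest emitting a warning when the flag evaluates to true, so a deployment running with it enabled shows up in the logs. The exact-match comparison also means any value other than lowercase "true" (for example "TRUE") leaves the flag off, which fails safe but should be stated in the attribute's documentation.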
Isn't the naming a bit harsh? OpenSSL names it legacy renegotiation (to make it differ from the future renegotiation with TLS extension). So maybe enableLegacyRenegotiation would be better? Of course it wouldn't keep people from activating it as much as the proposed name does, but on the other hand (unfortunately) there are valid use cases to activate it.

Regards,

Rainer