openssl s_client ... Type "R" (to renegotiate). Unfortunately renegotiation is handled transparently and did work quite well...

Costin

On Tue, Nov 10, 2009 at 10:53 PM, Filip Hanik - Dev Lists <devli...@hanik.com> wrote:
> I don't think NIO allows a renegotiation as it is today. I will have to
> look deeper in the code. But I think the negotiation is a one time deal per
> connection. I will look closer.
>
> Filip
>
>
> On 11/07/2009 09:59 AM, Mark Thomas wrote:
>
>> All,
>>
>> I was thinking about this on my way back from ApacheCon and we probably
>> need to get some advice out to users early next week.
>>
>> My current understanding is that the MITM attack is triggered by a
>> renegotiation.
>>
>> On this basis I suggest something along the following lines:
>>
>> SSL using JSSE (BIO and NIO connectors)
>> - Don't use SSL configs that require renegotiation, i.e. the SSL config
>> should be the same for the entire host. Sites that require SSL in some
>> places and SSL + CLIENT-CERT in others will require reconfiguration.
>> Sites that require SSL for some parts should be OK.
>> - Keep watch for a Sun update to the JDK that may help address the issue
>>
>> SSL using tc Native
>> - tcnative does not support renegotiation
>> (https://issues.apache.org/bugzilla/show_bug.cgi?id=46950) so for now
>> users of tc native with SSL should be OK
>>
>>
>> We also need to think about what to do with tc native. Maybe something
>> like:
>> - release 1.1.17 with binaries built with 0.9.8l (so renegotiation is
>> disabled)
>> - keep an eye on httpd and if they find a work-around, copy it and
>> release 1.1.18 with renegotiation enabled
>>
>> For now, I'm not proposing any changes to the docs although we may want
>> to put a summary of the advice - once agreed - on the security pages.
>>
>> Thoughts?
>>
>> Mark
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: dev-h...@tomcat.apache.org
>>
>
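As an added illustration of the reconfiguration Mark's advice implies (not part of the thread, and not Tomcat project code): a host that serves plain SSL everywhere but demands CLIENT-CERT only under one path, beside the host-wide alternative that asks for the certificate in the initial handshake. Port, keystore paths, passwords and the `/admin/*` path are constructed placeholders.

```xml
<!-- server.xml, BEFORE: SSL for the whole host, but no client certificate
     is requested at the initial handshake. A context whose web.xml uses
     CLIENT-CERT for a subset of URLs (below) makes the connector ask for the
     certificate later, i.e. it renegotiates the already-established session. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="false"
           keystoreFile="conf/keystore.jks" keystorePass="CHANGEME"
           truststoreFile="conf/truststore.jks" truststorePass="CHANGEME" />

<!-- web.xml fragment of the BEFORE layout: SSL + CLIENT-CERT only for /admin/* -->
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- server.xml, AFTER: one SSL configuration for the entire host. The client
     certificate is requested and verified in the initial handshake, so the
     CLIENT-CERT constraint is already satisfied when /admin/* is requested
     and no renegotiation takes place. The cost is the one Mark names: every
     client of this host must present an acceptable certificate, or the
     handshake fails up front. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="conf/keystore.jks" keystorePass="CHANGEME"
           truststoreFile="conf/truststore.jks" truststorePass="CHANGEME" />
```

Sites that cannot require certificates host-wide would instead split the certificate-protected content onto its own connector or virtual host with `clientAuth="true"`, keeping each host's SSL configuration uniform.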