https://issues.apache.org/bugzilla/show_bug.cgi?id=55536
Bug ID: 55536
Summary: allow to disable Secure Client-Initiated Renegotiation - DOS risk
Product: Tomcat 7
Version: unspecified
Hardware: PC
Status: NEW
Severity: enhancement
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
The Apache/2.2.24 (FreeBSD) mod_ssl/2.2.24 OpenSSL/1.0.1e of
https://www.ssllabs.com/ssltest/analyze.html?d=issues.apache.org doesn't allow
Secure Client-Initiated Renegotiation.
It is considered dangerous for DoS attacks:
https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
How could this be done with Tomcat 7?
http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme-141115.html
Maybe the approach of bug 48236 could be used for this purpose again?
    // after creation, immediately disable all ciphers, avoiding any subsequent handshake
    ((SSLSocket) sock).setEnabledCipherSuites(new String[0]);
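The following is an added example, not code from the bug report or from Tomcat: a minimal JSSE server loop that applies the bug 48236 approach quoted above on the server side. Once the first handshake has completed, the socket's enabled cipher suite list is emptied, so a renegotiation ClientHello from the client has no suite the server will accept and the renegotiation fails before the server performs another key exchange. The class name, the port (8443) and the use of the standard javax.net.ssl.keyStore system properties for the server certificate are choices made for this example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.util.Arrays;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

public class NoRenegotiationServer {

    /**
     * Completes the initial TLS handshake on an accepted socket and then empties its
     * enabled cipher suite list. The established session keeps the suite it negotiated;
     * a later ClientHello (a client-initiated renegotiation) finds no suite the server
     * is willing to use, so the renegotiation fails instead of costing a second key exchange.
     */
    static SSLSocket acceptWithoutRenegotiation(SSLServerSocket server) throws IOException {
        SSLSocket sock = (SSLSocket) server.accept();
        sock.setUseClientMode(false);
        sock.startHandshake(); // the one handshake we allow, using the server's full suite list
        // Same approach as the bug 48236 snippet quoted in the report.
        sock.setEnabledCipherSuites(new String[0]);
        return sock;
    }

    /** Toy request handler for the example: echoes one line back, then closes. */
    static void handle(SSLSocket sock) throws IOException {
        try (BufferedReader in = new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
             Writer out = new OutputStreamWriter(sock.getOutputStream(), "UTF-8")) {
            String line = in.readLine();
            out.write("echo: " + (line == null ? "" : line) + "\n");
            out.flush();
        } finally {
            sock.close();
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumption for this example: the server key and certificate are supplied via
        // -Djavax.net.ssl.keyStore / -Djavax.net.ssl.keyStorePassword, and port 8443 is free.
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(8443)) {
            while (true) {
                SSLSocket sock = acceptWithoutRenegotiation(server);
                System.out.println("negotiated " + sock.getSession().getCipherSuite()
                        + "; suites enabled for further handshakes: "
                        + Arrays.toString(sock.getEnabledCipherSuites()));
                handle(sock);
            }
        }
    }
}
```

The empty suite list is set synchronously after startHandshake() returns rather than from a HandshakeCompletedListener, because JSSE delivers that event on a separate thread and the window between handshake completion and the listener running would otherwise still accept a renegotiation. The check that matters on a live server is the one the report points at: after the change, the SSL Labs test should report client-initiated renegotiation as not supported. Later JDKs also provide a dedicated switch, the jdk.tls.rejectClientInitiatedRenegotiation system property, which rejects client-initiated renegotiation with a fatal alert and removes the need for the cipher-suite trick where it is available.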