secure TLS renegotiation
Hello,

Does Tomcat support the so-called secure TLS renegotiation? If so, what should I configure to use it? Currently, when connecting to my application using a secure connection, most browsers complain about my server software being very old and insecure because of the lack of this feature.

I'm using Tomcat 6.0.29 on linux/freebsd.

Thanks,
Olaf
Re: secure TLS renegotiation
On 28/01/2011 19:00, Olaf Tomczak wrote:
> Hello,
> Does Tomcat support the so-called secure TLS renegotiation? If so, what should I configure to use it? Currently, when connecting to my application using a secure connection, most browsers complain about my server software being very old and insecure because of the lack of this feature.
> I'm using Tomcat 6.0.29 on linux/freebsd.

Yes, if the JVM supports it. You'll probably need to enable Tomcat's allowLegacyRenegotiation feature, else Tomcat will block all renegotiation.

That needs a rename to allowRenegotiation in light of how Oracle decided to fix this. Unfortunately Oracle went for system-wide system properties rather than providing an API to let folks control it per socket or connection.

Mark

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: secure TLS renegotiation
Mark,

2011/1/28 Mark Thomas ma...@apache.org
> On 28/01/2011 19:00, Olaf Tomczak wrote:
>> Hello,
>> Does Tomcat support the so-called secure TLS renegotiation? If so, what should I configure to use it? Currently, when connecting to my application using a secure connection, most browsers complain about my server software being very old and insecure because of the lack of this feature.
>> I'm using Tomcat 6.0.29 on linux/freebsd.
>
> Yes, if the JVM supports it. You'll probably need to enable Tomcat's allowLegacyRenegotiation feature, else Tomcat will block all renegotiation.

I googled allowLegacyRenegotiation and found this article:
http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html

It describes the following 2 system properties:

sun.security.ssl.allowUnsafeRenegotiation - Introduced in Phase 1, this controls whether legacy (unsafe) renegotiations are permitted.
sun.security.ssl.allowLegacyHelloMessages - Introduced in Phase 2, this allows the peer to handshake without requiring the proper RFC 5746 messages.

Are these what you meant?

Thanks for your help,
Olaf

> That needs a rename to allowRenegotiation in light of how Oracle decided to fix this. Unfortunately Oracle went for system-wide system properties rather than providing an API to let folks control it per socket or connection.
>
> Mark
Re: secure TLS renegotiation
On 28/01/2011 19:29, Olaf Tomczak wrote:
> Mark,
>
> 2011/1/28 Mark Thomas ma...@apache.org
>> On 28/01/2011 19:00, Olaf Tomczak wrote:
>>> Hello,
>>> Does Tomcat support the so-called secure TLS renegotiation? If so, what should I configure to use it? Currently, when connecting to my application using a secure connection, most browsers complain about my server software being very old and insecure because of the lack of this feature.
>>> I'm using Tomcat 6.0.29 on linux/freebsd.
>>
>> Yes, if the JVM supports it. You'll probably need to enable Tomcat's allowLegacyRenegotiation feature, else Tomcat will block all renegotiation.
>
> I googled allowLegacyRenegotiation and found this article:
> http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
>
> It describes the following 2 system properties:
>
> sun.security.ssl.allowUnsafeRenegotiation - Introduced in Phase 1, this controls whether legacy (unsafe) renegotiations are permitted.
> sun.security.ssl.allowLegacyHelloMessages - Introduced in Phase 2, this allows the peer to handshake without requiring the proper RFC 5746 messages.
>
> Are these what you meant?

That is what I meant for the Oracle part. You'll need to look at the Tomcat configuration docs for the HTTP connector for allowLegacyRenegotiation.

Mark
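As an added example (not from the thread or from Tomcat), the check behind the browser warning Olaf describes: a patched server advertises the RFC 5746 renegotiation_info extension (type 0xff01) in its ServerHello, and the parser below looks for it. Both ServerHello records are constructed inline; the cipher suite and random bytes in them are arbitrary dummy values.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # RFC 5746 extension type "renegotiation_info"

def parse_server_hello_extensions(record):
    """Return {extension_type: data} from a TLS record holding one ServerHello.
    Only the fields needed to reach the extensions block are decoded."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                      # server_version + random
    pos += 1 + hello[pos]             # length-prefixed session_id
    pos += 2 + 1                      # cipher_suite + compression_method
    exts = {}
    if pos == len(hello):             # old server: no extensions block at all
        return exts
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    if end != len(hello):
        raise ValueError("extensions length mismatch")
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        exts[etype] = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    if pos != end:
        raise ValueError("truncated extension")
    return exts

def supports_secure_renegotiation(record):
    """True when the ServerHello signals RFC 5746 support on a fresh connection:
    renegotiated_connection must be empty, so the data is the single byte 0x00."""
    return parse_server_hello_extensions(record).get(RENEGOTIATION_INFO) == b"\x00"

def build_server_hello(extensions):
    """Constructed sample (not captured traffic): minimal TLS 1.2 ServerHello record."""
    hello = (b"\x03\x03" + b"\x11" * 32   # version, fixed dummy random
             + b"\x00"                     # empty session_id
             + b"\xc0\x2f" + b"\x00")      # cipher suite, null compression
    if extensions:
        block = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        hello += struct.pack("!H", len(block)) + block
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body

# A server patched for RFC 5746 beside one that still only does legacy renegotiation.
SECURE_HELLO = build_server_hello([(RENEGOTIATION_INFO, b"\x00")])
LEGACY_HELLO = build_server_hello([(0x0000, b"")])  # only an empty server_name ack
```

Feeding the first record a real server returns (for instance from a packet capture) to supports_secure_renegotiation tells you whether the JVM under Tomcat has the RFC 5746 support the browsers are checking for.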