This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/main by this push:
new 28aa8ef2c Add renegotiation info
28aa8ef2c is described below
commit 28aa8ef2c9360dcdcb9f2386224146ebce0c36f2
Author: Mark Thomas
AuthorDate: Thu Jun 30 08:35:50 2022 +0100
Add renegotiation info
---
TODO.txt | 14 -
xdocs/miscellaneous/changelog.xml | 7 ++---
xdocs/miscellaneous/project.xml | 1 +
xdocs/miscellaneous/tls-renegotiation.xml | 49 +++
xdocs/news/project.xml| 3 +-
xdocs/project.xml | 3 +-
6 files changed, 57 insertions(+), 20 deletions(-)
diff --git a/TODO.txt b/TODO.txt
index 6570c9535..ed95823ce 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -21,20 +21,6 @@
TODO
-SSL Renegotiation
--
-
-It is unclear to me, what the current state is. It looks like we support
-the unsafe legacy reneg whenever the OpenSSL used during build time
-supports it. There is no configuration option to switch it off during
-runtime. Right?
-
-Is it correct, that client initiated reneg is not supported and thus the
-known attacks will not work even with old OpenSSL?
-
-Should we add a remark about this topic to the docs?
-
-
Releasing
-
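Review bot: the TODO entry removed here asks three concrete questions (whether unsafe legacy renegotiation is enabled whenever the build-time OpenSSL supports it, whether it can be switched off at runtime, and whether client-initiated renegotiation is unsupported), and deleting the entry only closes it if the new documentation answers all three; the runtime question in particular ("There is no configuration option to switch it off during runtime. Right?") needs an explicit yes or no in the new tls-renegotiation page, otherwise keep that line in TODO.txt until it is resolved.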
diff --git a/xdocs/miscellaneous/changelog.xml
b/xdocs/miscellaneous/changelog.xml
index 50e78669d..cef5f2864 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -23,10 +23,6 @@
-
-Jean-Frederic Clere
-
-
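Review bot: this hunk removes the Jean-Frederic Clere entry from the changelog, which is unrelated to the commit message "Add renegotiation info"; either mention the removal in the commit message or move it to a separate commit so the changelog history stays traceable.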
@@ -57,6 +53,9 @@
10.1.x to support the use of OpenSSL as a replacement for JSSE to provide
TLS functionality. (markt)
+
+ Document the TLS rengotiation behaviour. (markt)
+
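Review bot: typo in the added changelog entry: "rengotiation" should be "renegotiation" in "+ Document the TLS rengotiation behaviour. (markt)".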
diff --git a/xdocs/miscellaneous/project.xml b/xdocs/miscellaneous/project.xml
index 2b97d89cb..1153ee1ea 100644
--- a/xdocs/miscellaneous/project.xml
+++ b/xdocs/miscellaneous/project.xml
@@ -31,6 +31,7 @@
+
diff --git a/xdocs/miscellaneous/tls-renegotiation.xml
b/xdocs/miscellaneous/tls-renegotiation.xml
new file mode 100644
index 0..1d411cc20
--- /dev/null
+++ b/xdocs/miscellaneous/tls-renegotiation.xml
@@ -0,0 +1,49 @@
+
+
+
+]>
+
+
+
+
+
+
+
+
+
+ Historically there have been security issues associated with TLS
+ renegotiation. This page describes the renegotiation behaviour of the Tomcat
+ Native library.
+
+
+
+
+ Client initiated renegotiation is disabled. This behaviour is hard-coded and
+ cannot be changed.
+
+
+
+
+ Support for unsafe legacy negotiation depends on OpenSSL. Only if Tomcat
+ Native is compiled with a build of OpenSSL that supports legacy renegotiation
+ will Tomcat Native support it.
+
+
+
+
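Review bot: "unsafe legacy negotiation" in the last section should read "unsafe legacy renegotiation", matching the next sentence and the page title. The page also leaves open whether legacy renegotiation, when compiled in, can be disabled at runtime; since this commit removes the TODO question "There is no configuration option to switch it off during runtime. Right?", state the answer here explicitly (for example: "There is no runtime option; support is decided entirely at build time" if that is the case). It would also help users to say how to tell whether their OpenSSL build supports legacy renegotiation, or to point at the relevant OpenSSL documentation, rather than leaving "depends on OpenSSL" as the only guidance.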
diff --git a/xdocs/news/project.xml b/xdocs/news/project.xml
index ecb969701..20c66baa0 100644
--- a/xdocs/news/project.xml
+++ b/xdocs/news/project.xml
@@ -30,7 +30,8 @@
-
+
+
diff --git a/xdocs/project.xml b/xdocs/project.xml
index c121f0c84..9184f9688 100644
--- a/xdocs/project.xml
+++ b/xdocs/project.xml
@@ -30,7 +30,8 @@
-
+
+
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org