Re: [tomcat-native] branch main updated: Add renegotiation info

[Mark Thomas]

On 30/06/2022 17:47, Christopher Schultz wrote:

On 6/30/22 03:35, ma...@apache.org wrote:





+
+  
+  Support for unsafe legacy negotiation depends on OpenSSL. Only if 
Tomcat
+  Native is compiled with a build of OpenSSL that supports legacy 
renegotiation

+  will Tomcat Native support it.
+  


Does this mean it's /possible/ (and configurable) to use Unsafe Legacy 
Negotiation, or does it mean that it's always-on for openssl builds 
where it's there, and always-off when it's not there?


It means that it is possible, configurable and disabled by default to 
use unsafe legacy negotiation unless OpenSSL has been compiled with that 
functionality explicitly removed. In which case it is completely disabled.


My memory is that I found a page that indicated it was possible to 
compile OpenSSL with that functionality removed. When I went to re-check 
my facts before writing this email, I couldn't find anything to confirm 
that.


I'll re-write that page to make clear that the behaviour is determined 
by OpenSSL configuration and that with 3.0.x, support is disabled by 
default.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [tomcat-native] branch main updated: Add renegotiation info

[Christopher Schultz]

Mark,

On 6/30/22 03:35, ma...@apache.org wrote:

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git


The following commit(s) were added to refs/heads/main by this push:
  new 28aa8ef2c Add renegotiation info
28aa8ef2c is described below

commit 28aa8ef2c9360dcdcb9f2386224146ebce0c36f2
Author: Mark Thomas 
AuthorDate: Thu Jun 30 08:35:50 2022 +0100
 >  Add renegotiation info

>
> [snip]


+
+  
+  Support for unsafe legacy negotiation depends on OpenSSL. Only if Tomcat
+  Native is compiled with a build of OpenSSL that supports legacy renegotiation
+  will Tomcat Native support it.
+  


Does this mean it's /possible/ (and configurable) to use Unsafe Legacy 
Negotiation, or does it mean that it's always-on for openssl builds 
where it's there, and always-off when it's not there?


-chris

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat-native] branch main updated: Add renegotiation info

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git


The following commit(s) were added to refs/heads/main by this push:
 new 28aa8ef2c Add renegotiation info
28aa8ef2c is described below

commit 28aa8ef2c9360dcdcb9f2386224146ebce0c36f2
Author: Mark Thomas 
AuthorDate: Thu Jun 30 08:35:50 2022 +0100

Add renegotiation info
---
 TODO.txt  | 14 -
 xdocs/miscellaneous/changelog.xml |  7 ++---
 xdocs/miscellaneous/project.xml   |  1 +
 xdocs/miscellaneous/tls-renegotiation.xml | 49 +++
 xdocs/news/project.xml|  3 +-
 xdocs/project.xml |  3 +-
 6 files changed, 57 insertions(+), 20 deletions(-)

diff --git a/TODO.txt b/TODO.txt
index 6570c9535..ed95823ce 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -21,20 +21,6 @@
 TODO
 
 
-SSL Renegotiation
--
-
-It is unclear to me, what the current state is. It looks like we support
-the unsafe legacy reneg whenever the OpenSSL used during build time
-supports it. There is no configuration option to switch it off during
-runtime. Right?
-
-Is it correct, that client initiated reneg is not supported and thus the
-known attacks will not work even with old OpenSSL?
-
-Should we add a remark about this topic to the docs?
-
-
 Releasing
 -
 
diff --git a/xdocs/miscellaneous/changelog.xml 
b/xdocs/miscellaneous/changelog.xml
index 50e78669d..cef5f2864 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -23,10 +23,6 @@
 
   
 
-  
-Jean-Frederic Clere
-  
-
 
 
 
@@ -57,6 +53,9 @@
   10.1.x to support the use of OpenSSL as a replacement for JSSE to provide
   TLS functionality. (markt)
 
+
+  Document the TLS rengotiation behaviour. (markt)
+
   
 
 
diff --git a/xdocs/miscellaneous/project.xml b/xdocs/miscellaneous/project.xml
index 2b97d89cb..1153ee1ea 100644
--- a/xdocs/miscellaneous/project.xml
+++ b/xdocs/miscellaneous/project.xml
@@ -31,6 +31,7 @@
 
 
 
+
 
 
 
diff --git a/xdocs/miscellaneous/tls-renegotiation.xml 
b/xdocs/miscellaneous/tls-renegotiation.xml
new file mode 100644
index 0..1d411cc20
--- /dev/null
+++ b/xdocs/miscellaneous/tls-renegotiation.xml
@@ -0,0 +1,49 @@
+
+
+
+]>
+
+
+
+  
+
+
+
+
+  
+  Historically there have been security issues associated with TLS
+  renegotiation. This page describes the renegotiation behaviour of the Tomcat
+  Native library.
+  
+
+
+  
+  Client initiated renegotiation is disabled. This behaviour is hard-coded and
+  cannot be changed.
+  
+
+
+  
+  Support for unsafe legacy negotiation depends on OpenSSL. Only if Tomcat
+  Native is compiled with a build of OpenSSL that supports legacy renegotiation
+  will Tomcat Native support it.
+  
+
+
+
diff --git a/xdocs/news/project.xml b/xdocs/news/project.xml
index ecb969701..20c66baa0 100644
--- a/xdocs/news/project.xml
+++ b/xdocs/news/project.xml
@@ -30,7 +30,8 @@
 
 
 
-  
+  
+
 
 
 
diff --git a/xdocs/project.xml b/xdocs/project.xml
index c121f0c84..9184f9688 100644
--- a/xdocs/project.xml
+++ b/xdocs/project.xml
@@ -30,7 +30,8 @@
 
 
 
-  
+  
+  
 
 
 


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org