Dear all,

I just installed the tomcat-native-1.1.19 APR connector alongside tomcat-6.0.20, since my understanding of its CHANGELOG.txt is that the renegotiation vulnerability should be gone when using this APR connector, despite my openssl version being below 0.9.8l (since I'm on CentOS/RHEL5).

It installed fine, tomcat runs fine too, the APR connector is used (according to catalina.out), everything seems shiny BUT:

    7:j...@eluveitie:~> openssl s_client -connect 10.0.8.193:8443
    CONNECTED(00000003)
    [...]
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: 3A9B50B20A6B3F62DE137E5642240DE0018863D3ED86B8EADAA5E46436D589E5
        Session-ID-ctx:
        Master-Key: C579C042442C519FE02CF96A050EDAAD208C421E2FD1CA6E20DC818A13A7ABC5306AACFFDF36A440A3E1FED43CCDCB59
        Key-Arg   : None
        Start Time: 1263572654
        Timeout   : 300 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
    ---
    GET / HTTP/1.0
    Host:evil.com
    R
    RENEGOTIATING
    depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    5253:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

the GET / HTTP/1.0 until the "R" is manually inserted; I expect something like

    2860:error:1409444C:SSL routines:SSL3_READ_BYTES:tlsv1 alert no renegotiation:./ssl/s3_pkt.c:1053:SSL alert number 100

but certainly no RENEGOTIATION. Any hints?

System is CentOS 5.4, packages:

    openssl-0.9.8e-12.el5
    apr-devel-1.2.7-11.el5_3.1
    apr-1.2.7-11.el5_3.1

Thanks in advance! (I will probably be afk for the weekend.)

Regards,
Jens Neu
Health Services Network Administration
Phone: +49 (0) 30 68905-2412
Mail: jens....@biotronik.de
www.biotronik.com

BIOTRONIK SE & Co. KG
Woermannkehre 1, 12359 Berlin, Germany
Registered office: Berlin, Court of registration: Berlin HRA 6501
Represented by its general partner: BIOTRONIK MT SE
Registered office: Berlin, Court of registration: Berlin HRB 118866 B
Chairman of the Board of Directors: Dr. Max Schaldach
Managing Directors: Christoph Böhmer, Dr. Werner Braun, Dr. Lothar Krings
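A small offline check, added here as an example and not taken from the post or from the Tomcat project: it reads a saved `openssl s_client` session and classifies what the server did after the `R` command. Keep in mind that s_client prints RENEGOTIATING itself the moment `R` is typed, before the server has answered, so only the lines after it say anything about the server; the sample transcripts below are constructed and abridged, not captures from any real host.

```python
import re
import sys

# Constructed, abridged samples of what `openssl s_client` prints after 'R'
# is typed; they are illustrative, not captures from any real server.
REFUSED_BY_ALERT = """\
R
RENEGOTIATING
2860:error:1409444C:SSL routines:SSL3_READ_BYTES:tlsv1 alert no renegotiation:./ssl/s3_pkt.c:1053:SSL alert number 100
"""
ABORTED_BY_SERVER = """\
R
RENEGOTIATING
depth=1 /C=XX/O=Example CA/CN=Example Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
5253:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
"""
COMPLETED = """\
R
RENEGOTIATING
depth=1 /C=XX/O=Example CA/CN=Example Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
HTTP/1.1 200 OK
"""


def classify_renegotiation(transcript: str) -> str:
    """Return what the server did with a client-initiated renegotiation:
    'not-attempted', 'refused' (no_renegotiation alert, TLS alert 100),
    'aborted' (handshake failure / connection torn down) or 'completed'."""
    # s_client prints RENEGOTIATING as soon as 'R' is typed, before any
    # server reply, so only the text after it tells us anything.
    if "RENEGOTIATING" not in transcript:
        return "not-attempted"
    after = transcript.split("RENEGOTIATING", 1)[1]
    if re.search(r"alert no renegotiation|SSL alert number 100", after):
        return "refused"
    if re.search(r"handshake failure", after):
        return "aborted"
    # No alert and no failure: the second handshake went through, so the
    # server still accepts client-initiated renegotiation.
    return "completed"


if __name__ == "__main__":
    # Usage: save an s_client session to a file and pass its path.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else ABORTED_BY_SERVER
    print(classify_renegotiation(text))
```

Both "refused" and "aborted" mean the server did not let the renegotiation complete; only "completed" indicates the mitigation is not in effect.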