On 18/02/2010 16:30, Kevin Mills wrote:
> On 2/17/10, Mark Thomas <ma...@apache.org> wrote:
>> CVE-2009-3555?
>
> Now that this is working, I'd like to ask what other options exist for
> using client certificate authentication on a per-webapp basis.
> Requiring my customers to enable a feature
> (allowUnsafeLegacyRenegotiation) that exposes them to a potential
> man-in-the-middle attack doesn't seem like a good idea! (Heck, it even
> says "Unsafe" in the property name!)
>
> I saw mention of overriding the SSL implementation with
> sslImplementation="classname"... does that still work in 6.x? Is that
> a good option? And what about an Authentication Valve, is that the
> right direction?
No. The TLS protocol is broken. You need to avoid renegotiation or wait for the updated protocol and Sun to implement the fix in JSSE or an OpenSSL release with the fix.

Mark
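Editor's added illustration of the two positions in this thread (not code from the thread or from the Tomcat project): a Tomcat 6 server.xml fragment showing the weak configuration Kevin describes beside the renegotiation-free alternative Mark's answer points at. With clientAuth="false", a webapp whose web.xml asks for CLIENT-CERT makes Tomcat request the certificate after the handshake, which is a TLS renegotiation and, on an unfixed JSSE, only works with the unsafe flag. A connector with clientAuth="true" asks for the certificate in the initial handshake instead, so no renegotiation occurs. Port numbers, keystore paths and passwords below are placeholders.

```xml
<!-- Added example (not from the thread). Placeholder ports, paths and passwords. -->

<!-- Weak: no client cert requested up front, so per-webapp CLIENT-CERT authentication
     triggers a TLS renegotiation. Making that work on a JSSE without the protocol fix
     requires allowUnsafeLegacyRenegotiation="true", which re-exposes CVE-2009-3555. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="false"
           allowUnsafeLegacyRenegotiation="true"
           keystoreFile="/path/to/keystore.jks" keystorePass="changeit" />

<!-- Avoiding renegotiation: a separate connector that requires the client certificate
     during the initial handshake. Webapps that need certificate authentication are
     served through this port, so no renegotiation happens and
     allowUnsafeLegacyRenegotiation is left unset (default false). -->
<Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="/path/to/keystore.jks" keystorePass="changeit"
           truststoreFile="/path/to/truststore.jks" truststorePass="changeit" />
```

The trade-off is that the certificate requirement becomes a property of the port rather than of the individual webapp, which is exactly what avoids the renegotiation step the CVE is about.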