Hi,
I am running Tomcat 5.35 and I got a report that it is vulnerable to SSL client 
renegotiation DoS. 

You note in your docs that this is not a Tomcat issue per se, but a JSSE issue.
Please note that allowUnsafeLegacyRenegotiation is set to false. Looking into 
the source code I see the following:

public void handshake(Socket sock) throws IOException {

    ((SSLSocket)sock).startHandshake(); 

    if(!allowUnsafeLegacyRenegotiation) {
       // disable all ciphers, avoiding any subsequent handshake
       ((SSLSocket)sock).setEnabledCipherSuites(new String[0]);
    }
}

Also looking into Tomcat6/7 source code I see that the only difference is to 
check for existence of TLS_EMPTY_RENEGOTIATION_INFO_SCSV in JSSE. 

But other than that the logic is the same. So I can only assume that upgrading 
to Tomcat 6 would not solve my problem.
Since I have verified via debugging also that allowUnsafeLegacyRenegotiation is 
indeed false, why do I get reports on SSL client renegotiation vulnerability? 


I see in your notes (http://tomcat.apache.org/security-5.html) that:
Requires JRE that supports RFC 5746. For Oracle JRE that is known to be 6u22 or 
later. 


But as I understand the code, even if the JRE does not support the RFC, you still 
disable the handshake with your "hack" to set no enabled ciphers.


Is this a Java/JSSE problem? What can I do? Can you please help me?


Thank you!
