Hi, I am running Tomcat 5.35 and I got a report that it is vulnerable to SSL client renegotiation DoS.
You note in your docs that this is not a Tomcat issue per se, but a JSSE issue. Please note that allowUnsafeLegacyRenegotiation is set to false. Looking into the source code I see the following:

    public void handshake(Socket sock) throws IOException {
        ((SSLSocket)sock).startHandshake();
        if(!allowUnsafeLegacyRenegotiation) {
            // disable all ciphers, avoiding any subsequent handshake
            ((SSLSocket)sock).setEnabledCipherSuites(new String[0]);
        }
    }

Also, looking into the Tomcat6/7 source code, I see that the only difference is to check for the existence of TLS_EMPTY_RENEGOTIATION_INFO_SCSV in JSSE. But other than that the logic is the same. So I can only assume that upgrading to Tomcat 6 would not solve my problem.

Since I have also verified via debugging that allowUnsafeLegacyRenegotiation is indeed false, why do I get reports on SSL client renegotiation vulnerability?

I see in your notes (http://tomcat.apache.org/security-5.html) that:

    Requires JRE that supports RFC 5746. For Oracle JRE that is known to be 6u22 or later.

But as I understand the code, even if the JRE does not support the RFC, you still disable the handshake with your "hack" to set no enabled ciphers.

Is this a Java/JSSE problem? What can I do? Can you please help me?

Thank you!