Hi,
I am running Tomcat 5.35 and I got a report that it is vulnerable to SSL client
renegotiation DoS.
You note in your docs that this is not a Tomcat issue per se, but a JSSE issue.
Please note that allowUnsafeLegacyRenegotiation is set to false. Looking into
the source code I see the following:
    public void handshake(Socket sock) throws IOException {
        ((SSLSocket)sock).startHandshake();
        if(!allowUnsafeLegacyRenegotiation) {
            // disable all ciphers, avoiding any subsequent handshake
            ((SSLSocket)sock).setEnabledCipherSuites(new String[0]);
        }
    }
Also looking into Tomcat6/7 source code I see that the only difference is to
check for existence of TLS_EMPTY_RENEGOTIATION_INFO_SCSV in JSSE.
But other than that the logic is the same. So I can only assume that upgrading
to Tomcat 6 would not solve my problem.
Since I have verified via debugging also that allowUnsafeLegacyRenegotiation is
indeed false, why do I get reports on SSL client renegotiation vulnerability?
I see in your notes (http://tomcat.apache.org/security-5.html) that:
Requires JRE that supports RFC 5746. For Oracle JRE that is known to be 6u22 or
later.
But as I understand the code, even if the JRE does not support the RFC, you still
disable the handshake with your "hack" to set no enabled ciphers.
Is this a Java/JSSE problem? What can I do? Can you please help me?
Thank you!