On 08/02/2013 15:05, Mark Thomas wrote:
> On 08/02/2013 14:34, Caldarale, Charles R wrote:
>>> From: dku...@ccilindia.co.in [mailto:dku...@ccilindia.co.in]
>>> Subject: How to limit the number of renegotiations for a single TLS
>>> / SSL connection
>>
>>> We are using - Tomcat Version - 6.0.18
>>
>>> Please suggest the recommended solution for tomcat
>>
>> Try using a version of Tomcat that's newer than 4.5 years old. Many
>> security-related fixes have gone in since then, and it's
>> irresponsible to expose your site to situations that have been
>> addressed years previously. If you check the changelog, I think
>> you'll find this TLS issue was addressed quite some time ago; it may
>> require a JVM upgrade as well.
>
> No, this is a different issue.

Not to disagree with Mark T... but the point about using old software is still a good one.

Tomcat 6.0.18 vs Tomcat 6.0.36
OpenSSL 0.9.8k (25-Mar-2009) vs OpenSSL 0.9.8y (05-Feb-2013)

Focusing on particular issues like this, rather than addressing the big picture and using a more recent build of OpenSSL and/or Tomcat (that will carry many fixes) means the OP is probably Doing IT Wrong.

p

--
[key:62590808]