  • CVE-2011-1473 tomcat

    Per the bottom of http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat, tweak your server.xml to use Java's own NIO connector (SSL implementation):

    "The NIO connector is not vulnerable as it does not support renegotiation."

    e.g.

    <!-- Example: switch the HTTPS connector to the NIO implementation.
         Keep your existing keystore/SSL attributes on the element; only the
         protocol attribute needs to change. -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" />

    Note: May impact performance / expose new issues.
    PCI-DSS requires you to apply vendor patches; if there isn't a vendor patch you're not expected to come up with your own.
    If you have an application-level firewall sitting in front of your Tomcat, to get another PCI-DSS tick (e.g. F5 BigIP), it could block any renegotiation requests.

    https://www.experts-exchange.com/questions/27859898/Disabling-SSL-TLS-Renegotiation-in-Tomcat.html
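    A defender applying the advice above usually wants two things: a check that every TLS-terminating Connector in server.xml really is on the NIO implementation, and a way to rewrite the ones that are not. The script below is an added example, not code from the quoted answer or from the Tomcat project; the server.xml fragment it parses is constructed for the demo (the keystore path and password in it are placeholders), and the description of what protocol="HTTP/1.1" auto-selects applies to Tomcat 7.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Tomcat 7 connector implementations. Only the NIO one is what the quoted
# advice recommends, because it does not support TLS renegotiation.
NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"
BIO_PROTOCOL = "org.apache.coyote.http11.Http11Protocol"
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"

# Constructed sample server.xml (not from any real deployment): one plain HTTP
# connector, one auto-selected HTTPS connector, and one already on NIO.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/example-placeholder.jks" keystorePass="PLACEHOLDER"/>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/example-placeholder.jks" keystorePass="PLACEHOLDER"/>
  </Service>
</Server>
"""


def _describe(protocol: str) -> str:
    """Map a Connector protocol attribute to a short description (Tomcat 7 semantics)."""
    if protocol == NIO_PROTOCOL:
        return "NIO connector (renegotiation not supported)"
    if protocol == BIO_PROTOCOL:
        return "blocking JSSE connector"
    if protocol == APR_PROTOCOL:
        return "APR/native OpenSSL connector"
    if protocol == "HTTP/1.1":
        # On Tomcat 7 "HTTP/1.1" auto-selects APR when the native library is
        # present and the blocking JSSE connector otherwise; neither is NIO.
        return "auto-selected connector (APR or blocking JSSE on Tomcat 7)"
    return "unrecognised connector implementation"


def audit_ssl_connectors(server_xml: str) -> List[Dict[str, str]]:
    """Return one finding per TLS-terminating Connector, flagging non-NIO ones."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP / AJP connectors do not terminate TLS in Tomcat
        protocol = conn.get("protocol", "HTTP/1.1")
        findings.append({
            "port": conn.get("port", "?"),
            "protocol": protocol,
            "status": "ok" if protocol == NIO_PROTOCOL else "review",
            "detail": _describe(protocol),
        })
    return findings


def switch_ssl_connectors_to_nio(server_xml: str) -> Tuple[str, List[str]]:
    """Return a copy of server.xml with every SSLEnabled Connector set to the NIO
    protocol, plus the list of ports that were changed. Other attributes
    (keystore, ciphers, ...) are left untouched. Caveat: ElementTree drops XML
    comments on round-trip, so diff the result before deploying it."""
    root = ET.fromstring(server_xml)
    changed = []
    for conn in root.iter("Connector"):
        if (conn.get("SSLEnabled", "false").lower() == "true"
                and conn.get("protocol") != NIO_PROTOCOL):
            conn.set("protocol", NIO_PROTOCOL)
            changed.append(conn.get("port", "?"))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for f in audit_ssl_connectors(SAMPLE_SERVER_XML):
        print(f"port {f['port']}: {f['status']:6} {f['protocol']} - {f['detail']}")
    fixed_xml, ports = switch_ssl_connectors_to_nio(SAMPLE_SERVER_XML)
    print("switched to NIO:", ports)
    print(fixed_xml)
```

    Run it against a copy of your own conf/server.xml by replacing SAMPLE_SERVER_XML with the file's contents; the "review" findings are the connectors the quoted advice tells you to move to NIO, and the note in the post about performance impact applies to each of them.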

    Testing for SSL renegotiation

    December 15, 2009

    Edit: Please note that the test described here works only with an OpenSSL version that was not patched to deal with insecure renegotiation. I recommend that you download version 0.9.8k directly from the OpenSSL web site and compile a special binary to use for testing.


    Someone asked me how to test for SSL connection renegotiation, so I thought I would also write here for the benefit of everyone. Testing is easy provided you have access to an un-patched version of OpenSSL. To test, you will use the s_client tool (you'll type the bits in blue):

    $ openssl s_client -connect www.ssllabs.com:443
    [snip... a lot of openssl output]
    ---
    HEAD / HTTP/1.0
    R
    RENEGOTIATING
    28874:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

    The idea is that you connect to an SSL server and start by typing the first line of a request. You then type a single uppercase letter R on a single line, which tells OpenSSL to ask for renegotiation. I am aware of the following outcomes:

    • Your HTTP request completes, which means that renegotiation is enabled
    • You get an error (one such possible error is shown in the example above), which means that renegotiation did not work
    • The connection blocks and times out after a while, which is how OpenSSL 0.9.8l deals with renegotiation.

    Of course, an SSL Labs report will tell you whether a particular server supports renegotiation.
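    When the manual test above has to be repeated across many of your own servers, the part worth automating is reading the s_client transcript and mapping it onto the three outcomes the post lists. The script below is an added example, not code from the post or from the SSL Labs project: it classifies a captured transcript (the sample transcripts are constructed, modelled on the output shown above) and, optionally, drives `openssl s_client` non-interactively. The probe assumes, as the post's edit says, that the `openssl` binary you point it at is an unpatched build; the `-ign_eof` flag is a real s_client option used here so the client keeps reading the reply after stdin is exhausted.

```python
import re
import subprocess

# Possible outcomes, mirroring the three listed in the post above.
OUTCOME_ENABLED = "renegotiation-enabled"   # request completed after the R line
OUTCOME_REFUSED = "renegotiation-refused"   # OpenSSL reported an SSL error after R
OUTCOME_TIMEOUT = "renegotiation-timeout"   # connection hung (OpenSSL 0.9.8l behaviour)
OUTCOME_UNKNOWN = "undetermined"            # s_client never printed RENEGOTIATING

_HTTP_STATUS_LINE = re.compile(r"^HTTP/1\.[01] \d{3}", re.MULTILINE)
_OPENSSL_ERROR = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:")

# Constructed transcripts (not real captures), modelled on the post's output.
REFUSED_TRANSCRIPT = """---
HEAD / HTTP/1.0
R
RENEGOTIATING
28874:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
"""
ENABLED_TRANSCRIPT = """---
HEAD / HTTP/1.0
R
RENEGOTIATING

HTTP/1.1 200 OK
Content-Type: text/html
"""


def classify_renegotiation_transcript(transcript: str, timed_out: bool = False) -> str:
    """Classify an `openssl s_client` transcript captured after typing the HEAD
    line and the single 'R' line, using the outcomes the post describes."""
    marker = "RENEGOTIATING"
    idx = transcript.find(marker)
    if idx < 0:
        return OUTCOME_UNKNOWN
    after = transcript[idx + len(marker):]
    if _HTTP_STATUS_LINE.search(after):
        return OUTCOME_ENABLED        # the HTTP request completed: renegotiation worked
    if _OPENSSL_ERROR.search(after):
        return OUTCOME_REFUSED        # e.g. the handshake failure shown in the post
    if timed_out:
        return OUTCOME_TIMEOUT        # nothing came back before our deadline
    return OUTCOME_UNKNOWN


def probe_renegotiation(host: str, port: int = 443, openssl: str = "openssl",
                        timeout: float = 15.0) -> str:
    """Run the post's interactive sequence non-interactively against a server
    you administer. `openssl` must be an unpatched build (see the post's edit);
    a patched client will not attempt legacy renegotiation at all."""
    # HEAD line, the lone 'R' that makes s_client renegotiate, then the blank
    # line that completes the HTTP/1.0 request. -ign_eof keeps s_client alive
    # and reading the server's reply after stdin is exhausted.
    script = "HEAD / HTTP/1.0\nR\n\n"
    cmd = [openssl, "s_client", "-ign_eof", "-connect", f"{host}:{port}"]
    try:
        proc = subprocess.run(cmd, input=script, stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, text=True, timeout=timeout)
        return classify_renegotiation_transcript(proc.stdout or "")
    except subprocess.TimeoutExpired as exc:
        partial = exc.stdout or b""
        if isinstance(partial, bytes):   # partial output is bytes on POSIX
            partial = partial.decode("utf-8", "replace")
        return classify_renegotiation_transcript(partial, timed_out=True)


if __name__ == "__main__":
    print("refused sample:", classify_renegotiation_transcript(REFUSED_TRANSCRIPT))
    print("enabled sample:", classify_renegotiation_transcript(ENABLED_TRANSCRIPT))
    # To test a live host you operate: print(probe_renegotiation("your.host.example"))
```

    The classifier looks only at what follows the RENEGOTIATING marker, so noise from the initial handshake (certificate chain, session parameters) cannot be mistaken for the result; a transcript with no marker at all means the R line was never acted on, which is what you see when the client itself is already patched.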

  • Source: https://www.cnblogs.com/diyunpeng/p/7396584.html