https://issues.apache.org/bugzilla/show_bug.cgi?id=48158--- Comment #5 from Ralf Hauser <
hauser@...> 2009-11-12 09:52:53 UTC ---
(In reply to comment #3)
> > Couldn't you make this an optional server.xml attribute
> See the "clientAuth" connector attribute for options already available for
> limiting server side re-negotiation.
Hmm, the word "re-negotiation" doesn't really appear in
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Edit%20the%20Tomcat%20Configuration%20Filefor the attribute nor does one know whether it is a mandatory or optional
attribute (same for "truststoreFile" - is there a "*" wildcard option to accept
any issuer?).
> > > We can't do anything to prevent client initiated renegotiation.
> > Sure, but closing 2 out of 3 attack vectors is at least something, isn't it?
> In this case, I don't think it is. However, the options are already in place
> if you wish to use them.
looking at
org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(boolean
force), I see
if(jsseCerts.length <= 0 && force) {
session.invalidate();
handShake();
session = ssl.getSession();
}
isn't that the renegotiation we want to avoid?
Shouldn't this now be commented out for the time being?
(One scenario being that an MITM attacker in the handshake eliminates the
optional "CertificateRequest*" as per section "7.3. Handshake Protocol overview
"
http://www.ietf.org/rfc/rfc2246.txtWith that the client might first do a non-client-cert SSL session and the
server might soon notice and trigger a TLS-re-handshake [just speculating...])
At least the javax.net.ssl.SSLSocket.startHandshake() executed inside the above
"handShake()" doesn't dissipate my suspicions that there may be a problem:
/**
* Starts an SSL handshake on this connection.
*/
public void startHandshake() throws IOException {
checkWrite();
try {
if (getConnectionState() == cs_HANDSHAKE) {
// do initial handshake
performInitialHandshake();
} else {
// start renegotiation
kickstartHandshake();
}
} catch (Exception e) {
// shutdown and rethrow (wrapped) exception as appropriate
handleException(e);
}
}
but maybe
http://marc.info/?l=tomcat-dev&m=125796482429041&w=2 got there too...
--
Configure bugmail:
https://issues.apache.org/bugzilla/userprefs.cgi?tab=email------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail:
dev-unsubscribe@...
For additional commands, e-mail:
dev-help@...
