• CVE-2011-1473 tomcat


    Per the bottom of: http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat  tweak your server.xml to use Java's own NIO conector (SSL implementation):

    "The NIO connector is not vulnerable as it does not support renegotiation."

    e.g.

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"


    Note: May impact performance / expose new issues.
              PCI-DSS requires you to apply vendor patches, if there isn't a vendor patch your not expected to come upwith your own
              If you have an Application level firewall sitting in front of your Tomcat, to get another PCI-DSS tick e.g. F5 BigIP it could block any renegotiation requests.

    https://www.experts-exchange.com/questions/27859898/Disabling-SSL-TLS-Renegotiation-in-Tomcat.html

    Testing for SSL renegotiation

    December 15, 2009

    Edit: Please note that the test described here works only with OpenSSL version that was not patched to deal with insecure renegotiation. I recommend that you download version 0.9.8k directly from the OpenSSL web site and compile a special binary to use for testing.


    Someone asked me how to test for SSL connection renegotiation, so I thought I would also write here for the benefit of everyone. Testing is easy provided you have access to an un-patched version of OpenSSL. To test, you will use the s_client tool (you'll type the bits in blue):

    $ openssl s_client -connect www.ssllabs.com:443
    [snip... a lot of openssl output]
    ---
    HEAD / HTTP/1.0
    R
    RENEGOTIATING
    28874:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

    The idea is that you connect to an SSL server and start by typing the first line of a request. You then type a single uppercase letter R on a single line, which tells OpenSSL to ask for renegotiation. I am aware of the following outcomes:

    • Your HTTP request completes, which means that renegotiation is enabled
    • You get an error (one such possible error is shown in the example above), which means that renegotiation did not work
    • The connection blocks and timeouts after a while, which is how OpenSSL 0.9.8l deals with renegotiation.

    Of course, a SSL Labs report will tell you whether a particular server supports renegotiation.

  • 相关阅读:
    c# ThreadPool 判断子线程全部执行完毕的四种方法
    很多人都爱玩的lol..
    Go 的位操作
    wrk压测工具
    Go函数作为值与类型
    家用PC发展设想
    开车的烦恼
    一款一体机的设想
    nodejs开发环境的搭建
    Python网页抓取程序(续)
  • 原文地址:https://www.cnblogs.com/diyunpeng/p/7396584.html
Copyright © 2020-2023  润新知