danchernoff asked:

Disabling SSL/TLS Renegotiation in Tomcat

Per CVE-2011-1473, web servers are open to a DoS attack if client SSL renegotiation is allowed (e.g. an attacker could send a stream of renegotiation requests and cause CPU usage on the web server to spike).

I am using Tomcat 7.0.30 on Windows 2008 R2 as my web server. Is it possible to turn off or disable client renegotiations?

Thanks.

Dan
arober11

Does your server currently support renegotiation? e.g.

http://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html

And which SSL implementation is your Tomcat pointed at (Oracle's, OpenSSL, another)?
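The renegotiation test linked in the reply above, as an added example that is not code from this thread or from Ivan Ristic's post: a small POSIX shell script that drives openssl s_client, sends the R command once the first handshake is done, and classifies the transcript. The host name, port and the three sample transcripts are constructed for the example, the classification rules are heuristics chosen for it, and it assumes OpenSSL 1.1.1 or newer (for -no_tls1_3: TLS 1.3 removed renegotiation, so the probe has to land on TLS 1.2 or lower).

```shell
#!/bin/sh
# Added example, not from the original thread: probe a TLS server for
# client-initiated renegotiation with "openssl s_client". In s_client a line
# containing only "R" asks for a renegotiation and "Q" closes the session;
# the server's reaction appears in the transcript after the "RENEGOTIATING"
# marker that s_client prints when it sees the R command.
#
# Assumptions: OpenSSL 1.1.1 or later (-no_tls1_3 forces TLS 1.2 or lower,
# since TLS 1.3 has no renegotiation) and a target reachable on the port.

# Run the probe against HOST PORT and print the raw s_client transcript.
probe_renego() {
    host=$1
    port=${2:-443}
    # Wait for the first handshake, ask for a renegotiation, give the server
    # time to answer, then close. -state makes s_client log handshake steps
    # and alerts so that a refusal is visible in the transcript.
    { sleep 2; printf 'R\n'; sleep 2; printf 'Q\n'; } |
        openssl s_client -connect "$host:$port" -servername "$host" \
            -no_tls1_3 -state 2>&1
}

# Classify a transcript (heuristics chosen for this example):
#   accepted - a second handshake completed after RENEGOTIATING, i.e. the
#              server honours client-initiated renegotiation (the condition
#              behind CVE-2011-1473 that a PCI scan flags)
#   rejected - the server answered with a fatal alert or dropped the link
#   ignored  - the request was sent but no second handshake was observed
#   unknown  - no RENEGOTIATING marker, so the R command never took effect
classify_renego() {
    transcript=$1
    case "$transcript" in
        *RENEGOTIATING*) ;;
        *) echo unknown; return 0 ;;
    esac
    # Only what follows the marker is the server's reaction; the initial
    # handshake also prints "verify return:" lines and must be discarded.
    after=${transcript#*RENEGOTIATING}
    case "$after" in
        *"verify return:"*) echo accepted ;;
        *"handshake failure"*|*"no renegotiation"*|*"unexpected message"*|*"errno="*)
            echo rejected ;;
        *) echo ignored ;;
    esac
}

# Constructed, abridged transcripts used to exercise the classifier offline.
SAMPLE_ACCEPTED=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = example.test
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
---
RENEGOTIATING
SSL_connect:SSLv3/TLS write client hello
depth=0 CN = example.test
verify return:1
SSL_connect:SSLv3/TLS read finished
DONE
EOF
)

SAMPLE_REJECTED=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = example.test
verify return:1
---
RENEGOTIATING
SSL_connect:SSLv3/TLS write client hello
SSL3 alert read:fatal:handshake failure
4007:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
EOF
)

SAMPLE_IGNORED=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = example.test
verify return:1
---
RENEGOTIATING
SSL_connect:SSLv3/TLS write client hello
DONE
EOF
)

# Usage: RENEGO_HOST=www.example.test [RENEGO_PORT=443] sh renego-check.sh
if [ -n "${RENEGO_HOST:-}" ]; then
    out=$(probe_renego "$RENEGO_HOST" "${RENEGO_PORT:-443}")
    printf '%s\n' "$out"
    printf 'client-initiated renegotiation: %s\n' "$(classify_renego "$out")"
fi
```

Run it as RENEGO_HOST=your.server sh renego-check.sh. "accepted" is the result an external scan reports as the vulnerability; a connector that does not support renegotiation should come back as "rejected" or "ignored". A server that only offers TLS 1.3 never completes the first handshake with -no_tls1_3, so the marker is absent and the result is "unknown" rather than a verdict.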
danchernoff (asker)

Currently we are using the SSL/TLS provided by Java via JSSE (Oracle's JRockit 1.6).

I can confirm our Tomcat implementation does support the renegotiation. An external PCI scan lists it as a vulnerability.

Per the bottom of http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat, tweak your server.xml to use Java's own NIO connector (SSL implementation):

"The NIO connector is not vulnerable as it does not support renegotiation."

e.g.

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"


Note: this may impact performance / expose new issues.
PCI-DSS requires you to apply vendor patches; if there isn't a vendor patch, you're not expected to come up with your own.
If you have an application-level firewall sitting in front of your Tomcat, e.g. an F5 BigIP, it could block any renegotiation requests, to get another PCI-DSS tick.
Okay, gotcha I will try that in the morning!
So I applied the connector protocol you suggested. When I browse the site, I get the error below.

Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Can you post your Connector def.
Connector Profile Attached:

      <Connector port="443"
               address="xx.xx.20.150"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               maxThreads="150"
               scheme="https"
               secure="true"
               clientAuth="false"
               keystoreFile="C:/cert/tomcat.keystore"
               keystorePass="changeit"
               keyAlias="tomcat"
               sslProtocol="TLSv1"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
               />
ASKER CERTIFIED SOLUTION
danchernoff

Solved on my own.