Disabling SSL/TLS Renegotiation in Tomcat

Posted on 2012-09-10
Last Modified: 2012-09-30
Per CVE-2011-1473, web servers are open to a DoS attack if client-initiated SSL renegotiation is allowed (e.g. an attacker could send a stream of renegotiation requests and cause CPU usage on the web server to spike).

I am using Tomcat 7.0.30 on Windows 2008 R2 as my web server. Is it possible to turn off or disable client renegotiations?


Question by: danchernoff
    LVL 26

    Expert Comment

    Does your server currently support renegotiation, e.g.

    And which SSL implementation is your Tomcat pointed at (Oracle's, OpenSSL, another)?

    Author Comment

    Currently we are using the SSL/TLS provided by Java via JSSE (Oracle's JRockit 1.6).

    I can confirm our Tomcat implementation does support the renegotiation. An external PCI scan lists it as a vulnerability.
    LVL 26

    Expert Comment

    Per the bottom of: tweak your server.xml to use Java's own NIO connector (SSL implementation):

    "The NIO connector is not vulnerable as it does not support renegotiation."


    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"

    Note: May impact performance / expose new issues.
    PCI-DSS requires you to apply vendor patches; if there isn't a vendor patch you're not expected to come up with your own.
    If you have an application-level firewall sitting in front of your Tomcat, to get another PCI-DSS tick, e.g. F5 BigIP, it could block any renegotiation requests.

    Author Comment

    Okay, gotcha I will try that in the morning!

    Author Comment

    So I applied the connector protocol you suggested. When I browse the site I get the error below.

    Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
    LVL 26

    Expert Comment

    Can you post your Connector def?

    Author Comment

    Connector Profile Attached:

          <Connector port="443"

    Accepted Solution

    Solved by removing all CBC and DHE ciphers
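    The thread leaves the working connector unstated, so the following is an added example (not the asker's posted Connector and not Tomcat project code) that pulls the two pieces of advice together: the JSSE NIO connector the expert recommended, which does not support renegotiation, combined with an explicit cipher list containing no CBC and no DHE suites as in the accepted solution. The keystore path and password are placeholders, and the cipher names assume a Java 8 JSSE; on the Java 6 JSSE in this thread the only suites with neither CBC nor DHE are RC4 suites, which are now considered broken and should not be enabled.

```xml
<!-- Added example, not the asker's configuration: a Tomcat 7 HTTPS connector on
     the JSSE NIO implementation (no renegotiation support) with an explicit
     cipher list that contains no CBC and no DHE suites.
     keystoreFile / keystorePass are placeholders to be replaced. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="200"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           keystoreFile="${catalina.base}/conf/REPLACE-ME.jks"
           keystorePass="REPLACE-ME"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256" />
```

    After restarting Tomcat, a quick check is to open a session with openssl s_client -connect host:443 and type a line containing only R, which asks the client to renegotiate; with the NIO connector the renegotiation should not complete, which is what the PCI scanner is looking for. On JDK 8 and later there is also the JVM system property jdk.tls.rejectClientInitiatedRenegotiation=true, which makes any JSSE-based connector refuse client-initiated renegotiation; it did not exist in the JRockit 1.6 era of this thread, so the connector switch was the available fix at the time.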

    Author Closing Comment

    Solved on my own.
