  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4725

Disabling SSL/TLS Renegotiation in Tomcat

Per CVE-2011-1473, web servers are open to a DoS attack if client SSL renegotiation is allowed (e.g. an attacker could send a stream of renegotiation requests and cause CPU usage on the web server to spike).

I am using Tomcat 7.0.30 on Windows 2008 R2 as my web server. Is it possible to turn off or disable client renegotiations?

Thanks.

Dan
Asked by: danchernoff
1 Solution
 
arober11 commented:
Does your server currently support renegotiation? e.g.

http://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html

And which SSL implementation is your Tomcat pointed at (Oracle's, OpenSSL, another)?
 
danchernoff (Author) commented:
Currently we are using the SSL/TLS provided by Java via JSSE (Oracle's JRockit 1.6).

I can confirm our Tomcat implementation does support the renegotiation. An external PCI scan lists it as a vulnerability.
 
arober11 commented:
Per the bottom of http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat, tweak your server.xml to use Java's own NIO connector (SSL implementation):

"The NIO connector is not vulnerable as it does not support renegotiation."

e.g.

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"


Note: May impact performance / expose new issues.
PCI-DSS requires you to apply vendor patches; if there isn't a vendor patch, you're not expected to come up with your own.
If you have an application-level firewall sitting in front of your Tomcat (e.g. F5 BigIP), it could block any renegotiation requests, to get another PCI-DSS tick.
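An added example, not code from the thread or from Tomcat, that checks a server.xml for SSL-enabled connectors still on a non-NIO protocol (the situation described above) and rewrites them to Http11NioProtocol. It assumes, per the Tomcat note quoted above, that only the NIO connector refuses renegotiation; the sample server.xml is constructed from the asker's connector.

```python
"""Audit a Tomcat 7 server.xml for SSL connectors that may still allow renegotiation."""
import xml.etree.ElementTree as ET

NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"

# Constructed sample: the thread's HTTPS connector left on the default protocol.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="443" address="xx.xx.20.150" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
               keystoreFile="C:/cert/tomcat.keystore" keystorePass="changeit"
               keyAlias="tomcat" sslProtocol="TLSv1" />
  </Service>
</Server>"""


def renegotiation_capable_connectors(server_xml):
    """Return (port, protocol) for each SSL-enabled Connector not on NIO.

    Assumption (from the Tomcat security page quoted in the thread): only
    Http11NioProtocol does not support renegotiation, so every other
    SSL-enabled connector is flagged for review.
    """
    root = ET.fromstring(server_xml)
    flagged = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: renegotiation does not apply
        proto = conn.get("protocol", "HTTP/1.1")  # Tomcat's default value
        if proto != NIO_PROTOCOL:
            flagged.append((conn.get("port"), proto))
    return flagged


def harden(server_xml):
    """Return server.xml with every SSL-enabled Connector switched to NIO."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            conn.set("protocol", NIO_PROTOCOL)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, proto in renegotiation_capable_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: protocol {proto} may accept client renegotiation")
    print(harden(SAMPLE_SERVER_XML))
```

After switching the protocol, re-run the s_client check from the blog post linked above to confirm the server now refuses renegotiation.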

 
danchernoff (Author) commented:
Okay, gotcha I will try that in the morning!
 
danchernoff (Author) commented:
So I applied the connector protocol you suggested. When I browse the site I get the error below.

Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
 
arober11 commented:
Can you post your Connector def?
 
danchernoff (Author) commented:
Connector profile attached:

    <Connector port="443"
               address="xx.xx.20.150"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               maxThreads="150"
               scheme="https"
               secure="true"
               clientAuth="false"
               keystoreFile="C:/cert/tomcat.keystore"
               keystorePass="changeit"
               keyAlias="tomcat"
               sslProtocol="TLSv1"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
               />
 
danchernoff (Author) commented:
Solved by removing all CBC and DHE ciphers.
 
danchernoff (Author) commented:
Solved on my own.