Per the bottom of: http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat tweak your server.xml to use Java's own NIO conector (SSL implementation):
"The NIO connector is not vulnerable as it does not support renegotiation."
Note: May impact performance / expose new issues.
PCI-DSS requires you to apply vendor patches, if there isn't a vendor patch your not expected to come upwith your own
If you have an Application level firewall sitting in front of your Tomcat, to get another PCI-DSS tick e.g. F5 BigIP it could block any renegotiation requests.
Testing for SSL renegotiation
Edit: Please note that the test described here works only with OpenSSL version that was not patched to deal with insecure renegotiation. I recommend that you download version 0.9.8k directly from the OpenSSL web site and compile a special binary to use for testing.
Someone asked me how to test for SSL connection renegotiation, so I thought I would also write here for the benefit of everyone. Testing is easy provided you have access to an un-patched version of OpenSSL. To test, you will use the
s_client tool (you'll type the bits in blue):
$ openssl s_client -connect www.ssllabs.com:443
[snip... a lot of openssl output]
HEAD / HTTP/1.0
28874:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
The idea is that you connect to an SSL server and start by typing the first line of a request. You then type a single uppercase letter R on a single line, which tells OpenSSL to ask for renegotiation. I am aware of the following outcomes:
- Your HTTP request completes, which means that renegotiation is enabled
- You get an error (one such possible error is shown in the example above), which means that renegotiation did not work
- The connection blocks and timeouts after a while, which is how OpenSSL 0.9.8l deals with renegotiation.
Of course, a SSL Labs report will tell you whether a particular server supports renegotiation.