# CVE-2011-1473 tomcat

Per the bottom of: http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat  tweak your server.xml to use Java's own NIO conector (SSL implementation):

"The NIO connector is not vulnerable as it does not support renegotiation."

e.g.

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"

Note: May impact performance / expose new issues.
PCI-DSS requires you to apply vendor patches, if there isn't a vendor patch your not expected to come upwith your own
If you have an Application level firewall sitting in front of your Tomcat, to get another PCI-DSS tick e.g. F5 BigIP it could block any renegotiation requests.

https://www.experts-exchange.com/questions/27859898/Disabling-SSL-TLS-Renegotiation-in-Tomcat.html

# Testing for SSL renegotiation

December 15, 2009

Edit: Please note that the test described here works only with OpenSSL version that was not patched to deal with insecure renegotiation. I recommend that you download version 0.9.8k directly from the OpenSSL web site and compile a special binary to use for testing.

Someone asked me how to test for SSL connection renegotiation, so I thought I would also write here for the benefit of everyone. Testing is easy provided you have access to an un-patched version of OpenSSL. To test, you will use the s_client tool (you'll type the bits in blue):

\$ openssl s_client -connect www.ssllabs.com:443[snip... a lot of openssl output]---HEAD / HTTP/1.0RRENEGOTIATING28874:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

The idea is that you connect to an SSL server and start by typing the first line of a request. You then type a single uppercase letter R on a single line, which tells OpenSSL to ask for renegotiation. I am aware of the following outcomes:

• Your HTTP request completes, which means that renegotiation is enabled
• You get an error (one such possible error is shown in the example above), which means that renegotiation did not work
• The connection blocks and timeouts after a while, which is how OpenSSL 0.9.8l deals with renegotiation.

Of course, a SSL Labs report will tell you whether a particular server supports renegotiation.