CVE-2011-1473 tomcat

Per the bottom of:  tweak your server.xml to use Java's own NIO conector (SSL implementation):

"The NIO connector is not vulnerable as it does not support renegotiation."


<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"

Note: May impact performance / expose new issues.
          PCI-DSS requires you to apply vendor patches, if there isn't a vendor patch your not expected to come upwith your own
          If you have an Application level firewall sitting in front of your Tomcat, to get another PCI-DSS tick e.g. F5 BigIP it could block any renegotiation requests.


Testing for SSL renegotiation

December 15, 2009

Edit: Please note that the test described here works only with OpenSSL version that was not patched to deal with insecure renegotiation. I recommend that you download version 0.9.8k directly from the OpenSSL web site and compile a special binary to use for testing.

Someone asked me how to test for SSL connection renegotiation, so I thought I would also write here for the benefit of everyone. Testing is easy provided you have access to an un-patched version of OpenSSL. To test, you will use the s_client tool (you'll type the bits in blue):

$ openssl s_client -connect
[snip... a lot of openssl output]
28874:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

The idea is that you connect to an SSL server and start by typing the first line of a request. You then type a single uppercase letter R on a single line, which tells OpenSSL to ask for renegotiation. I am aware of the following outcomes:

  • Your HTTP request completes, which means that renegotiation is enabled
  • You get an error (one such possible error is shown in the example above), which means that renegotiation did not work
  • The connection blocks and timeouts after a while, which is how OpenSSL 0.9.8l deals with renegotiation.

Of course, a SSL Labs report will tell you whether a particular server supports renegotiation.