Per the bottom of: http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat  tweak your server.xml to use Java's own NIO conector (SSL implementation):

"The NIO connector is not vulnerable as it does not support renegotiation."

e.g.

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"

Note: May impact performance / expose new issues.
          PCI-DSS requires you to apply vendor patches, if there isn't a vendor patch your not expected to come upwith your own
          If you have an Application level firewall sitting in front of your Tomcat, to get another PCI-DSS tick e.g. F5 BigIP it could block any renegotiation requests.

https://www.experts-exchange.com/questions/27859898/Disabling-SSL-TLS-Renegotiation-in-Tomcat.html

Testing for SSL renegotiation

December 15, 2009

Edit: Please note that the test described here works only with OpenSSL version that was not patched to deal with insecure renegotiation. I recommend that you download version 0.9.8k directly from the OpenSSL web site and compile a special binary to use for testing.

Someone asked me how to test for SSL connection renegotiation, so I thought I would also write here for the benefit of everyone. Testing is easy provided you have access to an un-patched version of OpenSSL. To test, you will use the s_client tool (you'll type the bits in blue):

$ openssl s_client -connect www.ssllabs.com:443
[snip... a lot of openssl output]
---
HEAD / HTTP/1.0
R
RENEGOTIATING
28874:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

The idea is that you connect to an SSL server and start by typing the first line of a request. You then type a single uppercase letter R on a single line, which tells OpenSSL to ask for renegotiation. I am aware of the following outcomes:

  • Your HTTP request completes, which means that renegotiation is enabled
  • You get an error (one such possible error is shown in the example above), which means that renegotiation did not work
  • The connection blocks and timeouts after a while, which is how OpenSSL 0.9.8l deals with renegotiation.

Of course, a SSL Labs report will tell you whether a particular server supports renegotiation.

https://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html

http://orchilles.com/ssl-renegotiation-dos/

CVE-2011-1473 tomcat的更多相关文章

  1. [CVE:2013-4810]Apache Tomcat/JBoss远程命令执行

    <?php $host=gethostbyname($argv[1]); $port=$argv[2]; $cmd=$argv[3]; //small jsp shell //change th ...

  2. 第十七章 Metasploit Framework

    渗透测试者的困扰▪ 需要掌握数百个工具软件,上千个命令参数,实在记不住▪ 新出现的漏洞PoC/EXP有不同的运行环境要求,准备工作繁琐▪ 大部分时间都在学习使用不同工具的使用习惯,如果能统一就好了▪ ...

  3. msf学习笔记

    metasploit frame 这是一个渗透测试框架,围绕这个框架,我们就可以完成最终的目标,即渗透测试. 渗透测试者困扰:需要掌握数百个工具,上千条命令参数,很难记住. 新出现的漏洞PoC/EXP ...

  4. 第一次亲密接触MSF

    第一次亲密接触MSF Metasploit Framework介绍 Metasploit是一款开源安全漏洞检测工具,附带数百个已知的软件漏洞,并保持频繁更新.被安全社区冠以“可以黑掉整个宇宙”之名的强 ...

  5. 密码学系列之:碰撞抵御和碰撞攻击collision attack

    密码学系列之:碰撞抵御和碰撞攻击collision attack 简介 hash是密码学和平时的程序中经常会用到的一个功能,如果hash算法设计的不好,会产生hash碰撞,甚至产生碰撞攻击. 今天和大 ...

  6. Tomcat 中响应头信息(Http Response Header) Content-Length 和 Transfer-Encoding

    户端(PC浏览器或者手机浏览器)在接受到Tomcat的响应的时候,头信息通常都会带上Content-Length ,一般情况下客户端会在接受完Content-Length长度的数据之后才会开始解析.而 ...

  7. svn工具安装下载Tomcat源码以及导入eclipse

    安装 1.svn下载地址 https://tortoisesvn.net/downloads.html 2.语言包下载 3.先安装svn,在直接安装语言包 4.桌面右键可以看到相关svn信息 下载To ...

  8. maven 项目打包 及window下部署到tomcat

    1.maven项目打包 2.将war文件拷贝到tomcat目录webapps下(不要再建目录)3.将必要的jar文件拷贝到tomcat目录libx下 war包 或jar 包 会生成到项目所在路径 的t ...

  9. CentOS7下Apache及Tomcat开启SSL

    安装: 复制代码 yum install -y openssl #使用openssl可手动创建证书 yum install -y httpd yum install -y mod_ssl 防火墙打开8 ...

  10. 结合Apache和Tomcat实现集群和负载均衡 JK 方式 2 (转)

    本文Apache+Tomcat集群配置       基于最新的Apache和Tomcat,具体是2011年4月20日最新的Tomcat和Apache集群和负载均衡配置. 准备环境 Apache Apa ...

随机推荐

  1. codevs 3945 完美拓印 (KMP)

    题目大意:给你一个神奇的印章,他左右下三个面都是直的,上面是凸凹不平的面(凸凹都平行于别的面).然后给你一个轮廓线,如果一个面能与轮廓线完全重合,可以把印章的这个沿着轮廓线拓印,求所有的拓印方案. 把 ...

  2. [NOIPlus]斗地主

    毫无意义的一道题. 用pai[i]表示某种点数的牌的剩余量,used[i]表示单,对,三,四的出牌数,大力分类讨论,大力dfs即可...真奇葩... #include <iostream> ...

  3. css不定高度实现垂直居中

    1.不知道自己高度和父容器高度的情况下, 利用绝对定位只需要以下三行: parentElement{ position:relative; } childElement{ position: abso ...

  4. 2015 Multi-University Training Contest 7 hdu 5372 Segment Game

    Segment Game Time Limit: 3000/1500 MS (Java/Others)    Memory Limit: 65536/65536 K (Java/Others)Tota ...

  5. UVALive 5545 Glass Beads

    Glass Beads Time Limit: 3000ms Memory Limit: 131072KB This problem will be judged on UVALive. Origin ...

  6. 搭建ELK日志分析平台(上)—— ELK介绍及搭建 Elasticsearch 分布式集群

    笔记内容:搭建ELK日志分析平台(上)-- ELK介绍及搭建 Elasticsearch 分布式集群笔记日期:2018-03-02 27.1 ELK介绍 27.2 ELK安装准备工作 27.3 安装e ...

  7. 海尔公布首套智能套装SmartCare,主打智能、简单

        2014CIE智能硬件首发会于11月6-8日在上海国际展览中心举行.吸引了海尔.英特尔.百度等知名企业的积极參与. 作为国内智能家居领域的先驱者,海尔在本次大会上首发了轻量智能套装SmartC ...

  8. magento megatron主题加入中文

    magento的megatron默认不支持中文,全部我们须要在它的本地化目录中加入中文的cvs文件,加入方法例如以下: 1.切换至 app ▸ design ▸ frontend ▸ megatron ...

  9. pintos操作系统thread部分的实现

    pintos是斯坦福大学自己开发的一个教学用操作系统.里面的代码给我们留了很多坑.我们的目标就是解决这些坑!详细的实现大家能够看看这篇blog,尽管我的代码并非所有跟着他写的,可是这确实是一篇非常好地 ...

  10. lambda的函数式接口

    函数式接口就是只包含一个抽象方法的接口A(不包括默认抽象方法,但包括继承来的方法):这个接口用来作为一个可变作用的方法B的参数.函数式接口的抽象方法的参数类型和返回值就是一套签名,这个签名叫做函数描述 ...