0 Replies Latest reply on Oct 27, 2014 9:49 AM by Carolina Contiu

    Jboss 6.1.0 Disable TLS renegotiation

    Carolina Contiu Newbie

      My application is deployed in JBoss 6.1.0 AS and uses Java version "1.7.0_40".

      After a vulnerability scan, I was advised to disable TLS renegotiation.


      When connecting with OpenSSL (version OpenSSL 1.0.1 14 Mar 2012) I get:

            Server public key is 1024 bit
            Secure Renegotiation IS supported
            Compression: NONE


      If I try to renegotiate, I receive an error in OpenSSL and the following exception is printed in my server console log:

      WARN  [org.apache.tomcat.util.net.jsse.JSSESocketFactory] SSL renegotiation is disabled, closing connection


      When connecting with sslyze I get:

             Session Renegotiation:
               Client-initiated Renegotiations:   VULNERABLE - Server honors client-initiated renegotiations
               Secure Renegotiation:              OK - Supported

      The same WARN is displayed if I try to renegotiate using sslyze.


      How can I disable TLS client-initiated renegotiation? Or is it already disabled by default, given that I receive the above-mentioned WARN every time I try to renegotiate?
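The check described in the post (connect with `openssl s_client`, type `R`, watch what the server does) as an added example that is not part of the original post or of JBoss: two small functions turn a captured s_client transcript into a verdict, plus a live probe that feeds `R` and `Q` into s_client. How s_client reports a refused or honoured renegotiation is an assumption documented in the comments (a clean `DONE` after `RENEGOTIATING` is taken as "honoured"; an SSL error or a dropped connection, which is what the poster's JBoss WARN produces, as "refused"); the `host:port` argument is a placeholder.

```shell
# Added example, not code from the forum post. Classifies `openssl s_client`
# output from a session in which "R" was typed to request a client-initiated
# renegotiation, as the poster did. Mapping is an assumption about s_client's
# usual behaviour with TLS 1.2 and earlier:
#   RENEGOTIATING then an SSL error        -> server refused with an alert
#   RENEGOTIATING then read/write errno    -> server dropped the connection
#   RENEGOTIATING then a clean DONE (on Q) -> server honoured it
# KEYUPDATE means the session was TLS 1.3, which has no renegotiation at all.

classify_reneg() {            # $1 = captured s_client output
  out=$1
  case "$out" in
    *KEYUPDATE*)     echo not-applicable-tls13; return 0 ;;
    *RENEGOTIATING*) ;;
    *)               echo no-attempt; return 0 ;;
  esac
  after=${out#*RENEGOTIATING}   # only what happened after the request
  case "$after" in
    *"handshake failure"*|*"no renegotiation"*|*"unexpected message"*)
      echo refused-alert ;;
    *"read:errno="*|*"write:errno="*)
      echo refused-closed ;;
    *DONE*)
      echo honoured ;;
    *)
      echo unknown ;;
  esac
}

secure_reneg() {              # $1 = captured s_client output
  case "$1" in
    *"Secure Renegotiation IS NOT supported"*) echo no ;;
    *"Secure Renegotiation IS supported"*)     echo yes ;;
    *)                                         echo unknown ;;
  esac
}

# Live probe (assumption: $1 is a host:port of a server you administer).
# -tls1_2 keeps TLS 1.3 from turning "R" into a KeyUpdate; the sleeps let the
# handshake finish before "R" and then "Q" are fed to s_client.
probe_reneg() {
  { sleep 2; printf 'R\n'; sleep 2; printf 'Q\n'; } |
    openssl s_client -connect "$1" -tls1_2 2>&1
}

if [ -n "$1" ]; then
  out=$(probe_reneg "$1")
  echo "secure renegotiation extension: $(secure_reneg "$out")"
  echo "client-initiated renegotiation: $(classify_reneg "$out")"
fi
```

A scanner such as sslyze performs the renegotiation handshake itself and is the more reliable verdict; this script only makes the manual openssl check repeatable and is useful for confirming the JBoss side really closes the connection after the WARN.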