My application is deployed in Jboss 6.1.0 AS and uses java version "1.7.0_40".
After a vulnerability scan, I was suggested to disable the tls renegotiation.
If connecting with the OpenSSL (version OpenSSL 1.0.1 14 Mar 2012) I get:
Server public key is 1024 bit
Secure Renegotiation IS supported
If trying to renegotiate, I receive an error in the openssl and the following exception is printed in my server console log:
WARN [org.apache.tomcat.util.net.jsse.JSSESocketFactory] SSL renegotiation is disabled, closing connection
If connecting with sslyze I get:
Client-initiated Renegotiations: VULNERABLE - Server honors client-initiated renegotiations
Secure Renegotiation: OK - Supported
The same warn is displayed if I try to renegotiate using sslyze.
How can I disable the tls client initiated Renegotiation?or is it already disabled by default given the fact that I receive the above mentioned
WARN every time I try to renegotiate.
Retrieving data ...