tomcat-users mailing list archives

From Paul Singleton <p...@jbgb.com>
Subject refusing low-grade SSL connections
Date Fri, 19 Aug 2005 20:37:10 GMT
According to the OWASP Web Application Penetration Checklist
(available from www.owasp.org), a secure application server
should:

  * Ensure that supported SSL versions do not have
    cryptographic weaknesses. Typically, this means
    supporting SSL 3 and TLS 1.0 only.

  * Ensure that the web server does not allow anonymous
    key exchange methods. Typically ADH Anonymous
    Diffie-Hellman.

  * Ensure that weak algorithms are not available.
    Typically, algorithms such as RC2 and DES.

  * Ensure the web site uses an appropriate length key.
    Most web sites should enforce 128 bit encryption.


How can we achieve all this (esp. with Tomcat 5.5)?

Paul Singleton




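One way to map the four checklist items onto a Tomcat 5.5 JSSE connector in conf/server.xml, as an added example that is not part of the original message or of the Tomcat documentation. It assumes the pure-Java JSSE connector (not APR/OpenSSL) and uses the JSSE cipher-suite names of the Java 5 era; the exact set a given JVM supports varies, and AES-256 needs the unlimited-strength policy files.

```xml
<!-- Added example (not from the original post): two versions of the
     HTTPS connector in Tomcat 5.5's conf/server.xml, JSSE implementation. -->

<!-- Before: the stock connector. JSSE never speaks SSLv2, so
     sslProtocol="TLS" already limits the server to SSL 3 and TLS 1.0,
     but it also enables every cipher suite the JVM supports, including
     anonymous DH (SSL_DH_anon_*), export (40/56-bit) and DES suites. -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

<!-- After: an explicit allow-list through the "ciphers" attribute.
     Listing only RSA-authenticated suites of 128 bits or more covers the
     remaining checklist items in one place:
       - no anonymous key exchange (no *_DH_anon_* suite is listed),
       - no RC2, DES or export suites,
       - nothing below 128 bits (3DES counts as 168-bit key material).
     Assumption: suite names the JVM does not know are silently dropped
     rather than rejected, so confirm the enabled list after a restart. -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA" />
```

The cipher list is an allow-list, so any suite not named (RC4-40, DES, anonymous DH) is unavailable regardless of what the JVM could otherwise offer.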

