tomcat-users mailing list archives
From Paul Singleton <>
Subject refusing low-grade SSL connections
Date Fri, 19 Aug 2005 20:37:10 GMT
According to the OWASP Web Application Penetration Checklist
(available from, a secure application server

  * Ensure that supported SSL versions do not have
    cryptographic weaknesses. Typically, this means
    supporting SSL 3 and TLS 1.0 only.

  * Ensure that the web server does not allow anonymous
    key exchange methods. Typically ADH Anonymous

  * Ensure that weak algorithms are not available.
    Typically, algorithms such as RC2 and DES.

  * Ensure the web site uses an appropriate length key.
    Most web sites should enforce 128 bit encryption.

How can we achieve all this (esp. with Tomcat 5.5)?

Paul Singleton
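An added example, not part of the original message: the four checklist items above can be turned into a filter that the server operator runs over the cipher suites the JVM reports (from `SSLServerSocketFactory.getSupportedCipherSuites()`) and pastes into the `ciphers` attribute of the Tomcat 5.5 HTTPS `Connector` alongside `sslProtocol="TLS"`. The suite names below are a constructed sample of JSSE names; counting 3DES at its effective 112 bits, and treating RC4 at 128 bits as acceptable, are assumptions of this example rather than statements from the checklist. Check the attribute names against the connector documentation of the Tomcat version actually installed.

```python
"""Filter JSSE cipher-suite names against the OWASP checklist items quoted above."""

from typing import Dict, List, Optional

# Constructed sample of the kind of list a Java 5 JVM reports from
# SSLServerSocketFactory.getSupportedCipherSuites() (illustrative subset).
SAMPLE_SUPPORTED_SUITES: List[str] = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_DH_anon_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_NULL_SHA",
]

# Symmetric key size in bits for the bulk-cipher tokens found in JSSE suite
# names. Order matters: "3DES_EDE" must be tested before single "DES_CBC".
# 3DES is counted at its effective 112 bits (assumption of this example).
KEY_BITS = [
    ("AES_256", 256),
    ("AES_128", 128),
    ("RC4_128", 128),
    ("3DES_EDE", 112),
    ("RC4_40", 40),
    ("RC2_CBC_40", 40),
    ("DES_CBC", 56),
    ("NULL", 0),
]

# Checklist item 3: algorithms that must not be offered at all.
# "EXPORT" covers the 40-bit export variants (RC2/RC4/DES40).
WEAK_TOKENS = ("RC2", "DES_CBC", "NULL", "EXPORT")


def key_bits(suite: str) -> Optional[int]:
    """Return the bulk-cipher key size for a suite name, or None if unrecognised."""
    for token, bits in KEY_BITS:
        if token in suite:
            return bits
    return None


def reject_reason(suite: str, min_bits: int = 128) -> Optional[str]:
    """Return why a suite fails the checklist, or None if it passes."""
    # Item 2: no anonymous key exchange (JSSE spells it "_anon_", OpenSSL "ADH").
    if "_anon_" in suite or "ADH" in suite:
        return "anonymous key exchange"
    # Item 3: no weak algorithms.
    for token in WEAK_TOKENS:
        if token in suite:
            return "weak algorithm (%s)" % token
    # Item 4: enforce the minimum key length; unknown ciphers are not trusted.
    bits = key_bits(suite)
    if bits is None:
        return "unrecognised cipher, not allow-listed"
    if bits < min_bits:
        return "key too short (%d bits)" % bits
    return None


def audit(suites: List[str], min_bits: int = 128) -> Dict[str, Optional[str]]:
    """Map every suite to its rejection reason (None means accepted)."""
    return {s: reject_reason(s, min_bits) for s in suites}


def accepted_suites(suites: List[str], min_bits: int = 128) -> List[str]:
    """Suites that pass all checks, in the order the JVM listed them."""
    return [s for s in suites if reject_reason(s, min_bits) is None]


def connector_snippet(suites: List[str], port: int = 8443) -> str:
    """Build the server.xml Connector fragment using Tomcat 5.5's
    sslProtocol and ciphers attributes (attribute names assumed from the
    5.5 HTTP connector docs; verify against the installed version).
    Item 1 (SSL 3 / TLS 1.0 only) is the JSSE default for sslProtocol="TLS";
    the JVM, not this attribute, decides which protocol versions are enabled."""
    ciphers = ",".join(accepted_suites(suites))
    return (
        '<Connector port="%d" maxHttpHeaderSize="8192"\n'
        '           scheme="https" secure="true" clientAuth="false"\n'
        '           sslProtocol="TLS"\n'
        '           ciphers="%s" />' % (port, ciphers)
    )


if __name__ == "__main__":
    for suite, reason in audit(SAMPLE_SUPPORTED_SUITES).items():
        print("%-40s %s" % (suite, reason or "OK"))
    print()
    print(connector_snippet(SAMPLE_SUPPORTED_SUITES))
```

Run it against the real output of `getSupportedCipherSuites()` from the JVM that will host Tomcat, since the allow-list it emits is only as good as the names fed to it; a suite the script does not recognise is rejected rather than passed through, so an unexpectedly short `ciphers` value is the signal to extend `KEY_BITS` after checking the cipher.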
