tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: refusing low-grade SSL connections
Date Sat, 20 Aug 2005 10:25:36 GMT
Set the ciphers attribute on the connector. See 
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/http.html

Mark


Paul Singleton wrote:
> According to the OWASP Web Application Penetration Checklist
> (available from www.owasp.org), a secure application server
> should:
> 
>  * Ensure that supported SSL versions do not have
>    cryptographic weaknesses. Typically, this means
>    supporting SSL 3 and TLS 1.0 only.
> 
>  * Ensure that the web server does not allow anonymous
>    key exchange methods. Typically ADH Anonymous
>    Diffie-Hellman.
> 
>  * Ensure that weak algorithms are not available.
>    Typically, algorithms such as RC2 and DES.
> 
>  * Ensure the web site uses an appropriate length key.
>    Most web sites should enforce 128 bit encryption.
> 
> 
> How can we achieve all this (esp. with Tomcat 5.5)?
> 
> Paul Singleton
> 
> 
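Mark's pointer, the `ciphers` attribute on the SSL Connector in server.xml, as an added example (constructed for this archive page, not taken from the thread or the Tomcat docs). The keystore path and password are placeholders, and the suite names are the JSSE names the JVM must itself support:

```xml
<!-- Tomcat 5.5 server.xml, constructed example. -->

<!-- Before: no ciphers attribute, so (per the 5.5 docs) any cipher the
     JVM makes available may be negotiated, including whatever weak or
     anonymous suites the JSSE provider enables by default. -->
<Connector port="8443" scheme="https" secure="true"
           sslProtocol="TLS" clientAuth="false"
           keystoreFile="/path/to/placeholder.keystore"
           keystorePass="changeit-placeholder" />

<!-- After: an explicit allow-list. Only suites with server
     authentication (RSA / DHE-RSA), none of the SSL_DH_anon_* anonymous
     suites, no DES, RC2 or *_EXPORT_* suites, and 128-bit symmetric
     keys. AES suites need a JSSE provider with AES (JDK 1.4.2 and later). -->
<Connector port="8443" scheme="https" secure="true"
           sslProtocol="TLS" clientAuth="false"
           keystoreFile="/path/to/placeholder.keystore"
           keystorePass="changeit-placeholder"
           ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
```

After restarting, confirm against your own server that a client offering only excluded suites is refused, e.g. `openssl s_client -connect localhost:8443 -cipher 'aNULL:DES:RC2'`, which should fail the handshake.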




