tomcat-users mailing list archives
From "Gaël Lams" <>
Subject Re: Tomcat SSL, after clientAuth="false" worked, how to set up to "true"?
Date Mon, 19 Jun 2006 09:01:49 GMT
> The problem is that Microsoft Internet Explorer and Netscape now are serious about the
> Root Trust Authorities. ...

I'm not sure what you mean by "serious about the Root Trust
Authorities" but I tested the ssl client authentication on several
computers, both inside and outside our LAN with both Internet Explorer
6 and Firefox 1.0.x and it works for me. If you don't use a trusted
certificate, the "only practical" issue (see my PS for a security
issue) is that the user trying to connect to that web site will be
prompted by a message saying that the certificate does not come from a
trusted root, and asking you whether you want to have a look at the
information provided with the certificate and whether you want to
accept it.
PS: when you use self-signed certificates, there is also a security
risk, i.e. the risk of what is called a man-in-the-middle attack: an
attacker could send the client his own self-signed certificate which
has the same name as that in the server's self-signed certificate. The
attacker then connects to the real server himself. When the client
sends data to the server the attacker reads it and then sends it along
to the real server.
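An added illustration of the PS above (example script, not from this thread or from the Tomcat project): two self-signed certificates are created with the same subject name, and a name-only check cannot tell them apart, while a client that pins the real certificate as its sole trust anchor rejects the look-alike. It assumes the openssl CLI is installed; the host name www.example.test and the labels "real" and "impostor" are constructed for the demo.

```shell
#!/bin/sh
# Added example: why a self-signed server certificate must be pinned by the
# client rather than merely matched by name. Assumes the openssl CLI.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed certificate and key under label $1.
# Both labels deliberately use the same constructed subject name.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Weak check: does the certificate's subject carry the expected name?
# Succeeds for any certificate whose issuer chose that name.
subject_matches() {
  openssl x509 -in "$WORK/$1.pem" -noout -subject \
    | grep -q "CN *= *www.example.test"
}

# Strong check: does the presented certificate verify against the ONE
# certificate we pinned (the real server's)? Only the real one can.
pinned_verify() {
  openssl verify -CAfile "$WORK/real.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

make_selfsigned real      # the genuine server certificate
make_selfsigned impostor  # a different key, same subject name

# Report what each check concludes for each certificate.
for label in real impostor; do
  subject_matches "$label" && echo "$label: name matches"
  if pinned_verify "$label"; then
    echo "$label: pinned verification OK"
  else
    echo "$label: pinned verification FAILED"
  fi
done
```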