tomcat-users mailing list archives

From sunil chandran <>
Subject Re: avoiding ssl vulnerabilities in tomcat
Date Mon, 10 Aug 2009 09:59:40 GMT
Hello all,
I found this issue from the support team:
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using an algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer, Netscape and Mozilla do not use anonymous authentication ciphers by default.

A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm. Client-server communication may use several different types of authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the communications are vulnerable to a man-in-the-middle

An attacker can exploit this vulnerability to impersonate your server to

Disable support for anonymous authentication
Please tell me what exactly I must do in Tomcat 4 to avoid these SSL vulnerabilities.
Please help.
regards
Sunil C

--- On Tue, 4/8/09, Mark Thomas <> wrote:

From: Mark Thomas <>
Subject: Re: avoiding ssl vulnerabilities in tomcat
To: "Tomcat Users List" <>
Date: Tuesday, 4 August, 2009, 9:39 PM

sunil chandran wrote:
> Hello sir,
> I am sorry. I am using tomcat 4

Tomcat 4 is no longer supported. You *really* need to upgrade.

>  <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8443" minProcessors="5" maxProcessors="150"
>                enableLookups="true"
>                acceptCount="100" debug="0" scheme="https" secure="true"
>                useURIValidationHack="false" disableUploadTimeout="true">

Again, read the docs. If you must use Tomcat 4 (and that is a bad idea)
you should not be using the Factory element.

>       <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>                keystoreFile=".keystore" keystorePass="mypass"
>                clientAuth="false" protocol="TLS" />
>     </Connector>
> this is the portion of server.xml. I have enabled SSL.
> still there are some vulnerabilities as informed by the support team. They say that Tomcat
> is configured to access without authentication.
> 1. is it true?


> 2. How can we confirm if the Tomcat SSL is configured using any algorithm to authenticate
> or "none".

With clientAuth="false" authentication will be controlled by your app's


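Question 2 above asks how to confirm whether an SSL listener is configured with an authenticating algorithm or with "none". The Python audit below is an added example, not code from the original thread or from Tomcat; it classifies cipher suite names in the Java/JSSE style that Tomcat reports and in the OpenSSL style that `openssl ciphers -v` and most scanners print, flagging the anonymous DH/ECDH suites the support team's finding refers to. Both sample inputs are constructed.

```python
import re

# Suite-name patterns for the "none" authentication case: the key exchange
# carries no server signature, so the client cannot verify who it talks to.
ANON_NAME_PATTERNS = (
    re.compile(r"^(?:EXP-)?ADH-"),      # OpenSSL naming: anonymous finite-field DH
    re.compile(r"^AECDH-"),             # OpenSSL naming: anonymous elliptic-curve DH
    re.compile(r"_(?:DH|ECDH)_anon_"),  # IANA/JSSE naming, as Java and Tomcat report suites
)

# One line of `openssl ciphers -v` output, e.g.
# "ADH-AES128-SHA  SSLv3 Kx=DH  Au=None  Enc=AES(128)  Mac=SHA1"
CIPHERS_V_LINE = re.compile(r"^(?P<name>\S+)\s+\S+\s+Kx=\S+\s+Au=(?P<auth>\S+)")

def is_anonymous_suite(name):
    """True if the suite name denotes a key exchange with no authentication."""
    return any(p.search(name) for p in ANON_NAME_PATTERNS)

def audit_suite_names(names):
    """Split a suite list (scanner report or connector cipher list) by authentication."""
    anonymous = [n for n in names if is_anonymous_suite(n)]
    authenticated = [n for n in names if not is_anonymous_suite(n)]
    return {"anonymous": anonymous, "authenticated": authenticated}

def anonymous_from_ciphers_v(text):
    """Parse `openssl ciphers -v` style output and return the suites with Au=None."""
    found = []
    for line in text.splitlines():
        m = CIPHERS_V_LINE.match(line.strip())
        if m and m.group("auth") == "None":
            found.append(m.group("name"))
    return found

# Constructed sample of a Java-style cipher list (not from the original post).
SAMPLE_JSSE_LIST = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]

# Constructed sample of `openssl ciphers -v` output (not captured from a real host).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES128-SHA  TLSv1 Kx=ECDH Au=RSA  Enc=AES(128) Mac=SHA1
ADH-AES128-SHA        SSLv3 Kx=DH   Au=None Enc=AES(128) Mac=SHA1
AECDH-AES256-SHA      TLSv1 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
AES256-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=AES(256) Mac=SHA1
"""
```

Any suite the audit lists under "anonymous" should be removed from the connector's cipher configuration; a listener that negotiates none of them cannot be impersonated the way the finding describes.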