tomcat-users mailing list archives

From David Smith <d...@cornell.edu>
Subject Re: avoiding ssl vulnerabilities in tomcat
Date Tue, 04 Aug 2009 12:24:28 GMT
Just to clarify, authentication to my mind means providing
username/password credentials.  There's nothing in the connector aside
from maybe the clientAuth="false" attribute that controls this.  Setting
that to true would mean the client browser is required to send an
authentication certificate during the initial handshake.  Do you mean
accessing without encryption or server certificate?  If so, are there
any other connectors configured?  Can you offer any more specific
information regarding what the support team found?

--David
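An added check that is not part of this thread: the scanner finding quoted further down, "SSL Server Allows Cleartext Communication", refers to a server that will negotiate cipher suites with no encryption (NULL); the related "anonymous" suites (aNULL) provide no server authentication. Neither depends on clientAuth. The script below probes a port you administer with OpenSSL's s_client; the host, port, script name and the assumption that s_client is on the PATH are mine, not the thread's (defaults match the 8443 connector quoted below).

```shell
#!/bin/sh
# Added example, not code from the thread. Probes an HTTPS port you
# administer for cipher suites that give no encryption (NULL) or no
# server authentication (aNULL). Assumes OpenSSL's s_client is installed.
# Caveat: if the local OpenSSL was built without NULL suites, the NULL
# probe can never succeed and will report "rejects" even on a weak server.
# -cipher covers TLS 1.2 and earlier, which is all a Tomcat 4 server speaks.

# classify_handshake OUTPUT: 0 if the s_client output shows a completed
# handshake (a real suite was negotiated), 1 if no suite was agreed on.
classify_handshake() {
    # s_client prints "New, (NONE), Cipher is (NONE)" when the handshake fails
    printf '%s\n' "$1" | grep -q '^New, .*Cipher is' || return 1
    printf '%s\n' "$1" | grep -q 'Cipher is (NONE)' && return 1
    return 0
}

# probe HOST PORT CIPHERLIST: attempt one handshake restricted to CIPHERLIST.
probe() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" -cipher "$3" 2>&1)
    classify_handshake "$out"
}

# audit HOST PORT: one line per weak cipher class; returns 1 on any finding.
audit() {
    rc=0
    for class in NULL aNULL; do
        if probe "$1" "$2" "$class"; then
            echo "FINDING: $1:$2 accepts $class cipher suites"
            rc=1
        else
            echo "ok: $1:$2 rejects $class cipher suites"
        fi
    done
    return $rc
}

# Usage: AUDIT_HOST=myserver AUDIT_PORT=8443 sh ssl_null_check.sh
# (no network access is attempted unless AUDIT_HOST is set)
if [ -n "$AUDIT_HOST" ]; then
    audit "$AUDIT_HOST" "${AUDIT_PORT:-8443}"
fi
```

A non-zero exit means at least one weak class was accepted; compare the result with what the support team reported before changing the connector.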

sunil chandran wrote:
> Hello sir,
>  
> I am sorry. I am using tomcat 4
>  
>  <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8443" minProcessors="5" maxProcessors="150"
>                enableLookups="true"
>                acceptCount="100" debug="0" scheme="https" secure="true"
>                useURIValidationHack="false" disableUploadTimeout="true">
>       <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>                keystoreFile=".keystore" keystorePass="mypass"
>                clientAuth="false" protocol="TLS" />
>     </Connector>
>
> This is the portion of server.xml. I have enabled SSL.
>  
> Still there are some vulnerabilities as informed by the support team. They say that Tomcat
> is configured to access without authentication.
>  
> 1. is it true?
> 2. How can we confirm if the Tomcat SSL is configured using any algorithm to authenticate
> or “none”.
>  
> please help me.
>  
> regards
> Sunil C
>  
>  
>
>
> --- On Tue, 4/8/09, Mark Thomas <markt@apache.org> wrote:
>
>
> From: Mark Thomas <markt@apache.org>
> Subject: Re: avoiding ssl vulnerabilities in tomcat
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Date: Tuesday, 4 August, 2009, 2:42 PM
>
>
> sunil chandran wrote:
>   
>> there are some vulnerabilities existing on my server:
>>   
>> SSL Server Allows Cleartext Communication Vulnerability 
>>     
>
> <snip/>
>
>   
>> Can someone help me identify the place in server.xml file to avoid these vulnerabilities.
>>     
>
> You didn't say which Tomcat version so I am going to assume 6.0.20.
> Neither did you say which connector you are using. I am going to assume
> the default Java blocking IO connector.
>
> The info you require is in the docs. Take a look at the SSL section of
> this page:
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
>
> Mark
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
