tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: avoiding ssl vulnerabilities in tomcat
Date Tue, 04 Aug 2009 16:09:35 GMT
sunil chandran wrote:
> Hello sir,
>  
> I am sorry. I am using tomcat 4

Tomcat 4 is no longer supported. You *really* need to upgrade.

>  <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8443" minProcessors="5" maxProcessors="150"
>                enableLookups="true"
>                acceptCount="100" debug="0" scheme="https" secure="true"
>                useURIValidationHack="false" disableUploadTimeout="true">

Again, read the docs. If you must use Tomcat 4 (and that is a bad idea)
you should not be using the Factory element.

>       <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>                keystoreFile=".keystore" keystorePass="mypass"
>                clientAuth="false" protocol="TLS" />
>     </Connector>
> 
> this is the portion of server.xml. I have enabled ssl.
>  
> still there are some vulnerabilities as informed by support team. They say that tomcat is configured to access without authentication.
>  
> 1. is it true?

Maybe.

> 2. How can we confirm if the tomcat SSL is configured using any algorithm to authenticate or “none”.

With clientAuth="false" authentication will be controlled by your app's
web.xml.

Mark
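
One way to check both places the reply above names, as an added example that is not part of the original message or of Tomcat: it reads `clientAuth` from each secure connector in server.xml and lists which URL patterns the application's web.xml puts behind an `auth-constraint`. The sample documents, the function names and the `/admin/*` and `manager` values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: server.xml fragment shaped like the connector quoted above.
SERVER_XML = """<Server><Service>
  <Connector port="8443" scheme="https" secure="true">
    <Factory keystoreFile=".keystore" clientAuth="false" protocol="TLS"/>
  </Connector>
</Service></Server>"""

# Constructed sample: web.xml of a hypothetical application.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def local(tag):
    """Strip an XML namespace so old DTD-style and newer web.xml both match."""
    return tag.rsplit("}", 1)[-1]

def client_auth_settings(server_xml):
    """Map each secure Connector's port to its clientAuth value."""
    found = {}
    for conn in ET.fromstring(server_xml).iter():
        if local(conn.tag) != "Connector" or conn.get("secure") != "true":
            continue
        value = conn.get("clientAuth")
        for child in conn:  # the setting may sit on a nested Factory element
            if local(child.tag) == "Factory":
                value = child.get("clientAuth", value)
        found[conn.get("port")] = value or "false"  # absent is reported as false
    return found

def app_auth(web_xml):
    """Return (auth-method, url-patterns covered by an auth-constraint)."""
    method, protected = None, []
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) == "auth-method":
            method = (el.text or "").strip()
        elif local(el.tag) == "security-constraint":
            if any(local(k.tag) == "auth-constraint" for k in el):
                protected += [(u.text or "").strip() for u in el.iter()
                              if local(u.tag) == "url-pattern"]
    return method, protected
```

If `clientAuth` is `false` and the list of protected patterns comes back empty, nothing in either file asks the container to authenticate a request, whatever `auth-method` says.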



