tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: avoiding ssl vulnerabilities in tomcat
Date Mon, 10 Aug 2009 10:07:01 GMT
sunil chandran wrote:
> Hello all,
> I found this issue from support team:
> THREAT:
> The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using an algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer, Netscape and Mozilla do not use anonymous authentication ciphers by default.
> A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm.
> SSL client-server communication may use several different types of authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the communications are vulnerable to a man-in-the-middle attack.
> IMPACT:
> An attacker can exploit this vulnerability to impersonate your server to clients.

It would have saved a lot of time if you had quoted the CVE reference
for this issue. It is CVE-2007-1858.

> SOLUTION:
> Disable support for anonymous authentication.
> Please tell me what exactly I must do in tomcat 4 to avoid this ssl vulnerability.
> Please help.

Again, *Tomcat 4 is no longer supported - you REALLY need to upgrade*.

If you insist on continuing to use Tomcat 4 then as per
http://tomcat.apache.org/security-4.html you need to upgrade to 4.1.32
or later to avoid this issue.

Given that there are other, arguably more serious, vulnerabilities still
present in 4.1.32, if you must stay on 4.1.x then you should upgrade to
4.1.40.

Mark
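The scanner finding quoted above and the CVE Mark points at both come down to one question: will the connector negotiate a cipher suite with no server authentication? That is checkable from the outside, which also answers the "how can we confirm" question in the quoted message. The script below is an added example, not code from this thread or from the Tomcat project; it assumes the openssl command-line tool is installed (1.1.0 or later for the @SECLEVEL syntax), and the host, port and sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the Tomcat project: probe whether a
# TLS endpoint will negotiate an anonymous (aNULL) cipher suite, which is the
# unauthenticated key exchange behind CVE-2007-1858. Any endpoint that
# answers "accepted" here can be impersonated by a man-in-the-middle.
# Assumes the openssl command-line tool (1.1.0 or later for the @SECLEVEL
# syntax) is installed; host, port and the sample transcripts are
# constructed for illustration.

# Turn one s_client transcript into a verdict. Only the summary line
# "New, <protocol>, Cipher is <suite>" is inspected; OpenSSL names anonymous
# suites with an ADH- (finite-field) or AECDH- (elliptic-curve) prefix.
classify_anon_result() {
    transcript=$1
    case "$transcript" in
        *"Cipher is (NONE)"*)
            echo rejected ;;      # server refused every anonymous suite: good
        *"Cipher is ADH-"*|*"Cipher is AECDH-"*)
            echo accepted ;;      # anonymous suite negotiated: vulnerable
        *"connect:"*|*"Connection refused"*)
            echo unreachable ;;   # no TCP connection, so nothing was tested
        *)
            echo unknown ;;       # unexpected transcript, inspect by hand
    esac
}

# Probe a live endpoint. -tls1_2 pins the protocol because TLS 1.3 has no
# anonymous suites and a TLS 1.3 handshake would hide what the TLS 1.2
# configuration still allows. Offering only aNULL means the server cannot
# fall back to an authenticated suite; @SECLEVEL=0 lifts OpenSSL's minimum
# key-size rules so a server using short anonymous DH parameters (common
# with old JVMs) is still detected rather than rejected on the client side.
probe_anon() {
    host=$1
    port=${2:-8443}               # 8443 matches the connector in the thread
    transcript=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
                    -tls1_2 -cipher 'aNULL:@SECLEVEL=0' 2>&1)
    verdict=$(classify_anon_result "$transcript")
    echo "$host:$port anonymous cipher suites: $verdict"
    [ "$verdict" != accepted ]    # non-zero exit when the endpoint is exposed
}

if [ $# -gt 0 ]; then
    probe_anon "$@"
else
    # Offline self-check on constructed transcripts, one per outcome.
    classify_anon_result 'New, TLSv1.2, Cipher is ADH-AES256-SHA'   # accepted
    classify_anon_result 'New, (NONE), Cipher is (NONE)'            # rejected
    classify_anon_result 'connect:errno=111'                        # unreachable
fi
```

Run it as `sh probe_anon.sh your.host 8443` against the connector; a correctly configured server answers "rejected", because the only suites the client offered were anonymous ones and a handshake failure is the right response. An "accepted" verdict is exactly the scanner finding in the quoted report. Re-run it after the upgrade Mark recommends to confirm the fix actually reached the wire, and keep the TLS 1.2 pin in mind: a "rejected" under TLS 1.3 alone would prove nothing about the TLS 1.2 cipher list.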

> regards, Sunil C
> 
> --- On Tue, 4/8/09, Mark Thomas <markt@apache.org> wrote:
> 
> From: Mark Thomas <markt@apache.org>
> Subject: Re: avoiding ssl vulnerabilities in tomcat
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Date: Tuesday, 4 August, 2009, 9:39 PM
> 
> sunil chandran wrote:
>> Hello sir,
>>   
>> I am sorry. I am using tomcat 4
> 
> Tomcat 4 is no longer supported. You *really* need to upgrade.
> 
>>   <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>>      <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>>                 port="8443" minProcessors="5" maxProcessors="150"
>>                 enableLookups="true"
>>                 acceptCount="100" debug="0" scheme="https" secure="true"
>>                 useURIValidationHack="false" disableUploadTimeout="true">
> 
> Again, read the docs. If you must use Tomcat 4 (and that is a bad idea)
> you should not be using the Factory element.
> 
>>        <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>>                 keystoreFile=".keystore" keystorePass="mypass"
>>                 clientAuth="false" protocol="TLS" />
>>      </Connector>
>>
>> this is the portion of server.xml. I have enabled ssl.
>>   
>> still there are some vulnerabilities as informed by support team. They say that tomcat
>> is configured to access without authentication. 
>>   
>> 1. is it true?
> 
> Maybe.
> 
>> 2. How can we confirm if the tomcat SSL is configured using any algorithm to authenticate
>> or “none”.
> 
> With clientAuth="false" authentication will be controlled by your app's
> web.xml.
> 
> Mark
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
