tomcat-users mailing list archives

From sunil chandran <sunilonweb2...@yahoo.co.in>
Subject Re: avoiding ssl vulnerabilities in tomcat
Date Tue, 04 Aug 2009 09:23:53 GMT
Hello sir,
 
I am sorry. I am using Tomcat 4.
 
 <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="150"
               enableLookups="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               keystoreFile=".keystore" keystorePass="mypass"
               clientAuth="false" protocol="TLS" />
    </Connector>

This is the portion of server.xml. I have enabled SSL.
 
Still, there are some vulnerabilities, as informed by the support team. They say that Tomcat is
configured to access without authentication.
 
1. Is it true?
2. How can we confirm whether the Tomcat SSL is configured using any algorithm to authenticate,
or "none"?
 
Please help me.
 
regards
Sunil C
 
 


--- On Tue, 4/8/09, Mark Thomas <markt@apache.org> wrote:


From: Mark Thomas <markt@apache.org>
Subject: Re: avoiding ssl vulnerabilities in tomcat
To: "Tomcat Users List" <users@tomcat.apache.org>
Date: Tuesday, 4 August, 2009, 2:42 PM


sunil chandran wrote:
> There are some vulnerabilities existing on my server:
>  
> SSL Server Allows Cleartext Communication Vulnerability 

<snip/>

> Can someone help me identify the place in the server.xml file to avoid these vulnerabilities?

You didn't say which Tomcat version so I am going to assume 6.0.20.
Neither did you say which connector you are using. I am going to assume
the default Java blocking IO connector.

The info you require is in the docs. Take a look at the SSL section of
this page:
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

Mark



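Added example, not part of the original thread: one way to answer the "authenticate or none" question, assuming the scanner findings refer to the cipher suites the connector accepts. The script classifies JSSE/IANA-style suite names and flags those with no server authentication (`anon`), no encryption (`NULL`), or export-grade keys; the suite list is a constructed sample, and the function names are hypothetical.

```python
import re

# Constructed sample: suite names as a scanner might report them for port 8443.
SAMPLE_SUITES = [
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_NULL_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_ECDH_anon_WITH_NULL_SHA",
]

# <SSL|TLS>_<key exchange/auth>_WITH_<cipher>_<mac>
SUITE_RE = re.compile(r"^(?:SSL|TLS)_(?P<kx>.+?)_WITH_(?P<rest>.+)$")


def classify(suite):
    """Return the list of problems found in one suite name."""
    m = SUITE_RE.match(suite)
    if not m:
        # Names without _WITH_ (e.g. TLS 1.3 suites) are reported, not guessed at.
        return ["unparsed"]
    kx_parts = m.group("kx").split("_")
    cipher = m.group("rest").split("_")[0]
    problems = []
    if "anon" in kx_parts:      # anonymous key exchange: server is not authenticated
        problems.append("no-authentication")
    if cipher == "NULL":        # NULL cipher: traffic is sent in cleartext
        problems.append("no-encryption")
    if "EXPORT" in kx_parts:    # deliberately weakened export-grade suite
        problems.append("export-grade")
    return problems


def audit(suites):
    """Map each weak suite to its problems; suites with no finding are omitted."""
    findings = {}
    for suite in suites:
        problems = classify(suite)
        if problems:
            findings[suite] = problems
    return findings


if __name__ == "__main__":
    for suite, problems in audit(SAMPLE_SUITES).items():
        print(f"{suite}: {', '.join(problems)}")
```
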