tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Better SSL connector setup
Date Tue, 09 Apr 2013 10:04:20 GMT
Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Martin,
> 
> On 4/8/13 8:25 PM, Martin Gainty wrote:
>> Identification of keys and supported ciphers are important for
>> Key Exchange. But before that happens, the certificate's attributes are
>> the only means the CA-Authority can verify the name in the
>> cert. The certificate attributes should contain 1) 1 and only 1
>> Hostname to contact 2) Identification information from a DN in LDAP
>> or a suitably unique Name Service Server (ADS) allowing verification
>> of client to a 'Name
>> Service' http://docs.oracle.com/cd/E19575-01/820-3885/gimog/index.html
>>
>> Allowing your cert to authenticate to n hosts invites 2n as many
>> potential DOS attacks. Not requiring DN would negate the
>> CA-Authority ability to verify DN CN == SSL-Host. Think of online
>> banking and clients need to circumvent forged sites as 'The
>> official bank site' to send your money. If you are FE with Apache
>> you will want to configure in mod-ssl http://www.modssl.org/
> 
> Yes, you definitely want to make sure to download and install mod_ssl
> into your Apache 1.3 install on your Windows NT 3.5 server. All
> of your Netscape clients will be able to access full 48-bit export
> encryption over a modern HTTP 0.9 connection.

And don't forget to check that your RS-232 dial-up modem can handle the increased 
baud-rate necessary for the SSL-encrypted data.

