tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Better SSL connector setup
Date Tue, 09 Apr 2013 14:01:29 GMT

Jeffrey,

On 4/9/13 8:17 AM, Harris, Jeffrey E. wrote:
> 
> 
>> -----Original Message----- From: André Warnier
>> [mailto:aw@ice-sa.com] Sent: Tuesday, April 09, 2013 6:04 AM To:
>> Tomcat Users List Subject: Re: Better SSL connector setup
>> 
>> Christopher Schultz wrote:
>>> 
>>> Martin,
>>> 
>>> On 4/8/13 8:25 PM, Martin Gainty wrote:
>>>> Identification of keys and supported ciphers are important for
>>>> Key Exchange. But before that happens, the certificate's
>>>> attributes are the only means the CA-Authority can verify the
>>>> name in the cert. The certificate attributes should contain 1) 1
>>>> and only 1 Hostname to contact 2) Identification information from
>>>> a DN in LDAP or a suitably unique Name Service Server (ADS)
>>>> allowing verification of client to a 'Name Service'
>>>> http://docs.oracle.com/cd/E19575-01/820-3885/gimog/index.html
>>>> 
>>>> Allowing your cert to authenticate to n hosts invites 2n as
>>>> many potential DOS attacks. Not requiring DN would negate the
>>>> CA-Authority ability to verify DN CN == SSL-Host. Think of
>>>> online banking and clients need to circumvent forged sites as
>>>> 'The official bank site' to send your money. If you are FE
>>>> with Apache you will want to configure in mod-ssl
>>>> http://www.modssl.org/
>>> 
>>> Yes, you definitely want to make sure to download and install
>>> mod_ssl into your Apache 1.3 install on your Windows NT
>>> 3.5 server. All of your Netscape clients will be able to access
>>> full 48-bit export encryption over a modern HTTP 0.9
>>> connection.
>> 
>> And don't forget to check that your RS-232 dial-up modem can
>> handle the increased baud-rate necessary for the SSL-encrypted
>> data.
>> 
> 
> You can improve the performance of the existing RS-232 modem pool 
> by doing some ROT-13 and Fourier transforms prior to data
> encoding. However, this does require the equivalent capability on
> the receiving side.

-1

Using ROT-13 can certainly improve the security of your data
in-transit and *is* a NIST recommendation, but it unfortunately does
not improve performance as it introduces an additional operation in
the pipeline. As usual, real security is a trade-off between
convenience (here, speed) and actual security (the superior cipher
algorithm ROT-13). I believe recent versions of OpenSSL (0.9.1c?)
include the new ROT13-XOR-MD2 cipher, but since it is optimized for
8-bit processors you need to make sure to have a modern CPU -- I
recommend one of the "DX2" Intel processors.

As for Fourier transforms, that's just security through obscurity
(though it's pretty good obscurity). "Fast" Fourier transforms also
work best with data sizes that are powers-of-two in length and so your
throughput can experience odd pulsing behavior while your buffers fill
waiting to be transformed. Unless you have one of the aforementioned
"DX2" style processors coupled with a V.22bis-capable device, you are
probably not going to be able to keep up with all the traffic your
Gopher server is likely to generate.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
