tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Better SSL connector setup
Date Tue, 09 Apr 2013 14:01:29 GMT

On 4/9/13 8:17 AM, Harris, Jeffrey E. wrote:
>> -----Original Message-----
>> From: André Warnier []
>> Sent: Tuesday, April 09, 2013 6:04 AM
>> To: Tomcat Users List
>> Subject: Re: Better SSL connector setup
>>
>> Christopher Schultz wrote:
>>> Martin,
>>> On 4/8/13 8:25 PM, Martin Gainty wrote:
>>>> Identification of keys and supported ciphers is important for Key
>>>> Exchange. But before that happens, the certificate's attributes
>>>> are the only means the CA-Authority can use to verify the name
>>>> in the cert. The certificate attributes should contain 1) 1 and
>>>> only 1 Hostname to contact, 2) Identification information from
>>>> a DN in LDAP or a suitably unique Name Service Server
>>>> (ADS) allowing verification of client to a 'Name Service'
>> 3885/gimog/index.html
>>>> Allowing your cert to authenticate to n hosts invites 2n as
>>>> many potential DOS attacks. Not requiring DN would negate the
>>>> CA-Authority's ability to verify DN CN == SSL-Host. Think of
>>>> online banking and clients needing to circumvent forged sites posing as
>>>> 'The official bank site' to send your money. If you are FE
>>>> with Apache you will want to configure this in
>>>> mod-ssl
>>> Yes, you definitely want to make sure to download and install
>>> mod_ssl into your Apache 1.3 install on your Windows NT
>>> 3.5 server. All of your Netscape clients will be able to access
>>> full 48-bit export encryption over a modern HTTP 0.9
>>> connection.
>> And don't forget to check that your RS-232 dial-up modem can
>> handle the increased baud-rate necessary for the SSL-encrypted
>> data.
> You can improve the performance of the existing RS-232 modem pool 
> by doing some ROT-13 and Fourier transforms prior to data
> encoding. However, this does require the equivalent capability on
> the receiving side.

-1

Using ROT-13 can certainly improve the security of your data
in-transit and *is* a NIST recommendation, but it unfortunately does
not improve performance as it introduces an additional operation in
the pipeline. As usual, real security is a trade-off between
convenience (here, speed) and actual security (the superior cipher
algorithm ROT-13). I believe recent versions of OpenSSL (0.9.1c?)
include the new ROT13-XOR-MD2 cipher, but since it is optimized for
8-bit processors you need to make sure to have a modern CPU -- I
recommend one of the "DX2" Intel processors.

As for Fourier transforms, that's just security through obscurity
(though it's pretty good obscurity). "Fast" Fourier transforms also
work best with data sizes that are powers-of-two in length and so your
throughput can experience odd pulsing behavior while your buffers fill
waiting to be transformed. Unless you have one of the aforementioned
"DX2" style processors coupled with a V.22bis-capable device, you are
probably not going to be able to keep up with all the traffic your
Gopher server is likely to generate.

-chris