tomcat-users mailing list archives

From Olaf Kock <tom...@olafkock.de>
Subject Re: Tomcat 8 HTTPS issue with old browser
Date Tue, 04 Oct 2016 11:46:43 GMT


On 04.10.2016 at 12:43, Garratt, Dave wrote:
> To elaborate, there is only this single application running on the server. All other web applications use Windows IIS.
>
> I have mentioned that the problem is down to the old software on the scanner but it’s a huge international organisation and making an upgrade to their entire line of devices is likely to take some time.
IMHO you should point out that weakening encryption server-side is
nothing but a workaround, valid until the problem has been solved at its
root: The barcode scanners need to be upgraded.
If you rely on trusted CA certs instead of self-signing them, you might
be out of luck when the current certs need to be extended: *None* of the
OS's trusted root CAs will issue any SHA-1 certificate any more as of
this year. Double-check if the scanners can operate on a currently issued
cert. Alternatively you will need to roll out your own CA with - more or
less - self-signed certificates. Any one of these solutions will do, but
they might bite you if they come unsuspected and at an inconvenient time.
> However silly it may seem this is a “tick the box” exercise when it comes to security - HTTPS - yes/no.
>
> On the assumption that a weak encryption is better than none then I can’t really argue with the customer.
Well... at least you can mention it - make an impression by pointing to
an insecure requirement that has been made under the assumption of
adding security.
> Someone did suggest using Apache HTTP server to do the comms - maybe an IIS connector to Tomcat would accomplish the same?
I've mentioned "Apache httpd (or equivalent webserver of your choice)".
In this case IIS seems to be the webserver of your choice.
>
> As I mentioned before I’m a bit of a novice with the server config.
>
> Dave
>
>

