Re: SSL encryption

2004-12-27 Thread John Smith
I think you may do that the same way that hotmail and google do, namely:
immediately redirecting the user after login and placing some user
authorized/online flag in a database.

Run ethereal and trace the request/response conversation while logging into
hotmail . . .

- Original Message -
From: "VAN DER MARLIERE FREDERIC" <[EMAIL PROTECTED]>
To: 
Sent: Monday, December 27, 2004 10:03 AM
Subject: SSL encryption


> Hi all.
>
> I would like to encrypt my login process so that login and password are not
> visible on the network. That's why I defined an SSL connector on port 8443 in
> my server.xml. My problem is that after the user logged in, requests keep on
> using the https protocol on port 8443.
>
> Does someone know how to encrypt only the login process and afterwards use
> the http protocol again, on port 8080 ?
>
> Thanks.
> Fred.
>
>
>
> This message and any attachments (the "message") are confidential and
> intended solely for the addressees.
> Any unauthorised use or dissemination is prohibited. E-mails are
> susceptible to alteration.
> Neither CREDIT DU NORD nor any of its subsidiaries or affiliates shall be
> liable for the message if altered, changed or falsified.
>


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: SSL encryption

2004-12-27 Thread Bob Feretich
A general solution for this will probably not be available until/unless
rfc-2965 is approved. There is currently no standard that states the
scope of a session as related to protocol or port. The servlet working
group delayed clarifying this until Java Servlet Spec 2.5.
Best practice rfc-2964 states that you should write as if a session
scope can span accesses in different protocols and ports (state
management and authentication are independent).
Tomcat disabled the ability to have sessions span protocols (http/https)
in Tomcat 4. Tomcat 3 had a server configuration flag that controlled it.
It is not just a Tomcat problem. IE and Netscape/Firefox have come down
on different sides of the issue in the way they permit cookie access.
The easy workaround is to require your users to use IE, have cookies
enabled and initiate all sessions on a non-secure page (using http).
That way your JSESSIONID cookie is stored as non-secure. This seemed to
work on Tomcat 4.

If you set these requirements you need to modify Tomcat
AuthenticatorBase SSL redirection and the HttpResponse URL rewriting
methods.
Tomcat 5 seems to have rewritten these classes, so I don't know the
precise changes. You will probably have to install an http sniffer to see
what Tomcat and the browser are doing and make changes until Tomcat
performs the way you need it to.
If you make JSESSIONID cookies non-secure, then your application is
exposed to hijacking. You should also implement a security mechanism to
provide hijack protection.
Regards,
Bob Feretich
> Hi all.
>
> I would like to encrypt my login process so that login and password
> are not visible on the network. That's why I defined an SSL connector on
> port 8443 in my server.xml. My problem is that after the user logged in,
> requests keep on using the https protocol on port 8443.
>
> Does someone know how to encrypt only the login process and
> afterwards use the http protocol again, on port 8080 ?
>
> Thanks.
> Fred.





SV: SSL encryption

2004-12-27 Thread Roland Carlsson
Hi!

SSL in Tomcat does not allow for having the same session on both http and
https. Something about developer mistakes leading to security holes that
would reflect badly on Tomcat... At least that is the answer I got.

You can write your own Connector if you really need to work your way around
this. 

Regards
Roland Carlsson


On 04-12-27 16.03, "VAN DER MARLIERE FREDERIC"
<[EMAIL PROTECTED]> wrote:

> Hi all.
> 
> I would like to encrypt my login process so that login and password are not
> visible on the network. That's why I defined an SSL connector on port 8443 in
> my server.xml. My problem is that after the user logged in, requests keep on
> using the https protocol on port 8443.
> 
> Does someone know how to encrypt only the login process and afterwards use
> the http protocol again, on port 8080 ?
> 
> Thanks.
> Fred.
> 





SSL encryption

2004-12-27 Thread VAN DER MARLIERE FREDERIC
Hi all.

I would like to encrypt my login process so that login and password are not
visible on the network. That's why I defined an SSL connector on port 8443 in
my server.xml. My problem is that after the user logged in, requests keep on
using the https protocol on port 8443.

Does someone know how to encrypt only the login process and afterwards use
the http protocol again, on port 8080 ?

Thanks.
Fred.







SSL encryption

2004-09-08 Thread Robert Harper
What is the default encryption level with SSL in Tomcat? I have created a
private key with the RSA algorithm and am using SSL in the connection descriptor. I
need to know what bit encryption is used with a default setup and if I can
change that.

 

Robert S. Harper

Senior Engineer

1100 East 6600 South, Suite 300

Salt Lake City, UT 84121-7411

801.265.8800 ex. 255

 



SSL Encryption buffer size

2003-09-24 Thread William Bondy
I have SSL clients that can process maximum 4Kb of encrypted data per chunk.
Is there a way to configure the Coyote SSL factory to produce SSL sockets
that will not use an encrypt buffer greater than 4Kb?
 
 
 Thank you.
 
  Bill.


Re: Tomcat & SSL Encryption Level

2001-08-27 Thread Craig R. McClanahan



On Mon, 27 Aug 2001, Colin Freas wrote:

> Date: Mon, 27 Aug 2001 17:10:41 -0400
> From: Colin Freas <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Tomcat & SSL Encryption Level
>
>
> I wrote this class some time ago to determine the security level of user
> connections before allowing them to login.
>
> It worked with Resin, but now I'm using Tomcat 3.2.3 and the same code isn't
> working.
>
> Is there some relatively painless way of accessing the key length of SSL
> connections?
>

In Servlet 2.3 (i.e. Tomcat 4.0) there is -- there's a new request
attribute that returns the key size:

  javax.servlet.request.cipher_suite

Unfortunately, this won't help you on Tomcat 3.2.3.

> Thanks,
> Colin Freas
>

Craig
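Added example, not code from any message in these threads: a Servlet 2.3 filter (Tomcat 4 and later) that combines the key-size check Craig and Colin discuss here with the hijack protection Bob Feretich recommends earlier on the page for setups where JSESSIONID is a non-secure cookie: besides requiring https with a key of at least 128 bits via the javax.servlet.request.key_size attribute, it only admits requests that carry a second, Secure-flagged cookie issued at login and matched against the session, so a session id sniffed on plain http cannot reach the SSL-only area. The class, cookie and attribute names and the login URL are assumptions.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.*;
import javax.servlet.http.*;
public class SecureAreaFilter implements Filter {
    static final String TOKEN_ATTR = "secureAuthToken"; // server-side copy, held in the HttpSession (assumed name)
    static final String TOKEN_COOKIE = "SECURETOKEN";   // client-side copy, a cookie flagged Secure (assumed name)
    static final String LOGIN_URL = "/login.jsp";       // hypothetical login page
    private static final SecureRandom RNG = new SecureRandom();
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // 1. Transport: https with a key of at least 128 bits, from the Servlet 2.3 attribute; fails closed if absent.
        Object ks = req.getAttribute("javax.servlet.request.key_size");
        if (!req.isSecure() || !(ks instanceof Integer) || ((Integer) ks).intValue() < 128) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "SSL with a key of at least 128 bits is required");
            return;
        }
        // 2. Session: JSESSIONID alone is not trusted here because it also travels over plain http,
        //    so the request must also carry the Secure-only token issued at login.
        HttpSession session = req.getSession(false);
        String expected = (session == null) ? null : (String) session.getAttribute(TOKEN_ATTR);
        String presented = null;
        Cookie[] cookies = req.getCookies();
        for (int i = 0; cookies != null && i < cookies.length; i++)
            if (TOKEN_COOKIE.equals(cookies[i].getName())) presented = cookies[i].getValue();
        if (expected == null || presented == null
                || !MessageDigest.isEqual(expected.getBytes(), presented.getBytes())) {
            res.sendRedirect(res.encodeRedirectURL(LOGIN_URL));
            return;
        }
        chain.doFilter(request, response);
    }
    // Call from the login servlet once the password has been verified over https.
    public static void issueToken(HttpServletRequest req, HttpServletResponse res) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = new BigInteger(1, raw).toString(16);
        req.getSession(true).setAttribute(TOKEN_ATTR, token);
        Cookie c = new Cookie(TOKEN_COOKIE, token);
        c.setSecure(true); // the browser sends it only over https, so an http sniffer never sees it
        c.setPath("/");
        res.addCookie(c);
    }
}
```

Map the filter to the SSL-only paths in web.xml and call SecureAreaFilter.issueToken from the login servlet right after the password check; pages served over plain http keep working with the ordinary session cookie.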




Tomcat & SSL Encryption Level

2001-08-27 Thread Colin Freas


I wrote this class some time ago to determine the security level of user
connections before allowing them to login.

It worked with Resin, but now I'm using Tomcat 3.2.3 and the same code isn't
working.

Is there some relatively painless way of accessing the key length of SSL
connections?

Thanks,
Colin Freas

---

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public abstract class secureHttpServlet extends HttpServlet {

  String LoginURL, SecurityTooLowURL, BadProtocolURL;

  public void init() {
    //  Set default URLs for possible redirection.
    BadProtocolURL = "badProtocol.html";
    SecurityTooLowURL = "securityTooLow.html";
    LoginURL = "login.html";
  }

  //  secureXXX should be overridden to provide desired behavior.
  public void secureGet(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
  }

  public final void doGet(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
    //  Servlet 2.3 attribute holding the SSL key size in bits; it is null when
    //  the container does not set it (e.g. Tomcat 3.2.x).
    Object ks = req.getAttribute("javax.servlet.request.key_size");
    HttpSession session = req.getSession(false);
    //  Check that https protocol used...
    if (req.getScheme().equals("https")) {
      //  Ensure at least 128-bit encryption used...
      if ((ks != null) && (Integer.parseInt(ks.toString()) >= 128)) {
        //  Check login status...
        if (session != null && session.getAttribute("s") != null) {
          secureGet(req, res);
        }
        else {
          res.sendRedirect(LoginURL);
        }
      }
      else {
        //  ks may be null here, so it must not be dereferenced.
        System.out.println("Security level: " + ks);
        res.sendRedirect(SecurityTooLowURL);
      }
    }
    else {
      res.sendRedirect(BadProtocolURL);
    }
  }
}




How can I determine SSL encryption strength in Tomcat 3.2?

2001-08-24 Thread Colin Freas


When I enumerate the attributes for the http request, I don't get a null
enumeration.  I thought that was where the information should be.

I built Tomcat with SSL support on my Redhat 7.1 box.

Any help appreciated.

Colin Freas




Way to require 128-bit SSL encryption with Tomcat 3.2.2?

2001-07-16 Thread Jonathan Eric Miller

Does anyone know if there is a way to require 128-bit SSL encryption using
Tomcat 3.2.2?

I found that if nothing else you can query the
javax.servlet.request.key_size attribute using Tomcat 4.0.

However, I would like to be able to do this with the current release version
of Tomcat and this version does not seem to set that attribute (neither does
3.3-m4).

Anyone know of some other way to require 128-bit SSL encryption?

If so, please be somewhat specific. Also, if you can, please CC
[EMAIL PROTECTED] in the response as I am not actually subscribed to
this list.

Thanks, Jon