Re: SSL encryption
I think you may do that the same way that Hotmail and Google do, namely: immediately redirecting the user after login and placing some user authorized/online flag in a database. Run Ethereal and trace the request/response conversation while logging into Hotmail . . .

- Original Message -
From: "VAN DER MARLIERE FREDERIC" <[EMAIL PROTECTED]>
To:
Sent: Monday, December 27, 2004 10:03 AM
Subject: SSL encryption

> Hi all.
>
> I would like to encrypt my login process so that login and password are not
> visible on the network. That's why I defined an SSL connector on port 8443 in
> my server.xml. My problem is that after the user logged in, requests keep on
> using the https protocol on port 8443.
>
> Does someone know how to encrypt only the login process and afterwards use
> the http protocol again, on port 8080?
>
> Thanks.
> Fred.
>
> This message and any attachments (the "message") are confidential and intended solely for the addressees.
> Any unauthorised use or dissemination is prohibited. E-mails are susceptible to alteration.
> Neither CREDIT DU NORD nor any of its subsidiaries or affiliates shall be liable for the message if altered, changed or falsified.

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: SSL encryption
A general solution for this will probably not be available until/unless RFC 2965 is approved. There is currently no standard that states the scope of a session as related to protocol or port. The servlet working group delayed clarifying this until Java Servlet Spec 2.5. Best practice RFC 2964 states that you should write as if a session scope can span accesses in different protocols and ports (state management and authentication are independent).

Tomcat disabled the ability to have sessions span protocols (http/https) in Tomcat 4. Tomcat 3 had a server configuration flag that controlled it.

It is not just a Tomcat problem. IE and Netscape/Firefox have come down on different sides of the issue in the way they permit cookie access.

The easy workaround is to require your users to use IE, have cookies enabled and initiate all sessions on a non-secure page (using http). That way your JSESSIONID cookie is stored as non-secure. This seemed to work on Tomcat 4. If you set these requirements you need to modify Tomcat AuthenticatorBase SSL redirection and the HttpResponse URL rewriting methods. Tomcat 5 seems to have rewritten these classes, so I don't know the precise changes. You will probably have to install an HTTP sniffer to see what Tomcat and the browser are doing and make changes until Tomcat performs the way you need it to.

If you make JSESSIONID cookies non-secure, then your application is exposed to hijacking. You should also implement a security mechanism to provide hijack protection.

Regards,
Bob Feretich

> Hi all.
>
> I would like to encrypt my login process so that login and password are not visible on the network. That's why I defined an SSL connector on port 8443 in my server.xml. My problem is that after the user logged in, requests keep on using the https protocol on port 8443.
>
> Does someone know how to encrypt only the login process and afterwards use the http protocol again, on port 8080?
>
> Thanks.
> Fred.
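One hijack-protection mechanism of the kind Bob recommends, as an added example that is not from this thread: a Servlet 2.3 filter (hypothetical names SecureAuthTokenFilter, AUTHTOKEN, auth.token and /login.jsp are assumptions) that lets JSESSIONID stay non-secure but honours the logged-in state only when an https request also presents a random token held in a cookie marked Secure, which the browser never sends over plain http.

```java
import java.io.IOException;
import java.security.SecureRandom;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical filter, mapped to the protected URLs in web.xml. A non-secure
// JSESSIONID can be replayed from sniffed http traffic, so "logged in" is bound
// to a second cookie marked Secure, which the browser never sends over http.
public class SecureAuthTokenFilter implements Filter {
    static final String TOKEN_ATTR = "auth.token";  // copy held in the session
    static final String TOKEN_COOKIE = "AUTHTOKEN"; // Secure-only cookie name
    private static final SecureRandom RNG = new SecureRandom();
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        String expected = (session == null) ? null
                : (String) session.getAttribute(TOKEN_ATTR);
        if (req.isSecure()) {
            if (expected != null && expected.equals(cookieValue(req, TOKEN_COOKIE))) {
                chain.doFilter(req, res);
                return;
            }
            // https, but the session claims a login it cannot prove: likely replay.
            if (expected != null) session.invalidate();
        }
        // Plain http never proves a login (the browser withholds the Secure cookie).
        res.sendRedirect(res.encodeRedirectURL("/login.jsp")); // assumed page
    }
    /** Call from the login servlet once credentials were verified over https. */
    public static void markAuthenticated(HttpServletRequest req, HttpServletResponse res) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuffer hex = new StringBuffer();
        for (int i = 0; i < raw.length; i++)
            hex.append(Integer.toHexString((raw[i] & 0xff) | 0x100).substring(1));
        req.getSession(true).setAttribute(TOKEN_ATTR, hex.toString());
        Cookie c = new Cookie(TOKEN_COOKIE, hex.toString());
        c.setSecure(true); // browser sends it only over https
        c.setPath("/");
        res.addCookie(c);
    }
    static String cookieValue(HttpServletRequest req, String name) {
        Cookie[] cs = req.getCookies();
        for (int i = 0; cs != null && i < cs.length; i++)
            if (name.equals(cs[i].getName())) return cs[i].getValue();
        return null;
    }
}
```

Pages served over http still see the same session, but nothing in it can be treated as authenticated there, which is the trade-off for keeping JSESSIONID non-secure.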
Re: SSL encryption
Hi!

SSL in Tomcat does not allow for having the same session both http and https. Something about developer mistakes leading to security holes that would reflect badly back on Tomcat... At least that is the answer I got.

You can write your own Connector if you really need to work your way around this.

Regards
Roland Carlsson

On 04-12-27 16.03, "VAN DER MARLIERE FREDERIC" <[EMAIL PROTECTED]> wrote:

> Hi all.
>
> I would like to encrypt my login process so that login and password are not
> visible on the network. That's why I defined an SSL connector on port 8443 in
> my server.xml. My problem is that after the user logged in, requests keep on
> using the https protocol on port 8443.
>
> Does someone know how to encrypt only the login process and afterwards use
> the http protocol again, on port 8080?
>
> Thanks.
> Fred.
SSL encryption
Hi all.

I would like to encrypt my login process so that login and password are not visible on the network. That's why I defined an SSL connector on port 8443 in my server.xml. My problem is that after the user logged in, requests keep on using the https protocol on port 8443.

Does someone know how to encrypt only the login process and afterwards use the http protocol again, on port 8080?

Thanks.
Fred.
SSL encryption
What is the default encryption level with SSL in Tomcat? I have created a private key with the RSA algorithm and am using SSL in the connection descriptor. I need to know what bit encryption is used with a default setup and if I can change that.

Robert S. Harper
Senior Engineer
1100 East 6600 South, Suite 300
Salt Lake City, UT 84121-7411
801.265.8800 ex. 255
SSL Encryption buffer size
I have SSL clients that can process a maximum of 4Kb of encrypted data per chunk. Is there a way to configure the Coyote SSL factory to produce SSL sockets that will not use an encrypt buffer greater than 4Kb?

Thank you.
Bill.
Re: Tomcat & SSL Encryption Level
On Mon, 27 Aug 2001, Colin Freas wrote:

> Date: Mon, 27 Aug 2001 17:10:41 -0400
> From: Colin Freas <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Tomcat & SSL Encryption Level
>
> I wrote this class some time ago to determine the security level of user
> connections before allowing them to login.
>
> It worked with Resin, but now I'm using Tomcat 3.2.3 and the same code isn't
> working.
>
> Is there some relatively painless way of accessing the key length of SSL
> connections?

In Servlet 2.3 (i.e. Tomcat 4.0) there is -- there's a new request attribute that returns the key size:

javax.servlet.request.cipher_suite

Unfortunately, this won't help you on Tomcat 3.2.3.

> Thanks,
> Colin Freas

Craig
Tomcat & SSL Encryption Level
I wrote this class some time ago to determine the security level of user connections before allowing them to login. It worked with Resin, but now I'm using Tomcat 3.2.3 and the same code isn't working. Is there some relatively painless way of accessing the key length of SSL connections?

Thanks,
Colin Freas

---
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public abstract class secureHttpServlet extends HttpServlet {
    String LoginURL, SecurityTooLowURL, BadProtocolURL;

    public void init() {
        // Set default URLs for possible redirection.
        BadProtocolURL = "badProtocol.html";
        SecurityTooLowURL = "securityTooLow.html";
        LoginURL = "login.html";
    }

    // secureXXX should be overridden to provide desired behavior.
    public void secureGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
    }

    public final void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // Servlet 2.3 names this attribute key_size (underscore); it is null on
        // containers that do not set it.
        Object ks = req.getAttribute("javax.servlet.request.key_size");
        HttpSession session = req.getSession(false);

        // Check that https protocol used...
        if (req.getScheme().equals("https")) {
            // Ensure at least 128-bit encryption used...
            if ((ks != null) && (Integer.parseInt(ks.toString()) >= 128)) {
                // Check login status...
                if (session != null && session.getAttribute("s") != null) {
                    secureGet(req, res);
                } else {
                    res.sendRedirect(LoginURL);
                }
            } else {
                res.sendRedirect(SecurityTooLowURL);
                // ks may be null here, so don't dereference it.
                System.out.println("Security level: " + ks);
            }
        } else {
            res.sendRedirect(BadProtocolURL);
        }
    }
}
How can I determine SSL encryption strength in Tomcat 3.2?
When I enumerate the attributes for the http request, I don't get a null enumeration. I thought that was where the information should be. I built Tomcat with SSL support on my Redhat 7.1 box. Any help appreciated. Colin Freas
Way to require 128-bit SSL encryption with Tomcat 3.2.2?
Does anyone know if there is a way to require 128-bit SSL encryption using Tomcat 3.2.2? I found that if nothing else you can query the javax.servlet.request.key_size attribute using Tomcat 4.0. However, I would like to be able to do this with the current release version of Tomcat and this version does not seem to set that attribute (neither does 3.3-m4). Anyone know of some other way to require 128-bit SSL encryption? If so, please be somewhat specific. Also, if you can, please CC [EMAIL PROTECTED] in the response as I am not actually subscribed to this list.

Thanks,
Jon