Info on how SSL works is off topic here and there are some very good papers on the net on the subject. I did a short search with Google (search terms: SSL encryption protocol) and found a reasonable intro paper from Netscape on the subject. It's at least enough to get your feet wet.
As far as Tomcat is concerned, I use 4.0.1 and can't authoritatively give you an answer on the level of SSL encryption supported by 3.2.3. The docs should say so somewhere. I would suggest using the latest stable JDK (not JRE) and downloading the latest version of JSSE from Sun since it does not come with JDK 1.3.x. I believe server.xml has instructions on generating a self-signed cert for Tomcat as well.

On Wednesday 17 October 2001 07:19 pm, you wrote:
> ----- Message Text -----
>
> Hi All,
>
> I've got an older Tomcat 3.2.2 installation that's apparently fully
> functional (haven't tried servlets/JSP yet) and I've just set up a new
> Tomcat 3.2.3 installation. Both installations serve their pages just fine.
> ...I realize that someone might tell me to go talk to another group
> regarding these topics but I'm posting here because this audience has to
> _use_ these tools whereas these questions would be lost on other groups
> (like JRE)...
>
> I'd like to get some more insight related to certificates and encryption
> strength:
>
> 1) When I connect to my new 3.2.3 installation and have my certificate
> read, it reports to the browser that during a "Certificate Name Check" the
> certificate presented does not contain the correct site name. I'd like to
> know how to avoid this warning message. I also note that I don't get this
> message when I connect to my older 3.2.2 installation, yet the keys were
> created (more or less) the same way (see below). Ideas?
>
> 2) Additionally, the new 3.2.3 installation reports that its certificate
> uses "Export Grade (RC4-Export with 40-bit secret key)". After a second
> look, so does the older 3.2.2 installation. I'm not too worried about the
> encryption of the certificate, but this brought up an interesting question
> for which I don't know where to look: what's the actual encryption used
> for communications? I'm a Netscape fan, and eschew IE, and for various
> reasons I only use Netscape 4.7 - it doesn't tell me what the
> communications algorithm or strength is. Any clues where I find this out?
> (I saw that Tomcat with JSSE has a LOT of choices...) Does the Tomcat
> server automatically pick the highest strength encryption available with
> the connecting client? I haven't seen anything on this anywhere and I
> have looked... What gets me thinking here is that I downloaded the full
> strength US versions in every case. If it's going to only use export 40
> bit, what's the point and where's that stronger encryption?
>
> Certificate details: In installing Tomcat 3.2.2 I ran into a "bug" in that
> the certificate generator 'keytool' from the JRE in my environ apparently
> didn't include RSA support. (java version "1.2.2" Solaris VM - build
> Solaris_JDK_1.2.2_06, native threads, sunwjit). So, I loaded version
> 1.3.1 of the Java2 runtime environment and the keytool from that works
> fine. There should be some different flags for specifying what grade
> of key gets generated in each case - I haven't found them yet. ...On my
> new 3.2.3 installation, I ran the keytool that came with Java 1.3.0. The
> certificate served by the 3.2.3 installation reports a bad certificate
> name check, and the one from JRE 1.3.1 doesn't...
>
> Minor, unrelated point: "${TOMCAT_HOME}/bin/tomcat.sh" doesn't seem
> to work properly on my RedHat 6.2 box. On one occasion it crashed the
> shell I was in when I accidentally ran start twice. I suppose it
> could be unrelated but nothing else died. -shrug- I'm not spending any
> time on that one. -smile-
>
> Thanks for your comments,
> Richard
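The "Certificate Name Check" warning in question 1 is the browser comparing the host name it connected to against the names carried in the server certificate; a self-signed cert whose CN was filled in at keytool's "What is your first and last name?" prompt with anything other than the server's host name fails that check. The Python below is an added illustration of that comparison and is not part of this thread or of Tomcat or JSSE. The certificate dictionaries are constructed by hand in the shape `ssl.SSLSocket.getpeercert()` returns, so no network connection is made, and the host names are placeholders. It follows current browser behaviour, which is stricter than the 2001 clients discussed above: subjectAltName dNSName entries are authoritative when present, and the subject CN is consulted only as a legacy fallback when the certificate has no DNS SAN at all.

```python
"""Host-name check of the kind a browser applies to a server certificate.

Added example, not code from the mailing-list thread, Tomcat or JSSE.
Certificates are constructed dicts in the shape ssl.getpeercert() returns.
"""
from __future__ import annotations


def _dns_name_match(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a host name.

    Comparison is case-insensitive. A single leading '*.' wildcard stands
    for exactly one label (RFC 6125 style) and never matches the bare
    parent domain or a public suffix such as '*.com'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        parent = pattern[2:]
        host_labels = host.split(".")
        return (
            "." in parent                      # refuse '*.com'
            and "*" not in parent              # exactly one wildcard
            and len(host_labels) >= 2
            and ".".join(host_labels[1:]) == parent
        )
    return False


def match_hostname(cert: dict, hostname: str) -> tuple[bool, str]:
    """Return (matched, reason) for a getpeercert()-shaped certificate.

    subjectAltName DNS entries decide when present; the subject commonName
    is only a legacy fallback for certificates with no DNS SAN.
    """
    san_dns = [val for kind, val in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        for name in san_dns:
            if _dns_name_match(name, hostname):
                return True, f"matched subjectAltName DNS:{name}"
        return False, f"{hostname!r} is not among subjectAltName {san_dns}"
    common_names = [
        val for rdn in cert.get("subject", ()) for kind, val in rdn if kind == "commonName"
    ]
    for cn in common_names:
        if _dns_name_match(cn, hostname):
            return True, f"matched legacy commonName {cn!r} (no DNS SAN present)"
    return False, f"no DNS SAN and commonName {common_names} does not match {hostname!r}"


# Constructed: a keytool self-signed cert where the CN prompt was answered
# with a person's name instead of the server's host name.
CERT_WRONG_NAME = {
    "subject": ((("commonName", "Richard Example"),), (("organizationName", "Example Org"),)),
}
# Constructed: CN set to the host name clients actually use (legacy-only cert).
CERT_CN_MATCH = {
    "subject": ((("commonName", "tomcat.example.org"),),),
}
# Constructed: SAN-bearing cert; its CN is deliberately a non-matching name
# to show that the CN is ignored once a DNS SAN exists.
CERT_SAN = {
    "subject": ((("commonName", "ignored.example.org"),),),
    "subjectAltName": (("DNS", "tomcat.example.org"), ("DNS", "*.dev.example.org")),
}


def demo() -> dict[str, bool]:
    """Run the check over the constructed certificates; keyed by scenario."""
    return {
        "wrong-cn": match_hostname(CERT_WRONG_NAME, "tomcat.example.org")[0],
        "cn-ok": match_hostname(CERT_CN_MATCH, "TOMCAT.example.org")[0],
        "san-cn-ignored": match_hostname(CERT_SAN, "ignored.example.org")[0],
        "san-wildcard": match_hostname(CERT_SAN, "app.dev.example.org")[0],
        "san-wildcard-two-labels": match_hostname(CERT_SAN, "a.b.dev.example.org")[0],
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:24s} {'OK' if ok else 'NAME CHECK FAILED'}")
```

The practical fix on the server side is to generate the key pair non-interactively with keytool's `-dname` option so the CN is the DNS name clients connect to (for example `-dname "CN=tomcat.example.org,O=Example Org"`, host name and organisation being placeholders), and `-keyalg RSA` with `-keysize` to choose the key type and length that question 2 asks about.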