Info on how SSL works is off topic here and there are some very good papers 
on the net on the subject.  I did a short search with Google (search terms: 
SSL encryption protocol) and found a reasonable intro paper from Netscape on 
the subject.  It's at least enough to get your feet wet.

As far as Tomcat is concerned, I use 4.0.1 and can't authoritatively give you 
an answer on the level of SSL encryption supported by 3.2.3.  The docs should 
say so somewhere.  I would suggest using the latest stable JDK (not JRE) and 
downloading the latest version of JSSE from Sun since it does not come with 
JDK 1.3.x.  I believe server.xml has instructions on generating a self-signed 
cert for Tomcat as well.

On Wednesday 17 October 2001 07:19 pm, you wrote:
> ----- Message Text -----
>
> Hi All,
>
> I've got an older Tomcat 3.2.2 installation that's apparently fully
> functional (haven't tried servlets/JSP yet) and I've just set up a new
> Tomcat 3.2.3 installation. Both installations serve their pages just fine.
> ...I realize that someone might tell me to go talk to another group
> regarding these topics but I'm posting here because this audience has to
> _use_ these tools whereas these questions would be lost on other groups
> (like JRE)...
>
> I'd like to get some more insight related to certificates and encryption
> strength:
>
> 1) When I connect to my new 3.2.3 installation and have my certificate
> read, it reports to the browser that during a "Certificate Name Check" the
> certificate presented does not contain the correct site name. I'd like to
> know how to avoid this warning message. I also note that I don't get this
> message when I connect to my older 3.2.2 installation, yet the keys were
> created (more or less) the same way (see below). Ideas?
>
> 2) Additionally, the new 3.2.3 installation reports that its certificate
> uses "Export Grade (RC4-Export with 40-bit secret key)". After a second
> look, so does the older 3.2.2 installation. I'm not too worried about the
> encryption of the certificate, but this brought up an interesting question
> for which I don't know where to look: what's the actual encryption used
> for communications? I'm a Netscape fan, and eschew IE, and for various
> reasons I only use Netscape 4.7 - it doesn't tell me what the
> communications algorithm or strength is. Any clues where I find this out?
> (I saw that Tomcat with JSSE has a LOT of choices...) Does the Tomcat
> server automatically pick the highest strength encryption available with
> the connecting client? I haven't seen anything on this anywhere and I
> have looked... What gets me thinking here is that I downloaded the full
> strength US versions in every case. If it's going to only use export 40
> bit, what's the point and where's that stronger encryption?
>
> Certificate details: In installing Tomcat 3.2.2 I ran into a "bug" in that
> the certificate generator 'keytool' from the JRE in my environ apparently
> didn't include RSA support. (java version "1.2.2" Solaris VM - build
> Solaris_JDK_1.2.2_06, native threads, sunwjit) . So, I loaded version
> 1.3.1 of the Java2 runtime environment and the keytool from that works
> fine. There should be some different flags for specifying what grade
> of key gets generated in each case - I haven't found them yet. ...On my
> new 3.2.3 installation, I ran the keytool that came with Java 1.3.0. The
> certificate served by the 3.2.3 installation reports a bad certificate
> name check, and the one from JRE 1.3.1 doesn't...
>
> Minor, unrelated point: "${TOMCAT_HOME}/bin/tomcat.sh" doesn't seem
> to work properly on my RedHat 6.2 box. On one occasion it crashed the
> shell I was in when I accidentally ran start twice. I suppose it
> could be unrelated but nothing else died. -shrug- I'm not spending any
> time on that one. -smile-
>
> Thanks for your comments,
> Richard
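
Added example, not part of either message above and not Tomcat's own code: the export-grade question can be checked on the server side by listing the cipher suites a JSSE runtime enables and removing 40-bit export, anonymous and NULL suites by name. The class name and the sample suite list are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Added example (hypothetical class name): restrict a JSSE server socket to non-export suites.
public class ExportSuiteFilter {

    // Export-grade suites carry "_EXPORT_" or a 40-bit key marker in their names.
    static boolean isExportGrade(String suite) {
        return suite.contains("_EXPORT_") || suite.contains("_40_");
    }

    // Anonymous suites skip server authentication; NULL suites do not encrypt.
    static boolean isUnauthenticatedOrNull(String suite) {
        return suite.contains("_anon_") || suite.contains("_NULL_");
    }

    // Keep only suites outside those categories. On a current runtime RC4, DES
    // and 3DES should be dropped as well; this filter covers the export case only.
    static String[] strongOnly(String[] suites) {
        List<String> keep = new ArrayList<>();
        for (String s : suites) {
            if (!isExportGrade(s) && !isUnauthenticatedOrNull(s)) keep.add(s);
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of JSSE suite names, not output captured from any server.
        String[] sample = {
            "SSL_RSA_WITH_RC4_128_MD5",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_DH_anon_WITH_RC4_128_MD5",
            "SSL_RSA_WITH_NULL_MD5"
        };
        for (String s : strongOnly(sample)) System.out.println("keep " + s);

        // Apply the same filter to what this runtime enables by default.
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(0)) {
            ss.setEnabledCipherSuites(strongOnly(ss.getEnabledCipherSuites()));
            System.out.println(ss.getEnabledCipherSuites().length
                    + " suites enabled on port " + ss.getLocalPort());
        }
    }
}
```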
