Hello sir,

I am sorry. I am using Tomcat 4.

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="150"
               enableLookups="true" acceptCount="100" debug="0"
               scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               keystoreFile=".keystore" keystorePass="mypass"
               clientAuth="false" protocol="TLS" />
    </Connector>

This is the portion of server.xml. I have enabled SSL. Still there are some vulnerabilities, as informed by the support team. They say that Tomcat is configured to allow access without authentication.

1. Is it true?
2. How can we confirm if the Tomcat SSL is configured using any algorithm to authenticate or “none”?

Please help me.

regards
Sunil C

--- On Tue, 4/8/09, Mark Thomas <ma...@apache.org> wrote:

From: Mark Thomas <ma...@apache.org>
Subject: Re: avoiding ssl vulnerabilities in tomcat
To: "Tomcat Users List" <users@tomcat.apache.org>
Date: Tuesday, 4 August, 2009, 2:42 PM

sunil chandran wrote:
> there are some vulnerabilities existing on my server:
>
> SSL Server Allows Cleartext Communication Vulnerability
<snip/>
> Can someone help me identify the place in server.xml file to avoid these
> vulnerabilities.

You didn't say which Tomcat version so I am going to assume 6.0.20. Neither did you say which connector you are using. I am going to assume the default Java blocking IO connector.

The info you require is in the docs. Take a look at the SSL section of this page:
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

Mark
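Added example, not part of the original thread and not Tomcat's own code: one way to approach question 2 is to ask the JVM that runs Tomcat which JSSE cipher suites it supports and enables by default, and flag those whose names mark them as anonymous (no server authentication) or NULL (no encryption). It assumes the scanner findings refer to such suites; the class name `JsseCipherAudit` is hypothetical, and the final list is only a candidate for the `ciphers` attribute described in the Tomcat 6 connector documentation linked in the reply, which the Tomcat 4 `Factory` element shown above may not accept.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLServerSocketFactory;

// Added example (hypothetical class name): audit the JSSE cipher suites of this JVM.
public class JsseCipherAudit {

    // Classify a JSSE suite name; returns null when no weakness marker is present.
    static String weakness(String suite) {
        if (suite.contains("_anon_"))      return "anonymous key exchange: server is not authenticated";
        if (suite.contains("_WITH_NULL_")) return "NULL cipher: traffic is not encrypted";
        if (suite.contains("_EXPORT_"))    return "export-grade key length";
        return null;
    }

    public static void main(String[] args) {
        SSLServerSocketFactory f =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        Set<String> enabled =
                new LinkedHashSet<String>(Arrays.asList(f.getDefaultCipherSuites()));
        List<String> keep = new ArrayList<String>();

        System.out.println("Weak suites this JVM supports (* = enabled by default):");
        for (String suite : f.getSupportedCipherSuites()) {
            if (suite.endsWith("_SCSV")) continue;   // signalling value, not a real suite
            String why = weakness(suite);
            boolean on = enabled.contains(suite);
            if (why != null) {
                System.out.println((on ? " * " : "   ") + suite + "  -> " + why);
            } else if (on) {
                keep.add(suite);
            }
        }

        // Default-enabled suites with none of the markers above, comma separated.
        StringBuilder sb = new StringBuilder();
        for (String s : keep) {
            if (sb.length() > 0) sb.append(',');
            sb.append(s);
        }
        System.out.println();
        System.out.println("Default-enabled suites without those markers:");
        System.out.println(sb);
    }
}
```

Compile and run it with the same JDK that runs Tomcat, since the suite list depends on the JVM version and its security configuration.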