Hello all, I found this issue from the support team:

THREAT: "The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using an algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer, Netscape and Mozilla do not use anonymous authentication ciphers by default. A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm. SSL client-server communication may use several different types of authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the communications are vulnerable to a man-in-the-middle attack."

IMPACT: An attacker can exploit this vulnerability to impersonate your server to clients.

SOLUTION: Disable support for anonymous authentication.

Please tell me what exactly I must do in Tomcat 4 to avoid this SSL vulnerability. Please help.

regards,
Sunil C
--- On Tue, 4/8/09, Mark Thomas <ma...@apache.org> wrote:

From: Mark Thomas <ma...@apache.org>
Subject: Re: avoiding ssl vulnerabilities in tomcat
To: "Tomcat Users List" <users@tomcat.apache.org>
Date: Tuesday, 4 August, 2009, 9:39 PM

sunil chandran wrote:
> Hello sir,
>
> I am sorry. I am using tomcat 4

Tomcat 4 is no longer supported. You *really* need to upgrade.

> <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>            port="8443" minProcessors="5" maxProcessors="150"
>            enableLookups="true"
>            acceptCount="100" debug="0" scheme="https" secure="true"
>            useURIValidationHack="false" disableUploadTimeout="true">

Again, read the docs. If you must use Tomcat 4 (and that is a bad idea) you should not be using the Factory element.

>   <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>            keystoreFile=".keystore" keystorePass="mypass"
>            clientAuth="false" protocol="TLS" />
> </Connector>
>
> this is the portion of server.xml. I have enabled ssl.
>
> still there are some vulnerabilities as informed by support team. They say
> that tomcat is configured to access without authentication.
>
> 1. is it true?

Maybe.

> 2. How can we confirm if the tomcat SSL is configured using any algorithm to
> authenticate or “none”.

With clientAuth="false" authentication will be controlled by your app's web.xml.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
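The scanner finding above is about anonymous cipher suites, not about clientAuth: with an anonymous Diffie-Hellman suite the server sends no certificate and proves nothing about its identity, so anyone on the path can sit in the middle. Tomcat's JSSE connector works with the Java cipher-suite names, in which those suites carry "_anon_" (TLS_DH_anon_*, SSL_DH_anon_*, TLS_ECDH_anon_*). The script below is an added example for this thread, not Tomcat code and not the poster's configuration: it audits a suite list for anonymous and null-encryption suites, renders the survivors as a value for the Connector `ciphers` attribute (an attribute of the JSSE Connector in Tomcat 5.5 and later; whether the Tomcat 4 Factory element honours it is an assumption not checked here), and reads the configured list back out of a server.xml fragment. The suite list and the server.xml fragments are constructed for the example.

```python
"""Audit a JSSE cipher-suite list for anonymous (unauthenticated) suites.

Added example for this mailing-list thread; it is not Tomcat code and not the
original poster's configuration. Suite names follow the Java (JSSE) naming
that Tomcat's JSSE connector uses.
"""
import re
import xml.etree.ElementTree as ET

# Anonymous DH / ECDH suites: no server certificate, no server authentication.
ANON_RE = re.compile(r"^(TLS|SSL)_(DH|ECDH)_anon_")
# Suites that authenticate but do not encrypt; scanners flag these separately.
NULL_ENC_RE = re.compile(r"_WITH_NULL_")


def is_anonymous(suite):
    """True for suites with no server authentication (the scanner's 'none')."""
    return ANON_RE.match(suite) is not None


def is_null_encryption(suite):
    """True for suites whose bulk cipher is NULL (plaintext on the wire)."""
    return NULL_ENC_RE.search(suite) is not None


def audit(suites):
    """Split a suite list into the ones to keep and the ones to reject.

    Returns (kept, rejected) where rejected maps suite name -> reason.
    """
    kept, rejected = [], {}
    for suite in suites:
        if is_anonymous(suite):
            rejected[suite] = "anonymous: no server authentication"
        elif is_null_encryption(suite):
            rejected[suite] = "null encryption"
        else:
            kept.append(suite)
    return kept, rejected


def tomcat_ciphers_attribute(suites):
    """Value for the Connector 'ciphers' attribute: only the audited suites.

    Assumption: the comma-separated form used by the Tomcat 5.5+ JSSE
    Connector; Tomcat 4's Factory element is not covered by this example.
    """
    kept, _ = audit(suites)
    return ",".join(kept)


def configured_ciphers(server_xml):
    """Cipher list of the first secure Connector in a server.xml string.

    Returns None when no 'ciphers' attribute is set, i.e. the JVM's default
    enabled suites apply and server.xml alone cannot answer the question.
    """
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("secure") == "true":
            value = conn.get("ciphers")
            return [c.strip() for c in value.split(",") if c.strip()] if value else None
    return None


# Constructed sample: the kind of list SSLServerSocket.getSupportedCipherSuites()
# returns on an old JDK. Illustrative only, not captured from a real host.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "SSL_DH_anon_WITH_RC4_128_MD5",
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_NULL_SHA",
]

# Constructed server.xml fragments (assumed layout): the weak one pins an
# anonymous suite in, the other leaves the JVM defaults in charge.
WEAK_CONNECTOR = (
    '<Server><Service><Connector port="8443" scheme="https" secure="true" '
    'ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA"/>'
    "</Service></Server>"
)
DEFAULT_CONNECTOR = '<Server><Service><Connector port="8443" scheme="https" secure="true"/></Service></Server>'


if __name__ == "__main__":
    kept, rejected = audit(SAMPLE_SUITES)
    for suite, reason in rejected.items():
        print("REJECT %-40s %s" % (suite, reason))
    print('ciphers="%s"' % tomcat_ciphers_attribute(SAMPLE_SUITES))
    print("weak server.xml offers anonymous suite:",
          any(is_anonymous(s) for s in configured_ciphers(WEAK_CONNECTOR)))
    print("default server.xml cipher list:", configured_ciphers(DEFAULT_CONNECTOR))
```

Because a connector without a `ciphers` attribute takes whatever the JVM enables by default, the configuration file alone cannot prove the finding false; confirm against the running server from another host with `openssl s_client -connect host:8443 -cipher aNULL`. A completed handshake means an anonymous suite is accepted; a handshake failure means none is.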