Mark -
For Steve to switch to the APR/native connectors, all he needs to do in this 
config is download the native libraries and restart, correct?  Oh and make sure 
the following line is in the server.xml file to start the APR lifecycle 
listener.
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />

Steve, you can download the latest APR lib from the Tomcat website.  Follow the 
"Tomcat Native" link and get the one for your environment.
Jeff

-----Original Message-----
From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com] 
Sent: Tuesday, January 19, 2010 9:08 AM
To: Tomcat Users List
Subject: Re: SSLv3/TLS man-in-middle vulnerability

Mark,
Our JRE is 1.6.0_17.
Below are server.xml entries for connectors minus security tag values.
Please suggest changes. Is that all I have to do before Security runs
another HP scan?
Thanks
  <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
  <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
             minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
             disableUploadTimeout="true" acceptCount="100" scheme="https"
             secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="xxx" keystorePass="xxx" keystoreType="PKCS12" />
  <!-- Define an AJP 1.3 Connector on port 8009 -->
  <Connector port="8009" enableLookups="false" redirectPort="8443"
             protocol="AJP/1.3" />
  <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
  <!-- See proxy documentation for more information about using this. -->
  <!--
  <Connector port="8082"
             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" acceptCount="100" connectionTimeout="20000"
             proxyPort="80" disableUploadTimeout="true" />
  -->



Steve Johnson (619) 237-8315





                                                                           
From: Mark Thomas <ma...@apache.org>
Sent: 01/19/2010 06:48 AM
To: Tomcat Users List <users@tomcat.apache.org>
Please respond to: "Tomcat Users List" <us...@tomcat.apache.org>
Subject: Re: SSLv3/TLS man-in-middle vulnerability
                                                                           
                                                                           
                                                                           







On 19/01/2010 02:31, Steve G. Johnson wrote:
> Mark,
> Since we do not know how to "switch connectors", or install OpenSSL, and do
> not have JDK on the server (only JRE 1.6.0_17), then I suppose the best bet
> is to wait until Tomcat is fixed ("coming soon").

You can replace JDK with JRE in what I wrote previously. Switching from BIO to
NIO is a simple change to server.xml, if you are interested.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
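
An added example, not part of the thread and not Tomcat project code: a Python check that reports which connector implementation (BIO, NIO or APR) each active TLS connector in a server.xml would use, which is the question behind the advice in the messages above. It assumes Tomcat 6 connector class names and the auto-selection Tomcat 6 applies to protocol="HTTP/1.1"; the sample input is constructed from the connectors Steve posted, and `audit` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
# Explicit connector classes (Tomcat 6 names, assumed); "HTTP/1.1" auto-selects.
EXPLICIT = {
    "org.apache.coyote.http11.Http11Protocol": "BIO",
    "org.apache.coyote.http11.Http11NioProtocol": "NIO",
    "org.apache.coyote.http11.Http11AprProtocol": "APR",
}
# Constructed sample: the thread's connectors wrapped in a minimal <Server>.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="xxx" keystorePass="xxx" keystoreType="PKCS12" />
  <Connector port="8009" redirectPort="8443" protocol="AJP/1.3" />
  <!-- <Connector port="8082" proxyPort="80" /> -->
</Service></Server>"""


def audit(server_xml):
    """Return one dict per active TLS <Connector>: port, impl, notes."""
    root = ET.fromstring(server_xml)  # commented-out connectors are dropped
    has_apr = any(l.get("className") == APR_LISTENER
                  for l in root.iter("Listener"))
    report = []
    for conn in root.iter("Connector"):
        attrs = conn.attrib
        is_tls = (attrs.get("SSLEnabled", "").lower() == "true"
                  or "sslProtocol" in attrs or "keystoreFile" in attrs)
        if not is_tls:
            continue  # e.g. the AJP connector on 8009
        proto = attrs.get("protocol", "HTTP/1.1")
        if proto in EXPLICIT:
            impl = EXPLICIT[proto]
        elif proto != "HTTP/1.1":
            impl = proto  # unrecognised class name: report it as written
        elif has_apr:
            impl = "APR if native library loads, else BIO"
        else:
            impl = "BIO"
        notes = []
        if "APR" in impl and "keystoreFile" in attrs:
            notes.append("APR reads SSLCertificateFile/SSLCertificateKeyFile, "
                         "not keystoreFile")
        report.append({"port": attrs.get("port"), "impl": impl, "notes": notes})
    return report


if __name__ == "__main__":
    print(audit(SAMPLE))
```
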



