-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Jeffrey,
On 4/9/13 8:17 AM, Harris, Jeffrey E. wrote: > > >> -----Original Message----- From: André Warnier >> [mailto:a...@ice-sa.com] Sent: Tuesday, April 09, 2013 6:04 AM To: >> Tomcat Users List Subject: Re: Better SSL connector setup >> >> Christopher Schultz wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 >>> >>> Martin, >>> >>> On 4/8/13 8:25 PM, Martin Gainty wrote: >>>> Identification of keys and supported ciphers are an important >>>> for >> Key >>>> Exchange But before that happensThe certificates attributes >>>> are the only means the CA-Authority can verify the the name >>>> in the cert The certificate attributes should contain 1)1 and >>>> only 1 Hostname to contact 2)Identification information from >>>> a DN in LDAP or a suitably unique Name Service Server >>>> (ADS)allowing verification of client to a 'Name >>>> Service'http://docs.oracle.com/cd/E19575-01/820- >> 3885/gimog/index.html >>>> >>>> Allowing your cert to authenticate to n hosts invites 2n as >>>> many potential DOS attacks Not requiring DN would negate the >>>> CA-Authority ability to verify DN CN == SSL-Host. Think of >>>> online banking and clients need to circumvent forged sites as >>>> 'The official bank site' to send your money If you are FE >>>> with Apache you will want to configure in >>>> mod-sslhttp://www.modssl.org/ >>> >>> Yes, you definitely want to make sure to download and install >>> mod_ssl into your your Apache 1.3 install on your Windows NT >>> 3.5 server. All of your Netscape clients will be able to access >>> full 48-bit export encryption over a modern HTTP 0.9 >>> connection. >> >> And don't forget to check that your RS-232 dial-up modem can >> handle the increased baud-rate necessary for the SSL-encrypted >> data. >> > > You can improve the performance of the existing RS-232 modem pool > by doing some ROT-13 and Fourier transforms prior to data > encoding. However, this does require the equivalent capability on > the receiving side. - -1 Using ROT-13 can certainly improve the security of your data in-transit and *is* a NIST recommendation, but it unfortunately does not improve performance as it introduces an additional operation in the pipeline. As usual, real security is a trade-off between convenience (here, speed) and actual security (the superior cipher algorithm ROT-13). I believe recent versions of OpenSSL (0.9.1c?) include the new ROT13-XOR-MD2 cipher, but since it is optimized for 8-bit processors you need to make sure to have a modern CPU -- I recommend one of the "DX2" Intel processors. As for Fourier transforms, that's just security through obscurity (though it's pretty good obscurity). "Fast" Fourier transforms also work best with data sizes that are powers-of-two in length and so your throughput can experience odd pulsing behavior while your buffers fill waiting to be transformed. Unless you have one of the aforementioned "DX2" style processors coupled with a V.22bis-capable device, you are probably not going to be able to keep up with all the traffic your Gopher server is likely to generate. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJRZB84AAoJEBzwKT+lPKRY7+YQAJCHvqodBpuagJxRIR0aOr8m JJKSMyvyuiE1NFJ0Fk8X7l1yoR7MUNMmcLt7E79DZU3TaBzCxePNg68UGEOEg/u7 NDpXtBr48aYTCExszCTID1epkyu7K9HWL91KQvcCgSaReheFl8kKQg/kIXHJjpwK 4zShxZKhC7xFJ6sC92hptZkbw1a7dsgeVCE3hEWx4bOz9w5S/ejRgqyqEOgplPxg XW4JyJqyzwZjvYb9UUoWH3I7kKP5V/cuxmpzAhrXXHX/YjVcNx/pdCZSJ5bWGHXJ 20xoyhAYsSOogosYZQoRmY0IPCXVn+Ngyg8TZ3SqfXhSQAe7IPbPysp1uapGu2HR ZU0y8Xho4wlNK86Ffb4bc7g4ORgOkcZciN3YezhMNi2ipqrQ9awIWnPEewjmBUfe IgVVM0rliNgcMPRw6oe0iCnmd3kf1C2b5x+r6pFdOOdfxfYX0y919aOjywuhjqb9 Cf7cK5u9yL7qTgsr/qpoLQsMSfcVM81jPh3gISBgkwFH53rWKy/iGoMD62cA05HD 4oCyEgl7Q4SpuUq++eRIbQ/+G+2jHqX5yxpG9/0wBDbay+6qIQiWo14EZ/bYK491 YUFIXv97CbnLyGsisqB1TTo66p1psu7a3d1KLEx+0PhuZoZIGJ+/ZDQpa0aLnl0P P6ZA0lOSoifPXYnAjhGu =pYL0 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
