Mark,
Our JRE is 1.6.0_17.
Below are server.xml entries for connectors minus security tag values.
Please suggest changes. Is that all I have to do before Security runs
another HP scan?
Thanks
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
           minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
           disableUploadTimeout="true" acceptCount="100" scheme="https"
           secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="xxx" keystorePass="xxx" keystoreType="PKCS12" />

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" enableLookups="false" redirectPort="8443"
           protocol="AJP/1.3" />

<!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
<!-- See proxy documentation for more information about using this. -->
<!--
<Connector port="8082"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" acceptCount="100" connectionTimeout="20000"
           proxyPort="80" disableUploadTimeout="true" />
-->



Steve Johnson (619) 237-8315





                                                                       
From: Mark Thomas <ma...@apache.org>
Date: 01/19/2010 06:48 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: SSLv3/TLS man-in-middle vulnerability
Please respond to: "Tomcat Users List" <us...@tomcat.apache.org>
                                                                       
                                                                       
                                                                       







On 19/01/2010 02:31, Steve G. Johnson wrote:
> Mark,
> Since we do not know how to "switch connectors", or install OpenSSL, and do
> not have JDK on the server (only JRE 1.6.0_17), then I suppose the best bet
> is to wait until Tomcat is fixed ("coming soon").

You can replace JDK with JRE in what I wrote previously. Switching from BIO to
NIO is a simple change to server.xml, if you are interested.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



