RE: Appscan Issues

2016-04-10 Thread dkumar
Dear Amith,





Thanks... I will be more detailed.
We don't use Apache HTTPD or nginx. It's just tomcat7. Below is my 
connector configuration.

  



Regards,
Amith

Can you use sslEnabledProtocols="TLSv1.2,TLSv1.1" SSLEnabled="true" in 
connector tag as below.
  

Thanks and Regards
Deepak

-----Original Message-----
From: Olaf Kock [mailto:tom...@olafkock.de] 
Sent: Friday, April 08, 2016 9:29 AM
To: users@tomcat.apache.org
Subject: Re: Appscan Issues



On 08.04.2016 at 15:17, Kikkeri, Amith wrote:
> Hi,
> Appscan was performed on our application and 2 issues were encountered. 
> Could anyone please let me know how to resolve these issues? We use 
> tomcat7.
>
> Browser Exploit Against SSL/TLS (a.k.a. BEAST)
> RC4 cipher suites were detected
> (Remove support of SSLv3/TLS1.0 cipher suites with CBC.)
Sure. Remove SSL support.

Seriously: With the level of information that you give, what's the level 
of detail that you expect back?

Are you using tomcat only? Do you front it with Apache httpd? nginx? Any 
loadbalancer or SSL-Terminator (pardon the use of SSL here)? If you only 
have tomcat, what's the configuration of your https connector? Which of 
the options that are documented in the connector's documentation (
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support or 
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html among others) do 
you need help with?

Olaf

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




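Added example, not part of the original thread and not any poster's code: the connector XML in the messages above did not survive, so this sketch audits a constructed Tomcat 7 server.xml for the two AppScan findings (SSLv3/TLS 1.0, which BEAST depends on, and RC4 suites). The port, the cipher list and the function names are assumptions; the hardened cipher names assume a JVM that supports them.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (assumed values; the poster's own
# connector configuration is not on the page).
WEAK = """<Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS"/>
</Service>"""

HARDENED = """<Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="false"
             sslEnabledProtocols="TLSv1.2,TLSv1.1"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"/>
</Service>"""

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1"}  # BEAST applies to TLS 1.0 and older

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def audit_connectors(server_xml):
    """Return (port, finding) tuples for every TLS-enabled Connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector, nothing to audit
        port = conn.get("port", "?")
        protocols = conn.get("sslEnabledProtocols")
        ciphers = conn.get("ciphers")
        if protocols is None:
            # No explicit list: whatever the JVM enables by default is offered.
            findings.append((port, "sslEnabledProtocols unset: JVM defaults apply"))
        else:
            for proto in split_list(protocols):
                if proto in LEGACY_PROTOCOLS:
                    findings.append((port, "legacy protocol enabled: " + proto))
        if ciphers is None:
            findings.append((port, "ciphers unset: JVM defaults apply"))
        else:
            for suite in split_list(ciphers):
                if "_RC4_" in suite:
                    findings.append((port, "RC4 suite enabled: " + suite))
    return findings

if __name__ == "__main__":
    for name, xml in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_connectors(xml))
```

An empty result only means the file no longer requests the flagged settings; re-running the scan against the restarted connector confirms what is actually negotiated.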
Re: Tomcat Windows Services issue

2016-04-10 Thread Christopher Schultz
Saurav,

On 4/7/16 11:24 AM, Saurav Maulick wrote:
> On Thu, Apr 7, 2016 at 6:11 AM, André Warnier (tomcat)
>  wrote:
> 
>> On 07.04.2016 00:14, Saurav Maulick wrote:
>> 
>>> Hi All,
>>> 
>>> I am using tomcat 5.5.28.
>>> 
>> 
>> Before anything else, you do realise that Tomcat 5.5 was archived
>> in 2012, do you ? And that the people developing Tomcat, as well
>> as the experts available on this users list, are volunteers who
>> do this on their own time ?
>> 
>> The current released version is Tomcat 8.0.33.
>> 
>> I am pointing this out, to stress the fact that not many people
>> here - if any - would even still have a running version of Tomcat
>> 5.5 (and java 1.4), where they could even start looking at your
>> issue.
>> 
>> I would suggest that you first update to a more recent version of
>> Tomcat (and Java), and retry it all, to see if the problem still
>> exists. Look here : http://tomcat.apache.org/whichversion.html
>> 
>> 
> I know that current Tomcat version is 8.0.33, but upgrading tomcat
> is not possible for our application as our application code is not
> Java 1.7 comparable and updating code involves lots of time and
> money.

I've rarely seen an application that didn't compile with few or zero
changes with an updated version of Java. Same thing with the servlet
spec (although some questionable decisions from the servlet EG lead to
slightly different behavior).

Have you simply tried deploying your existing web application on
Tomcat 6, 7, or even 8? It's practically free to try (just spending
your own time), so why not give it a try? Tomcat 5.5 and the JVM you
are likely running it on have publicly-known vulnerabilities and
weaknesses and missing features that are likely making its continued
use a risk for both you and your clients.

> On the internet I didn't find much help about creating windows 
> services (apart from 
> https://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html)
>  hence I request in this forum. Also, I believe below settings are 
> same for all the Tomcat versions.

Yes, the settings are the same for (almost) all Tomcat versions.

> I have a problem, when we run the tomcat's node from console it is
> working fine, but when we run it from windows services we have
> found that application is not able to handle UTF8 encoding.

Specifically, what does "not able to handle UTF8 encoding" mean in
your case? The JVM handles the actual encoding, and it does a pretty
good job. What is it that's not working?

-chris