Re: avoiding ssl vulnerabilities in tomcat

2009-09-10 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sunil, On 9/7/2009 10:18 AM, sunil chandran wrote: > Hello all, > As per the suggestion from tomcat forum users,I went ahead and installed > tomcat4.1.40 > Then i copied the original webapps file from the back up tomcat (old version). > I tried to st

Re: avoiding ssl vulnerabilities in tomcat

2009-09-08 Thread Mark Thomas
sunil chandran wrote: > Hello all, > As per the suggestion from tomcat forum users,I went ahead and installed > tomcat4.1.40 > Then i copied the original webapps file from the back up tomcat (old version). > I tried to start the server. It shows this error > Sep 7, 2009 10:13:11 PM org.apache.coyo

Re: avoiding ssl vulnerabilities in tomcat

2009-09-08 Thread sunil chandran
: avoiding ssl vulnerabilities in tomcat To: "Tomcat Users List" Date: Friday, 14 August, 2009, 7:55 PM -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sunil, On 8/13/2009 1:11 AM, sunil chandran wrote: > Now installing tomcat 4.1.40 what all changes will be required in my sevice.. >

Re: avoiding ssl vulnerabilities in tomcat

2009-09-07 Thread sunil chandran
: avoiding ssl vulnerabilities in tomcat To: "Tomcat Users List" Date: Friday, 14 August, 2009, 7:55 PM -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sunil, On 8/13/2009 1:11 AM, sunil chandran wrote: > Now installing tomcat 4.1.40 what all changes will be required in my sevice.. >

Re: avoiding ssl vulnerabilities in tomcat

2009-08-14 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sunil, On 8/13/2009 1:11 AM, sunil chandran wrote: > Now installing tomcat 4.1.40 what all changes will be required in my sevice.. > > no change in application? You are very unlikely to require any webapp changes. > maybe installation and configura

RE: avoiding ssl vulnerabilities in tomcat

2009-08-13 Thread George Sexton
August 13, 2009 11:20 AM > To: Tomcat Users List > Subject: Re: avoiding ssl vulnerabilities in tomcat > > sunil, > > please read this : http://slash7.com/pages/vampires > > - > To unsubscribe, e-mail: u

Re: avoiding ssl vulnerabilities in tomcat

2009-08-13 Thread André Warnier
sunil, please read this : http://slash7.com/pages/vampires - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org

Re: avoiding ssl vulnerabilities in tomcat

2009-08-13 Thread Pid
investing in some Tomcat training/books/tutorials. p --- On Wed, 12/8/09, Christopher Schultz wrote: From: Christopher Schultz Subject: Re: avoiding ssl vulnerabilities in tomcat To: "Tomcat Users List" Date: Wednesday, 12 August, 2009, 8:15 PM -BEGIN PGP SIGNED MESSAGE- Hash: S

Re: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread sunil chandran
. Can you please tell me what you mean by improving patch level. How should i install tomcat 4.1.40 on tomcat 4.1.24? is it sperate installation or patch? Please help me --- On Wed, 12/8/09, Christopher Schultz wrote: From: Christopher Schultz Subject: Re: avoiding ssl vulnerabilities in tomcat

Re: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread sunil chandran
and configuration changes will be needed? change needed in logging? should i stop the tomcat 4 service running and then install this new tomcat 4.1.40? Please help --- On Wed, 12/8/09, Christopher Schultz wrote: From: Christopher Schultz Subject: Re: avoiding ssl vulnerabilities in tomcat To

RE: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread Jeffrey Janner
Chris - (I just did a reply in Outlook and this is how it got packaged. Didn't look that way to me, but got it that way on the send-back. Either Exchange or my email filter - which adds the confidentialiy footer - did this.) I figured it was only with the regular. Just wanted a clarification i

RE: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread Martin Gainty
et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité pour le contenu fourni. Subject: RE: avoiding ssl vulnerabilities in tomcat Date: Wed, 12 Aug 200

Re: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jeff, (Strange... to me, your message looked like an attachment to the security notice that would typically be put at the end of a message. When I tried to reply to that, all the characters got all wonky. At least coy-paste still works :) On 8/12/200

RE: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread Jeffrey Janner
e APR/OpenSSL connector. Correct? Jeff -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, August 12, 2009 9:46 AM To: Tomcat Users List Subject: Re: avoiding ssl vulnerabilities in tomcat -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sunil

Re: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sunil, On 8/12/2009 3:12 AM, sunil chandran wrote: > The issue is SSL vulnerability. from the responses, i understood that > i need to upgrade to tomcat latest version. As per the team, it is > recommended to go for Tomcat 5 in our environment. With

RE: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread Caldarale, Charles R
> From: sunil chandran [mailto:sunilonweb2...@yahoo.co.in] > Subject: Re: avoiding ssl vulnerabilities in tomcat > > As per the team, it is recommended to go for Tomcat 5 > in our environment. Why would you waste your time with Tomcat 5? If you're going to upgrade from 4,

Re: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread Mark Thomas
ny modifications you need. Be aware that > the config has changed in particular: > - the element is no longer used > - Resource configuration has changed > > See the docs for the details. > > Mark > > > >> >> >> >> --- On Mon, 10/8/09, Caldar

Re: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread sunil chandran
version?Do i need to perform some additional stuff to avoid this vulnerability?Any modification to be done in server.xml file to avoid the SSL vulnerability regardsSunil C --- On Tue, 11/8/09, Mark Thomas wrote: From: Mark Thomas Subject: Re: avoiding ssl vulnerabilities in tomcat To: "Tomcat

Re: avoiding ssl vulnerabilities in tomcat

2009-08-11 Thread Mark Thomas
; > --- On Mon, 10/8/09, Caldarale, Charles R wrote: > > > From: Caldarale, Charles R > Subject: RE: avoiding ssl vulnerabilities in tomcat > To: "Tomcat Users List" > Date: Monday, 10 August, 2009, 7:10 PM > > >> From: sunil chandran [mailto:sunilonw

RE: avoiding ssl vulnerabilities in tomcat

2009-08-11 Thread sunil chandran
Hello all,   OK i will upgrade. But what all changes required to update to tomcat 5. what all changes reuired to upgrade to tomcat 4.1.40     --- On Mon, 10/8/09, Caldarale, Charles R wrote: From: Caldarale, Charles R Subject: RE: avoiding ssl vulnerabilities in tomcat To: "Tomcat Users

RE: avoiding ssl vulnerabilities in tomcat

2009-08-10 Thread Caldarale, Charles R
> From: sunil chandran [mailto:sunilonweb2...@yahoo.co.in] > Subject: Re: avoiding ssl vulnerabilities in tomcat > > Is there any patch provided so that i can still use the same version > 4.1.24 itself. No, you *must* upgrade. Your reluctance to do so borders on the ridiculous.

Re: avoiding ssl vulnerabilities in tomcat

2009-08-10 Thread sunil chandran
: Mark Thomas Subject: Re: avoiding ssl vulnerabilities in tomcat To: "Tomcat Users List" Date: Monday, 10 August, 2009, 3:37 PM sunil chandran wrote: > Hello all, > I found this issue form support team: > THREAT: > The Secure > Socket Layer (SSL) protocol allows for sec

Re: avoiding ssl vulnerabilities in tomcat

2009-08-10 Thread Mark Thomas
u need to upgrade to 4.1.32 or later to avoid this issue. Given that there are other, arguably more serious vulnerabilities, still present in 4.1.32 if you must stay on 4.1.x then you should upgrade to 4.1.40. Mark > regardsSunil C > > --- On Tue, 4/8/09, Mark Thomas wrote: > > Fr

Re: avoiding ssl vulnerabilities in tomcat

2009-08-10 Thread sunil chandran
le support for anonymous authentication Please tell me what exactly i must do in tomcat 4 to avoid this ssl vulnerabilties. Please help. regardsSunil C --- On Tue, 4/8/09, Mark Thomas wrote: From: Mark Thomas Subject: Re: avoiding ssl vulnerabilities in tomcat To: "Tomcat Users List"

Re: avoiding ssl vulnerabilities in tomcat

2009-08-04 Thread Mark Thomas
sunil chandran wrote: > Hello sir, > > I am sorry. I am using tomcat 4 Tomcat 4 is no longer supported. You *really* need to upgrade. > > port="8443" minProcessors="5" maxProcessors="150" >enableLookups="true" >acceptCount="100" debug="0" sc

Re: avoiding ssl vulnerabilities in tomcat

2009-08-04 Thread David Smith
; > > > this is the portion of server.xml. I have anabled ssl. > > still there is some vulnerabilities as informed by supprot team. They say > that tomcat is configured to access without authentication. > > 1. is it true? > 2. How can we confirm if the tomca

Re: avoiding ssl vulnerabilities in tomcat

2009-08-04 Thread sunil chandran
  if the tomcat SSL is configure using any algorithm to authenticate or “none”.   please help me.   regards Sunil C     --- On Tue, 4/8/09, Mark Thomas wrote: From: Mark Thomas Subject: Re: avoiding ssl vulnerabilities in tomcat To: "Tomcat Users List" Date: Tuesday, 4 August, 200

Re: avoiding ssl vulnerabilities in tomcat

2009-08-04 Thread Mark Thomas
sunil chandran wrote: > there are some vulnerability existing on my server: > > SSL Server Allows Cleartext Communication Vulnerability > Can someone help me identify the place in server.xml file to avoid these > vulnerabilties. You didn't say which Tomcat version so I am going to assume 6.