According to the OWASP Web Application Penetration Checklist (available from www.owasp.org), a secure application server should:
* Ensure that supported SSL versions do not have cryptographic weaknesses. Typically, this means supporting SSL 3 and TLS 1.0 only.
* Ensure that the web server does not allow anonymous key exchange methods. Typically ADH Anonymous Diffie-Hellman.
* Ensure that weak algorithms are not available. Typically, algorithms such as RC2 and DES.
* Ensure the web site uses an appropriate length key. Most web sites should enforce 128 bit encryption.

How can we achieve all this (esp. with Tomcat 5.5)?

Paul Singleton
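One way to check a server's enabled cipher suites against the three cipher-related items in the checklist quoted above (anonymous key exchange, RC2/DES, keys under 128 bits). This is an added example, not part of the original message or of Tomcat. It assumes JSSE-style suite names, and the function names and sample list are constructed for illustration.

```python
import re

# Nominal key sizes for ciphers whose suite name carries no explicit bit count.
IMPLICIT_BITS = {"3DES_EDE": 168, "DES": 56, "DES40": 40, "NULL": 0}
WEAK_ALGORITHMS = {"RC2", "DES", "DES40"}  # RC2 and DES, as named by the checklist
MIN_KEY_BITS = 128                          # "128 bit encryption" from the checklist

SUITE_RE = re.compile(r"^(?:SSL|TLS)_(?P<kex>.+)_WITH_(?P<cipher>.+)_(?P<mac>[A-Z0-9]+)$")


def audit_suite(name):
    """Return the checklist findings for one JSSE-style cipher suite name."""
    m = SUITE_RE.match(name)
    if not m:
        return ["unrecognised suite name"]
    kex, cipher = m.group("kex"), m.group("cipher")
    tokens = cipher.split("_")
    algo = "3DES_EDE" if cipher.startswith("3DES_EDE") else tokens[0]
    # An explicit size appears as a numeric token (RC4_128, RC2_CBC_40, AES_256_CBC).
    explicit = [int(t) for t in tokens[1:] if t.isdigit()]
    bits = explicit[0] if explicit else IMPLICIT_BITS.get(algo)

    findings = []
    if "anon" in kex:
        findings.append("anonymous key exchange")
    if algo in WEAK_ALGORITHMS:
        findings.append("weak algorithm " + algo)
    if bits is None:
        findings.append("unknown key length")
    elif bits < MIN_KEY_BITS:
        findings.append("key length %d < %d bits" % (bits, MIN_KEY_BITS))
    return findings


def allowed_suites(names):
    """Keep only the suites with no findings, preserving order."""
    return [n for n in names if not audit_suite(n)]


# Constructed sample: suite names a server might report as enabled.
SAMPLE = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]

if __name__ == "__main__":
    for suite in SAMPLE:
        print(suite, "->", audit_suite(suite) or "ok")
    print("allow-list:", ",".join(allowed_suites(SAMPLE)))
```

The script applies only the criteria the quoted checklist names; it does not test protocol versions or judge algorithms the checklist does not mention.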