sunil chandran wrote:
> Hello all,
> I found this issue from support team:
> THREAT:
> The Secure Socket Layer (SSL) protocol allows for secure communication between a client
> and a server. The client usually authenticates the server using an algorithm like
> RSA or DSS. Some SSL ciphers allow SSL communication without authentication.
> Most common Web browsers like Microsoft Internet Explorer, Netscape and Mozilla
> do not use anonymous authentication ciphers by default.
> A vulnerability exists in SSL communications when clients are allowed to connect
> using no authentication algorithm. SSL client-server communication may use several
> different types of authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is
> used, the communications are vulnerable to a man-in-the-middle attack.
> IMPACT:
> An attacker can exploit this vulnerability to impersonate your server to clients.

It would have saved a lot of time if you had quoted the CVE reference
for this issue. It is CVE-2007-1858.

> SOLUTION:
> Disable support for anonymous authentication
> Please tell me what exactly I must do in tomcat 4 to avoid this ssl
> vulnerabilities.
> Please help.

Again, *Tomcat 4 is no longer supported - you REALLY need to upgrade*.

If you insist on continuing to use Tomcat 4 then as per
http://tomcat.apache.org/security-4.html you need to upgrade to 4.1.32
or later to avoid this issue.

Given that there are other, arguably more serious vulnerabilities, still
present in 4.1.32 if you must stay on 4.1.x then you should upgrade to
4.1.40.

Mark

> regards, Sunil C
> 
> --- On Tue, 4/8/09, Mark Thomas <ma...@apache.org> wrote:
> 
> From: Mark Thomas <ma...@apache.org>
> Subject: Re: avoiding ssl vulnerabilities in tomcat
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Date: Tuesday, 4 August, 2009, 9:39 PM
> 
> sunil chandran wrote:
>> Hello sir,
>>   
>> I am sorry. I am using tomcat 4
> 
> Tomcat 4 is no longer supported. You *really* need to upgrade.
> 
>>   <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>>      <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>>                 port="8443" minProcessors="5" maxProcessors="150"
>>                 enableLookups="true"
>>                 acceptCount="100" debug="0" scheme="https" secure="true"
>>                 useURIValidationHack="false" disableUploadTimeout="true">
> 
> Again, read the docs. If you must use Tomcat 4 (and that is a bad idea)
> you should not be using the Factory element.
> 
>>        <Factory 
>> className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>>                 keystoreFile=".keystore" keystorePass="mypass"
>>                 clientAuth="false" protocol="TLS" />
>>      </Connector>
>>
>> this is the portion of server.xml. I have enabled ssl.
>>   
>> still there is some vulnerabilities as informed by support team. They say 
>> that tomcat is configured to access without authentication. 
>>   
>> 1. is it true?
> 
> Maybe.
> 
>> 2. How can we confirm if the tomcat SSL is configured using any algorithm to 
>> authenticate or "none".
> 
> With clientAuth="false" authentication will be controlled by your app's
> web.xml.
> 
> Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
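The support team's finding, and Sunil's question 2 above (how to tell whether the listener will talk TLS with "none" as the authentication algorithm), can be checked from the client side without reading server.xml at all: offer the server only anonymous cipher suites and see whether it completes the handshake. The script below is an added example, not code from this thread or from the Tomcat project; it assumes an `openssl` binary on PATH (1.1.0 or later for the `@SECLEVEL=0` syntax) and invents the hostname `tomcat.example.internal` purely for the usage comment. The sample outputs are constructed to match the shape `openssl s_client` prints, not real captures.

```shell
#!/bin/sh
# Probe a TLS endpoint for anonymous (aNULL) cipher suites, the weakness behind
# CVE-2007-1858, and classify the result. Added example, not Tomcat project code.

# Live probe: offer ONLY anonymous suites (ADH/AECDH). If the server completes
# the handshake, it accepts unauthenticated TLS and a man in the middle can
# impersonate it. Modern OpenSSL refuses aNULL at its default security level,
# hence @SECLEVEL=0 on the client side. TLS 1.3 has no anonymous suites, so the
# probe pins TLS 1.2 (adjust for a server that only speaks older versions).
probe_anon_ciphers() {
    host="$1"
    port="${2:-8443}"
    openssl s_client -connect "$host:$port" -tls1_2 \
        -cipher 'aNULL:@SECLEVEL=0' </dev/null 2>&1
}

# Classify captured s_client output:
#   VULNERABLE - an anonymous suite was negotiated
#   OK         - no cipher was agreed (server rejected the offer)
#   UNKNOWN    - no handshake summary at all (e.g. connection refused)
classify_anon_probe() {
    if printf '%s\n' "$1" | grep -Eq 'Cipher is (ADH|AECDH)-'; then
        echo VULNERABLE
    elif printf '%s\n' "$1" | grep -Eq 'Cipher is \(NONE\)'; then
        echo OK
    else
        echo UNKNOWN
    fi
}

# Constructed sample outputs (not real captures) in the shape openssl prints.
SAMPLE_ANON_ACCEPTED='CONNECTED(00000003)
---
no peer certificate available
---
New, TLSv1.2, Cipher is ADH-AES256-GCM-SHA384
Secure Renegotiation IS supported
---'

SAMPLE_ANON_REFUSED='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
---'

SAMPLE_NO_CONNECT='connect: Connection refused
connect:errno=111'

# Stand-alone demo over the constructed samples. For a real check run:
#   classify_anon_probe "$(probe_anon_ciphers tomcat.example.internal 8443)"
for s in "$SAMPLE_ANON_ACCEPTED" "$SAMPLE_ANON_REFUSED" "$SAMPLE_NO_CONNECT"; do
    classify_anon_probe "$s"
done
```

Run the probe before and after the upgrade Mark recommends: a server that is fixed answers the aNULL-only offer with a handshake failure (OK), while a vulnerable one prints an `ADH-` or `AECDH-` cipher and "no peer certificate available", which is exactly the "none" authentication case the scanner describes. Note that `clientAuth="false"` in the Factory element is about whether the *client* presents a certificate and has no bearing on this finding.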
