Posted to users@tomcat.apache.org by Richard Troy <rt...@ScienceTools.com> on 2001/11/15 20:57:43 UTC

Tc 3.2.3 & SSL/HTTPS config (fwd)

Date: Wed, 17 Oct 2001 16:19:06 -0700 (PDT)
From: Richard Troy <rt...@sciencetools.com>
Reply-To: tomcat-user@jakarta.apache.org
To: Tomcat-user <to...@jakarta.apache.org>
Subject: Tc 3.2.3 & SSL/HTTPS config

----- Message Text -----

Hi All,

I've got an older Tomcat 3.2.2 installation that's apparently fully
functional (haven't tried servlets/JSP yet) and I've just set up a new
Tomcat 3.2.3 installation. Both installations serve their pages just fine.
...I realize that someone might tell me to go talk to another group
regarding these topics but I'm posting here because this audience has to
_use_ these tools whereas these questions would be lost on other groups
(like JRE)...

I'd like to get some more insight related to certificates and encryption
strength:

1) When I connect to my new 3.2.3 installation and have my certificate
read, it reports to the browser that during a "Certificate Name Check" the
certificate presented does not contain the correct site name. I'd like to
know how to avoid this warning message. I also note that I don't get this
message when I connect to my older 3.2.2 installation, yet the keys were
created (more or less) the same way (see below). Ideas?

2) Additionally, the new 3.2.3 installation reports that its certificate
uses "Export Grade (RC4-Export with 40-bit secret key)". After a second
look, so does the older 3.2.2 installation. I'm not too worried about the
encryption of the certificate, but this brought up an interesting question
for which I don't know where to look: what's the actual encryption used
for communications? I'm a Netscape fan, and eschew IE, and for various
reasons I only use Netscape 4.7 - it doesn't tell me what the
communications algorithm or strength is. Any clues where I find this out?
(I saw that Tomcat with JSSE has a LOT of choices...) Does the Tomcat
server automatically pick the highest strength encryption available with
the connecting client? I haven't seen anything on this anywhere and I
have looked... What gets me thinking here is that I downloaded the full
strength US versions in every case. If it's going to only use export 40
bit, what's the point and where's that stronger encryption?

Certificate details: In installing Tomcat 3.2.2 I ran into a "bug" in that
the certificate generator 'keytool' from the JRE in my environ apparently
didn't include RSA support. (java version "1.2.2" Solaris VM - build
Solaris_JDK_1.2.2_06, native threads, sunwjit). So, I loaded version
1.3.1 of the Java2 runtime environment and the keytool from that works
fine. There should be some different flags for specifying what grade
of key gets generated in each case - I haven't found them yet. ...On my
new 3.2.3 installation, I ran the keytool that came with Java 1.3.0. The
certificate served by the 3.2.3 installation reports a bad certificate
name check, and the one from JRE 1.3.1 doesn't...

Minor, unrelated point: "${TOMCAT_HOME}/bin/tomcat.sh" doesn't seem
to work properly on my RedHat 6.2 box. On one occasion it crashed the
shell I was in when I accidentally ran start twice. I suppose it
could be unrelated but nothing else died. -shrug- I'm not spending any
time on that one. -smile-

Thanks for your comments,
Richard

-- 
Richard Troy, Chief Scientist
Science Tools Corporation
rtroy@ScienceTools.com, 510-567-9957, http://ScienceTools.com/
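As an added example (not from the original post, and not Tomcat or JSSE code), a small Python probe that answers the "where do I find this out" questions above from the client side: it connects to an HTTPS port, reports the protocol and cipher suite that were actually negotiated, flags export-grade suites, and performs the same name check a browser does (the subject CN or a subjectAltName DNS entry must match the host typed). The hostnames, port and file names it uses are placeholders.

```python
import socket
import ssl

def cert_names(cert):
    """Names a client may match against: subject CN plus any subjectAltName
    DNS entries, in the dict layout that SSLSocket.getpeercert() returns."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names

def hostname_matches(cert, hostname):
    """The browser's 'Certificate Name Check': case-insensitive exact match,
    or a single leading '*.' wildcard that covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in cert_names(cert):
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            label, sep, rest = host.partition(".")
            if sep and label and rest == name[2:]:
                return True
    return False

def is_export_grade(suite):
    """True for 40/56-bit export suites in OpenSSL ("EXP-RC4-MD5") or
    JSSE ("SSL_RSA_EXPORT_WITH_RC4_40_MD5") naming."""
    s = suite.upper()
    return s.startswith("EXP-") or "_EXPORT_" in s

def probe(host, port=8443, cafile=None):
    """Connect over TLS and report what was really negotiated. Chain checking
    stays on (pass cafile= pointing at a self-signed server cert to trust it);
    only the automatic name check is off, so a mismatch is reported, not fatal."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            suite, version, bits = tls.cipher()   # e.g. ('TLS_AES_128_GCM_SHA256', 'TLSv1.3', 128)
            cert = tls.getpeercert()              # empty dict if the chain was not verified
    return {"protocol": version, "cipher_suite": suite, "key_bits": bits,
            "export_grade": is_export_grade(suite),
            "cert_names": cert_names(cert),
            "name_matches": hostname_matches(cert, host)}

if __name__ == "__main__":
    import sys
    # usage (placeholders): python probe.py myhost.example.com 8443 [server-cert.pem]
    print(probe(sys.argv[1], int(sys.argv[2]), *sys.argv[3:4]))
```

A "name_matches": False result with the CN you expected in "cert_names" is exactly the mismatch the browser warning describes; the fix is to regenerate the key pair with the CN set to the hostname clients type, not to suppress the check.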