• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Whether tomcat version 6.0.x/7.0.x uses SHA-1 or not?

 
Greenhorn
Posts: 22
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Can anyone please let me know ,whether tomcat version 6.0.x/7.0.x uses SHA-1 or not?
If uses then how and for which purpose?
 
Rancher
Posts: 43081
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I don't know one way or the other (and am curious what prompted this question), but the fastest way to find out is probably to download the source code, and then search for "SHA1" and "SHA-1" in it.
 
Sehgal Mohit
Greenhorn
Posts: 22
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Ulf Dittmer wrote:I don't know one way or the other (and am curious what prompted this question), but the fastest way to find out is probably to download the source code, and then search for "SHA1" and "SHA-1" in it.



Due to the reason mentioned on the below URL:
http://windowsitpro.com/security/your-organization-using-sha-1-ssl-certificates


Can you please tell me the way by which i can search the same in tomcat source code(i mean any configuration files of tomcat)?
 
Ulf Dittmer
Rancher
Posts: 43081
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
What does that have to do with Tomcat? The user supplies SSL certificates; Tomcat doesn't care whether they're secure or not, it just serves them to the client.
 
Sehgal Mohit
Greenhorn
Posts: 22
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Ulf Dittmer wrote:What does that have to do with Tomcat? The user supplies SSL certificates; Tomcat doesn't care whether they're secure or not, it just serves them to the client.



Yes i know that basically handle or taken care at browser side,but for investigation point of view,i just want to know Web server(tomcat) certificate using this SHA-1 or not somewhere in its configuration files?
 
Ulf Dittmer
Rancher
Posts: 43081
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You missed my point. Tomcat (or whatever other web server is used) has nothing to do with whether SHA-1 is used or not - that is a feature of the certificate. If you do not want to use a SHA-1 certificate (which is wise) then you need to get one created with SHA-2.
 
Sehgal Mohit
Greenhorn
Posts: 22
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Sorry:)

OK,I understood your point,but can you please elaborate be more whether certificate is provided by browser side only(Am i right)?

Is SHA-1 is some how interrelated to tomcat(or any web server or not) or only it is used at browser side only?
 
Ulf Dittmer
Rancher
Posts: 43081
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The certificate is installed in (and subsequently served by) the server and used by the browser. That's why browser makers have leverage over whether to consider certificates secure or not. It is created and/or installed by the server admin.
 
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The ultimate definer of the available encryption protocols available to Tomcat is the JVM that Tomcat runs in, because unless I've forgotten something, Tomcat uses the standard JVM encryption services, not adding its own.

From that set of available services, you can customize what protocols Tomcat will participate in by setting the desired algorithm list in the HTTPS Tomcat Connector element in server.xml.

There are also ways you can check the negotiation process to see what Tomcat's offering, but I'd have to dig for that info. I think some web clients have the ability to display it.
 
The two armies met. But instead of battle, they decided to eat some pie and contemplate this tiny ad:
a bit of art, as a gift, the permaculture playing cards
https://gardener-gift.com
reply
    Bookmark Topic Watch Topic
  • New Topic