    deactivate SSL-connect without authentication

      Hi all,


      Does someone know how to deactivate the possibility to make an SSL-connection to the AppServer-host without authentication? At the customer we had a security scan, which reports the following:


      A vulnerability exists in SSL communications when clients are allowed to connect
      using no authentication algorithm. SSL client-server communication may use several different types of
      authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the
      communications are vulnerable to a man-in-the-middle attack.


      I have not the slightest idea where to configure this.




        • 1. Re: deactivate SSL-connect without authentication
          Bill Robinson

          Look in the admin guide for the x509 config, but I'm not sure if this will do what you want.


          I'm not sure if this is possible though - if you authenticate before the SSL connection is established, your credentials will be sent in the clear, right?  Or are you saying the client needs to authenticate the AppServer's cert?  There might be something we can do there w/ a proper CA cert and a pre-populated keystore on the client side.
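          As an added illustration (not from this thread, and not BladeLogic's own code or configuration): in OpenSSL terms the scanner's "none" authentication case is the aNULL family of cipher suites (ADH-*/AECDH-*), which a server-side cipher list should exclude, and the check below shows how to verify both a cipher string and a running server. It assumes the AppServer's cipher list is expressed as an OpenSSL-style cipher string; the host and port in the probe are placeholders.

```python
import socket
import ssl

# OpenSSL (ADH-, AECDH-) and IANA (DH_anon, ECDH_anon) names for anonymous suites.
ANON_PREFIXES = ("ADH-", "AECDH-", "DH-anon", "ECDH-anon")


def is_anonymous(cipher: dict) -> bool:
    """True when a suite (as returned by SSLContext.get_ciphers) does no server
    authentication, i.e. the 'none' case the scanner complains about."""
    auth = cipher.get("auth")  # reported on Python >= 3.6 built against OpenSSL >= 1.1
    if auth is not None:
        return auth == "auth-null"
    return cipher["name"].startswith(ANON_PREFIXES)  # fallback: classify by name


def anonymous_suites(cipher_string: str) -> list:
    """Names of the anonymous suites an OpenSSL cipher string would enable.
    A hardened string such as 'HIGH:!aNULL:!eNULL' must yield an empty list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # the string matched no suite at all
        return []
    return [c["name"] for c in ctx.get_ciphers() if is_anonymous(c)]


def server_accepts_anonymous(host: str, port: int, timeout: float = 5.0) -> bool:
    """Offer only anonymous suites; a completed handshake means the server still
    accepts unauthenticated connections (what the scan reported). Certificate
    checks are irrelevant here because anonymous suites send no certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no anonymous suites
    try:
        ctx.set_ciphers("aNULL")
    except ssl.SSLError as exc:  # local OpenSSL was built without anonymous suites
        raise RuntimeError("local OpenSSL cannot offer anonymous suites") from exc
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                return tls.cipher() is not None
    except (ssl.SSLError, OSError):  # handshake rejected or host unreachable
        return False


if __name__ == "__main__":
    print("anonymous suites in hardened list:", anonymous_suites("HIGH:!aNULL:!eNULL"))
    # Placeholder target; run against the AppServer after changing its cipher list.
    print("server still accepts aNULL:", server_accepts_anonymous("appserver.example", 9831))
```

The first call should print an empty list; the second should print False once the server's cipher list excludes aNULL.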