Posted to users@tomcat.apache.org by André Warnier <aw...@ice-sa.com> on 2008/09/22 10:57:21 UTC
HTTPS and Virtual Hosts
Hi.
I'm not an expert at anything below, that's why I am asking.
I am also not looking for a very precise answer, just a rough summary.
The question :
As I remember from reading about this a while ago, there is/was a
fundamental incompatibility between the HTTP Virtual Host mechanism, and
HTTPS/SSL, in the sense that there is some egg-and-chicken problem
involved, which roughly goes like this :
- the client connects to the host and requests an encrypted connection
to a certain hostname
- the host and client negotiate the encryption (based or not on the name
of the host)
- on subsequent requests, the client sends the request encrypted,
including the "Host:" header that (according to the HTTP protocol) should
indicate the name of the Virtual Host it wants to talk to
- the server should decode the request (including this "Host:" HTTP
header) in order to determine which Host the request is addressed to,
but it can't because it does not know which host it is yet, and thus
cannot decode the request
- we are thus stuck
Is the above, very roughly and approximately, still a valid explanation
of what happens, or is it totally wrong, or has something changed
in-between that I am unaware of ?
Thanks
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: SSL/Apache and Proxy
Posted by Doctor Khumalo <do...@hotmail.com>.
So is being a d-bag.
> Date: Mon, 8 Dec 2008 17:23:10 +0100
> From: tomcat-users@list-post.mks-mail.de
> To: users@tomcat.apache.org
> Subject: Re: SSL/Apache and Proxy
>
> Doctor Khumalo:
> > Anyone know anything about this or will my post be ignored?
>
> Hijacking unrelated threads is a good way to get ignored.
>
> Regards
> mks
Re: SSL/Apache and Proxy
Posted by Markus Schönhaber <to...@list-post.mks-mail.de>.
Doctor Khumalo:
> Anyone know anything about this or will my post be ignored?
Hijacking unrelated threads is a good way to get ignored.
Regards
mks
RE: SSL/Apache and Proxy
Posted by Doctor Khumalo <do...@hotmail.com>.
This is what I placed in my httpd-ssl.conf entry for this particular site
<VirtualHost local3:443>
    ServerName local3:443
    DocumentRoot /usr/local/apache2/htdocs/stir
    DirectoryIndex index.html index.jsp index.shtml
    ErrorLog logs/local3_ssl_error_log
    TransferLog logs/local3_ssl_access_log
    ProxyPass / https://local3:8443/
    ProxyPassReverse / https://local3:8443/
</VirtualHost>
> Date: Mon, 8 Dec 2008 15:53:38 +0100
> From: kdekooter@gmail.com
> To: users@tomcat.apache.org
> Subject: Re: SSL/Apache and Proxy
>
> Could you post your apache proxy configuration?
Re: SSL/Apache and Proxy
Posted by Kees de Kooter <kd...@gmail.com>.
Could you post your apache proxy configuration?
On Mon, Dec 8, 2008 at 15:38, Doctor Khumalo <do...@hotmail.com> wrote:
>
> Anyone know anything about this or will my post be ignored?
>
>
>
>> From: doctortechie@hotmail.com
>> To: users@tomcat.apache.org
>> Subject: RE: SSL/Apache and Proxy
>> Date: Fri, 5 Dec 2008 14:18:12 +0000
>>
>>
>> Here is my server.xml config.
>>
>> I can see the main localhost but whenever I try to type https://local3, it gives me a 503 Error
>>
>>
>> ############################
>>
>>
>>
>> <?xml
>> version='1.0' encoding='utf-8'?>
>>
>> <Server
>> port="8005" shutdown="SHUTDOWN">
>>
>> <Listener
>> className="org.apache.catalina.core.AprLifecycleListener"
>> SSLEngine="on" />
>>
>> <Listener
>> className="org.apache.catalina.core.JasperListener" />
>>
>> <Listener
>> className="org.apache.catalina.mbeans.ServerLifecycleListener" />
>>
>> <Listener
>> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
>> />
>>
>> <GlobalNamingResources>
>>
>> <Resource name="UserDatabase"
>> auth="Container"
>>
>> type="org.apache.catalina.UserDatabase"
>>
>> description="User database
>> that can be updated and saved"
>>
>>
>> factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>
>>
>> pathname="conf/tomcat-users.xml" />
>>
>> </GlobalNamingResources>
>>
>> <Service name="Catalina">
>>
>> <Connector port="80"
>> protocol="HTTP/1.1"
>>
>>
>> connectionTimeout="20000"
>>
>> redirectPort="8443"
>> />
>>
>>
>>
>> <!-- Define a SSL HTTP/1.1 Connector on
>> port 8443
>>
>> This connector uses the JSSE configuration,
>> when using APR, the
>>
>> connector should be using the OpenSSL
>> style configuration
>>
>> described in the APR documentation
>> -->
>>
>>
>>
>> <Connector port="8443"
>> proxyPort="443" proxyName="local3" />
>>
>>
>>
>> <Connector port="8009"
>> protocol="AJP/1.3" redirectPort="8443" />
>>
>> <Engine name="Catalina"
>> defaultHost="localhost">
>>
>> <Realm
>> className="org.apache.catalina.realm.UserDatabaseRealm"
>>
>>
>> resourceName="UserDatabase"/>
>>
>>
>>
>> <Host name="localhost"
>> appBase="webapps"
>>
>> unpackWARs="true"
>> autoDeploy="true"
>>
>> xmlValidation="false"
>> xmlNamespaceAware="false">
>>
>>
>>
>> </Host>
>>
>>
>>
>> <Host name="local2"
>> debug="1" appBase="webapps/local2"
>> unpackWARs="true">
>>
>> <Logger
>> className="org.apache.catalina.logger.FileLogger"
>> directory="logs"
>>
>> prefix="projects."
>> suffix=".txt" timestamp="true"/>
>>
>> <Context path=""
>> docBase="" debug="1" reloadable="true"
>> crossContext="true" />
>>
>> <Alias>local2</Alias>
>>
>> </Host>
>>
>>
>>
>> <Host name="local3"
>> debug="1" appBase="webapps/local3"
>> unpackWARs="true">
>>
>> <Logger
>> className="org.apache.catalina.logger.FileLogger"
>> directory="logs"
>>
>> prefix="projects."
>> suffix=".txt" timestamp="true"/>
>>
>> <Context path=""
>> docBase="" debug="1" reloadable="true"
>> crossContext="true" />
>>
>> <Alias>local3</Alias>
>>
>> </Host>
>>
>>
>>
>> </Engine>
>>
>> </Service>
>>
>> </Server>
>>
>> ######################################
>>
>>
>> > From: doctortechie@hotmail.com
>> > To: users@tomcat.apache.org
>> > Subject: SSL/Apache and Proxy
>> > Date: Fri, 5 Dec 2008 02:31:34 +0000
>> >
>> >
>> > How do I configure server.xml on Tomcat? I have
>> > configured SSL through Apache and the proxy part works, however, I get
>> > this error in the ssl log
>> >
>> >
>> > [Thu Dec 04 15:06:12 2008] [error] (111)Connection refused: proxy: HTTPS: attempt to connect to 165.112.28.126:8443 (localhost) failed
>> > [Thu Dec 04 15:06:12 2008] [error] ap_proxy_connect_backend disabling worker for (localhost)
>> >
>> > _________________________________________________________________
>> > Send e-mail anywhere. No map, no compass.
>> > http://windowslive.com/Explore/hotmail?ocid=TXT_TAGLM_WL_hotmail_acq_anywhere_122008
>>
>> _________________________________________________________________
>> Send e-mail anywhere. No map, no compass.
>> http://windowslive.com/Explore/hotmail?ocid=TXT_TAGLM_WL_hotmail_acq_anywhere_122008
>
> _________________________________________________________________
> Send e-mail faster without improving your typing skills.
> http://windowslive.com/Explore/hotmail?ocid=TXT_TAGLM_WL_hotmail_acq_speed_122008
RE: SSL/Apache and Proxy
Posted by Doctor Khumalo <do...@hotmail.com>.
> > <Connector port="8443" minSpareThreads="5"
> > maxSpareThreads="75" proxyName="local3"
> > enableLookups="true" disableUploadTimeout="true"
> > acceptCount="100" maxThreads="200" scheme="https"
> > secure="true" SSLEnabled="true"
> > SSLCertificateFile="/usr/local/apache2/conf/ssl.key/local3.crt"
> > SSLCertificateKeyFile="/usr/local/apache2/conf/ssl.key/server.key"
> > clientAuth="false" sslProtocol="TLS"/>
>
> Can you talk to Tomcat port 8443 using HTTPS directly with your browser?
> As long as that doesn't work, the combination with Apache in front will
> not do it as well.
>
> Is the encryption between Apache and Tomcat important for you? If no,
> then don't bother setting up an https port and instead use http between
> Apache and Tomcat.
So, would I comment out the above and use HTTPS by pointing Apache to the Tomcat host root folder?
RE: SSL/Apache and Proxy
Posted by Charlie Wingate <cw...@valco-data.com>.
The funny thing is that the Doc wanted to be removed from "this awful blog" not barely a day before it was found to be useful; I wish I had a "filter" for posts from this type of user.
~Charlie
The significant problems we have can not be solved at the same level of thinking with which we created them. ~Albert Einstein
-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com]
Sent: Monday, December 08, 2008 2:19 PM
To: Tomcat Users List
Subject: Re: SSL/Apache and Proxy
Dear Doctor,
With the kind of postings you did previously on this forum, you could
consider yourself lucky to get any answers at all.
A bit of basic civility would certainly not hurt your future prospects.
Re: SSL/Apache and Proxy
Posted by André Warnier <aw...@ice-sa.com>.
Dear Doctor,
With the kind of postings you did previously on this forum, you could
consider yourself lucky to get any answers at all.
A bit of basic civility would certainly not hurt your future prospects.
RE: SSL/Apache and Proxy
Posted by Doctor Khumalo <do...@hotmail.com>.
How would I do that?
> Date: Mon, 8 Dec 2008 18:01:16 +0100
> From: m.cvejic@inbox-online.com
> To: users@tomcat.apache.org
> Subject: Re: SSL/Apache and Proxy
>
> You can just use proxy_pass_ajp instead just proxy_pass. This way you
> don't need tomcat ssl listener.
Re: SSL/Apache and Proxy
Posted by Milan Cvejic <m....@inbox-online.com>.
You can just use proxy_pass_ajp instead of just proxy_pass. This way you
don't need the Tomcat SSL listener.
Rainer Jung wrote:
> Doctor Khumalo wrote:
>
>> OK, thanks.
>>
>> If I remove Tomcat from the equation, I can get HTTPS to work with
>> Apache but when I try to start Tomcat and proxy the HTTPS request to
>> Tomcat, it fails. So, enabling HTTPS on Tomcat 8443 like the
>> following still fails:
>>
>> <Connector port="8443" minSpareThreads="5"
>> maxSpareThreads="75" proxyName="local3"
>> enableLookups="true" disableUploadTimeout="true"
>> acceptCount="100" maxThreads="200" scheme="https"
>> secure="true" SSLEnabled="true"
>> SSLCertificateFile="/usr/local/apache2/conf/ssl.key/local3.crt"
>> SSLCertificateKeyFile="/usr/local/apache2/conf/ssl.key/server.key"
>> clientAuth="false" sslProtocol="TLS"/>
>>
>
> Can you talk to Tomcat port 8443 using HTTPS directly with your browser?
> As long as that doesn't work, the combination with Apache in front will
> not do it as well.
>
> Is the encryption between Apache and Tomcat important for you? If no,
> then don't bother setting up an https port and instead use http between
> Apache and Tomcat.
>
> Regards,
>
> Rainer
>
--
Milan Cvejić
System Administrator
Inbox d.o.o.
Software for Internet
Bulevar Zorana Đinđića 99, 11000 Beograd, Srbija
tel +381 11 313 07 21
mob +381 65 344 42 23
fax +381 11 313 37 34
m.cvejic@inbox-online.com
www.inbox-online.com
Re: SSL/Apache and Proxy
Posted by Rainer Jung <ra...@kippdata.de>.
Doctor Khumalo wrote:
> OK, thanks.
>
> If I remove Tomcat from the equation, I can get HTTPS to work with
> Apache but when I try to start Tomcat and proxy the HTTPS request to
> Tomcat, it fails. So, enabling HTTPS on Tomcat 8443 like the
> following still fails:
>
> <Connector port="8443" minSpareThreads="5"
> maxSpareThreads="75" proxyName="local3"
> enableLookups="true" disableUploadTimeout="true"
> acceptCount="100" maxThreads="200" scheme="https"
> secure="true" SSLEnabled="true"
> SSLCertificateFile="/usr/local/apache2/conf/ssl.key/local3.crt"
> SSLCertificateKeyFile="/usr/local/apache2/conf/ssl.key/server.key"
> clientAuth="false" sslProtocol="TLS"/>
Can you talk to Tomcat port 8443 using HTTPS directly with your browser?
As long as that doesn't work, the combination with Apache in front will
not do it as well.
Is the encryption between Apache and Tomcat important for you? If no,
then don't bother setting up an https port and instead use http between
Apache and Tomcat.
Regards,
Rainer
RE: SSL/Apache and Proxy
Posted by Doctor Khumalo <do...@hotmail.com>.
OK, thanks.
If I remove Tomcat from the equation, I can get HTTPS to work with Apache but when I try to start Tomcat and proxy the HTTPS request to Tomcat, it fails. So, enabling HTTPS on Tomcat 8443 like the following still fails:
<Connector port="8443" minSpareThreads="5"
    maxSpareThreads="75" proxyName="local3"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200" scheme="https"
    secure="true" SSLEnabled="true"
    SSLCertificateFile="/usr/local/apache2/conf/ssl.key/local3.crt"
    SSLCertificateKeyFile="/usr/local/apache2/conf/ssl.key/server.key"
    clientAuth="false" sslProtocol="TLS"/>
> Date: Mon, 8 Dec 2008 15:53:04 +0100
> From: rainer.jung@kippdata.de
> To: users@tomcat.apache.org
> Subject: Re: SSL/Apache and Proxy
>
> Your configuration doesn't look like you are speaking HTTPS on Tomcat
> port 8443, but your Apache error looks like you configured httpd to
> proxy to an HTTPS port. So either enable HTTPS on Tomcat 8443 or tell
> Apache to talk HTTP to the backend. See also
>
> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
>
> Regards,
>
> Rainer
Re: SSL/Apache and Proxy
Posted by Rainer Jung <ra...@kippdata.de>.
Your configuration doesn't look like you are speaking HTTPS on Tomcat
port 8443, but your Apache error looks like you configured httpd to
proxy to an HTTPS port. So either enable HTTPS on Tomcat 8443 or tell
Apache to talk HTTP to the backend. See also
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
Regards,
Rainer
Doctor Khumalo wrote:
> Anyone know anything about this or will my post be ignored?
>
>
>
>> From: doctortechie@hotmail.com
>> To: users@tomcat.apache.org
>> Subject: RE: SSL/Apache and Proxy
>> Date: Fri, 5 Dec 2008 14:18:12 +0000
>>
>>
>> Here is my server.xml config.
>>
>> I can see the main localhost but whenever I try to type https://local3, it gives me a 503 Error
>>
>>
>> ############################
>>
>>
>>
>> <?xml
>> version='1.0' encoding='utf-8'?>
>>
>> <Server
>> port="8005" shutdown="SHUTDOWN">
>>
>> <Listener
>> className="org.apache.catalina.core.AprLifecycleListener"
>> SSLEngine="on" />
>>
>> <Listener
>> className="org.apache.catalina.core.JasperListener" />
>>
>> <Listener
>> className="org.apache.catalina.mbeans.ServerLifecycleListener" />
>>
>> <Listener
>> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
>> />
>>
>> <GlobalNamingResources>
>>
>> <Resource name="UserDatabase"
>> auth="Container"
>>
>> type="org.apache.catalina.UserDatabase"
>>
>> description="User database
>> that can be updated and saved"
>>
>>
>> factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>
>>
>> pathname="conf/tomcat-users.xml" />
>>
>> </GlobalNamingResources>
>>
>> <Service name="Catalina">
>>
>> <Connector port="80"
>> protocol="HTTP/1.1"
>>
>>
>> connectionTimeout="20000"
>>
>> redirectPort="8443"
>> />
>>
>>
>>
>> <!-- Define a SSL HTTP/1.1 Connector on
>> port 8443
>>
>> This connector uses the JSSE configuration,
>> when using APR, the
>>
>> connector should be using the OpenSSL
>> style configuration
>>
>> described in the APR documentation
>> -->
>>
>>
>>
>> <Connector port="8443"
>> proxyPort="443" proxyName="local3" />
>>
>>
>>
>> <Connector port="8009"
>> protocol="AJP/1.3" redirectPort="8443" />
>>
>> <Engine name="Catalina"
>> defaultHost="localhost">
>>
>> <Realm
>> className="org.apache.catalina.realm.UserDatabaseRealm"
>>
>>
>> resourceName="UserDatabase"/>
>>
>>
>>
>> <Host name="localhost"
>> appBase="webapps"
>>
>> unpackWARs="true"
>> autoDeploy="true"
>>
>> xmlValidation="false"
>> xmlNamespaceAware="false">
>>
>>
>>
>> </Host>
>>
>>
>>
>> <Host name="local2"
>> debug="1" appBase="webapps/local2"
>> unpackWARs="true">
>>
>> <Logger
>> className="org.apache.catalina.logger.FileLogger"
>> directory="logs"
>>
>> prefix="projects."
>> suffix=".txt" timestamp="true"/>
>>
>> <Context path=""
>> docBase="" debug="1" reloadable="true"
>> crossContext="true" />
>>
>> <Alias>local2</Alias>
>>
>> </Host>
>>
>>
>>
>> <Host name="local3"
>> debug="1" appBase="webapps/local3"
>> unpackWARs="true">
>>
>> <Logger
>> className="org.apache.catalina.logger.FileLogger"
>> directory="logs"
>>
>> prefix="projects."
>> suffix=".txt" timestamp="true"/>
>>
>> <Context path=""
>> docBase="" debug="1" reloadable="true"
>> crossContext="true" />
>>
>> <Alias>local3</Alias>
>>
>> </Host>
>>
>>
>>
>> </Engine>
>>
>> </Service>
>>
>> </Server>
>>
>> ######################################
>>
>>
>>> From: doctortechie@hotmail.com
>>> To: users@tomcat.apache.org
>>> Subject: SSL/Apache and Proxy
>>> Date: Fri, 5 Dec 2008 02:31:34 +0000
>>>
>>>
>>> How do I configure server.xml on Tomcat? I have
>>> configured SSL through Apache and the proxy part works, however, I get
>>> this error in the ssl log
>>>
>>>
>>> [Thu Dec 04 15:06:12 2008] [error] (111)Connection refused: proxy: HTTPS: attempt to connect to 165.112.28.126:8443 (localhost) failed
>>> [Thu Dec 04 15:06:12 2008] [error] ap_proxy_connect_backend disabling worker for (localhost)
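An added example, not from the thread, that mechanises Rainer's diagnosis: it parses a mod_proxy error line of the shape quoted in this thread together with the <Connector> elements of server.xml and reports whether the scheme httpd uses towards the backend matches what the Tomcat connector on that port actually speaks. The log line and server.xml below are constructed samples shaped like the poster's; the ProxyPass parsing covers the http://, https:// and ajp:// alternatives the replies discuss.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample with the same shape as the ssl_error_log line quoted in the thread.
SAMPLE_LOG = (
    "[Thu Dec 04 15:06:12 2008] [error] (111)Connection refused: proxy: HTTPS: "
    "attempt to connect to 165.112.28.126:8443 (localhost) failed"
)

# Constructed sample: the thread's three connectors, trimmed to what matters here.
# The 8443 connector carries proxyPort/proxyName but no SSLEnabled="true".
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" proxyPort="443" proxyName="local3" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

LOG_RE = re.compile(
    r"\((?P<errno>\d+)\)(?P<errmsg>[^:]+): proxy: (?P<scheme>[A-Z]+): "
    r"attempt to connect to (?P<host>[^:\s]+):(?P<port>\d+)"
)
PROXYPASS_RE = re.compile(
    r"^\s*ProxyPass\s+\S+\s+(?P<scheme>[a-z]+)://(?P<host>[^:/\s]+)(?::(?P<port>\d+))?",
    re.MULTILINE,
)
DEFAULT_PORT = {"HTTP": 80, "HTTPS": 443, "AJP": 8009}


def parse_proxy_error(line):
    """Parse a mod_proxy backend-connect error; None if the line is something else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"scheme": d["scheme"], "host": d["host"], "port": int(d["port"]),
            "errno": int(d["errno"]), "errmsg": d["errmsg"].strip()}


def parse_proxypass(httpd_conf):
    """Return (scheme, host, port) of the first ProxyPass directive, or None."""
    m = PROXYPASS_RE.search(httpd_conf)
    if not m:
        return None
    scheme = m.group("scheme").upper()
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORT.get(scheme)
    return scheme, m.group("host"), port


def connectors(server_xml):
    """Map each <Connector> port to the protocol it actually speaks on the wire."""
    result = {}
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            spoken = "AJP"
        elif c.get("SSLEnabled", "false").lower() == "true":
            spoken = "HTTPS"
        else:
            spoken = "HTTP"   # proxyPort/proxyName/scheme only change what Tomcat reports
        result[int(c.get("port"))] = spoken
    return result


def check_backend(scheme, port, server_xml):
    """Say whether httpd's backend scheme matches the Tomcat connector on port."""
    spoken = connectors(server_xml).get(port)
    if spoken is None:
        return f"no <Connector> in server.xml listens on port {port}"
    if spoken != scheme:
        return (f"httpd proxies {scheme} to port {port} but the connector there speaks "
                f"{spoken}; either enable SSL on it or proxy with {spoken.lower()}://")
    return f"ok: port {port} speaks {scheme}"


def diagnose(log_line, server_xml):
    """Combine one error line and server.xml into a list of findings."""
    err = parse_proxy_error(log_line)
    if err is None:
        return ["not a mod_proxy backend-connect error"]
    findings = [check_backend(err["scheme"], err["port"], server_xml)]
    if err["errno"] == 111:   # ECONNREFUSED: the TCP connect itself was refused
        findings.append(f"nothing accepted the TCP connection on {err['host']}:{err['port']}; "
                        "confirm Tomcat is running and bound to that address")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_SERVER_XML):
        print("-", finding)
    scheme, _host, port = parse_proxypass("ProxyPass / ajp://local3:8009/")
    print("-", check_backend(scheme, port, SAMPLE_SERVER_XML))
```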
RE: SSL/Apache and Proxy
Posted by Doctor Khumalo <do...@hotmail.com>.
Anyone know anything about this or will my post be ignored?
> From: doctortechie@hotmail.com
> To: users@tomcat.apache.org
> Subject: RE: SSL/Apache and Proxy
> Date: Fri, 5 Dec 2008 14:18:12 +0000
>
>
> Here is my server.xml config.
>
> I can see the main localhost but whenever I try to type https://local3, it gives me a 503 Error
>
>
> ############################
>
>
>
> <?xml
> version='1.0' encoding='utf-8'?>
>
> <Server
> port="8005" shutdown="SHUTDOWN">
>
> <Listener
> className="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="on" />
>
> <Listener
> className="org.apache.catalina.core.JasperListener" />
>
> <Listener
> className="org.apache.catalina.mbeans.ServerLifecycleListener" />
>
> <Listener
> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
> />
>
> <GlobalNamingResources>
>
> <Resource name="UserDatabase"
> auth="Container"
>
> type="org.apache.catalina.UserDatabase"
>
> description="User database
> that can be updated and saved"
>
>
> factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>
>
> pathname="conf/tomcat-users.xml" />
>
> </GlobalNamingResources>
>
> <Service name="Catalina">
>
> <Connector port="80"
> protocol="HTTP/1.1"
>
>
> connectionTimeout="20000"
>
> redirectPort="8443"
> />
>
>
>
> <!-- Define a SSL HTTP/1.1 Connector on
> port 8443
>
> This connector uses the JSSE configuration,
> when using APR, the
>
> connector should be using the OpenSSL
> style configuration
>
> described in the APR documentation
> -->
>
>
>
> <Connector port="8443"
> proxyPort="443" proxyName="local3" />
>
>
>
> <Connector port="8009"
> protocol="AJP/1.3" redirectPort="8443" />
>
> <Engine name="Catalina"
> defaultHost="localhost">
>
> <Realm
> className="org.apache.catalina.realm.UserDatabaseRealm"
>
>
> resourceName="UserDatabase"/>
>
>
>
> <Host name="localhost"
> appBase="webapps"
>
> unpackWARs="true"
> autoDeploy="true"
>
> xmlValidation="false"
> xmlNamespaceAware="false">
>
>
>
> </Host>
>
>
>
> <Host name="local2"
> debug="1" appBase="webapps/local2"
> unpackWARs="true">
>
> <Logger
> className="org.apache.catalina.logger.FileLogger"
> directory="logs"
>
> prefix="projects."
> suffix=".txt" timestamp="true"/>
>
> <Context path=""
> docBase="" debug="1" reloadable="true"
> crossContext="true" />
>
> <Alias>local2</Alias>
>
> </Host>
>
>
>
> <Host name="local3"
> debug="1" appBase="webapps/local3"
> unpackWARs="true">
>
> <Logger
> className="org.apache.catalina.logger.FileLogger"
> directory="logs"
>
> prefix="projects."
> suffix=".txt" timestamp="true"/>
>
> <Context path=""
> docBase="" debug="1" reloadable="true"
> crossContext="true" />
>
> <Alias>local3</Alias>
>
> </Host>
>
>
>
> </Engine>
>
> </Service>
>
> </Server>
>
> ######################################
>
>
> > From: doctortechie@hotmail.com
> > To: users@tomcat.apache.org
> > Subject: SSL/Apache and Proxy
> > Date: Fri, 5 Dec 2008 02:31:34 +0000
> >
> >
> > How do I configure server.xml on Tomcat? I have
> > configured SSL through Apache and the proxy part works, however, I get
> > this error in the ssl log
> >
> >
> > [Thu Dec 04 15:06:12 2008] [error] (111)Connection refused: proxy: HTTPS: attempt to connect to 165.112.28.126:8443 (localhost) failed
> > [Thu Dec 04 15:06:12 2008] [error] ap_proxy_connect_backend disabling worker for (localhost)
RE: SSL/Apache and Proxy
Posted by Doctor Khumalo <do...@hotmail.com>.
Here is my server.xml config.
I can see the main localhost but whenever I try to type https://local3, it gives me a 503 Error
############################
<?xml
version='1.0' encoding='utf-8'?>
<Server
port="8005" shutdown="SHUTDOWN">
<Listener
className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on" />
<Listener
className="org.apache.catalina.core.JasperListener" />
<Listener
className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener
className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
/>
<GlobalNamingResources>
<Resource name="UserDatabase"
auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database
that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="80"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
/>
<!-- Define a SSL HTTP/1.1 Connector on
port 8443
This connector uses the JSSE configuration,
when using APR, the
connector should be using the OpenSSL
style configuration
described in the APR documentation
-->
<Connector port="8443"
proxyPort="443" proxyName="local3" />
<Connector port="8009"
protocol="AJP/1.3" redirectPort="8443" />
<Engine name="Catalina"
defaultHost="localhost">
<Realm
className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<Host name="localhost"
appBase="webapps"
unpackWARs="true"
autoDeploy="true"
xmlValidation="false"
xmlNamespaceAware="false">
</Host>
<Host name="local2"
debug="1" appBase="webapps/local2"
unpackWARs="true">
<Logger
className="org.apache.catalina.logger.FileLogger"
directory="logs"
prefix="projects."
suffix=".txt" timestamp="true"/>
<Context path=""
docBase="" debug="1" reloadable="true"
crossContext="true" />
<Alias>local2</Alias>
</Host>
<Host name="local3"
debug="1" appBase="webapps/local3"
unpackWARs="true">
<Logger
className="org.apache.catalina.logger.FileLogger"
directory="logs"
prefix="projects."
suffix=".txt" timestamp="true"/>
<Context path=""
docBase="" debug="1" reloadable="true"
crossContext="true" />
<Alias>local3</Alias>
</Host>
</Engine>
</Service>
</Server>
######################################
> From: doctortechie@hotmail.com
> To: users@tomcat.apache.org
> Subject: SSL/Apache and Proxy
> Date: Fri, 5 Dec 2008 02:31:34 +0000
>
>
> How do I configure server.xml on Tomcat? I have
> configured SSL through Apache and the proxy part works, however, I get
> this error in the ssl log
>
>
> [Thu Dec 04 15:06:12 2008] [error] (111)Connection refused: proxy: HTTPS: attempt to connect to 165.112.28.126:8443 (localhost) failed
> [Thu Dec 04 15:06:12 2008] [error] ap_proxy_connect_backend disabling worker for (localhost)
SSL/Apache and Proxy
Posted by Doctor Khumalo <do...@hotmail.com>.
How do I configure server.xml on Tomcat? I have
configured SSL through Apache and the proxy part works, however, I get
this error in the ssl log
[Thu Dec 04 15:06:12 2008] [error] (111)Connection refused: proxy: HTTPS: attempt to connect to 165.112.28.126:8443 (localhost) failed
[Thu Dec 04 15:06:12 2008] [error] ap_proxy_connect_backend disabling worker for (localhost)
Re: HTTPS and Virtual Hosts
Posted by Mark Thomas <ma...@apache.org>.
Steffen Heil wrote:
> Hi
>
> Actually, most answers in this thread are more or less outdated.
> It IS possible to use one IP with multiple certificates, just not with
> tomcat so far.
>
> There IS (since June 2003, that is more than 5 years!) a TLS extension SNI
> (server name indication) that does the trick: It sends Information about the
> requested hostname to the server during ClientHello handshake.
> It IS supported by almost all browsers in their current versions.
>
> See:
> http://www.ietf.org/rfc/rfc3546.txt, Section 3.1
RFC3546 is a proposed standard. There are many standards in this state and
it can be hard to determine which are de facto standards (eg the cookie
ones) and which are still works in progress. Based on the limited support,
RFC3546 appears to be more of a work in progress.
Browser support is still limited. For example, all the references I could
find require IE7 on Vista, FF2, Opera 7.6+
The lack of support on IE < 7 and WinOS != Vista significantly reduces the
number of users that could use this. I am not sure how a browser that
doesn't support SNI would behave. I suspect it would have to be redirected
to some default (which would probably cause the browser to complain about
an invalid certificate).
> I hope this will find its way into java/tomcat soon.
Now that support exists for this in OpenSSL, it should be possible to add this
to the APR connector. I'm not sure what the take-up would be given the browser
support picture, but if someone wants to provide a proposed patch then I am
sure it would be looked at.
For the other Tomcat connectors, this needs to find its way into JSSE
first. At the moment, I don't see any sign of that.
Finally, with support for SNI in httpd, you could front Tomcat with httpd
to get this functionality.
Mark
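To make concrete what Steffen and Mark are discussing, here is an added example (not code from any poster, nor from Tomcat or httpd) that builds a minimal TLS ClientHello and pulls the RFC 3546 server_name out of it, then picks the virtual host the same way a front end would, falling back to a default when the client sent no SNI. The ClientHello bytes are constructed by hand for the demonstration; the host names localhost/local2/local3 are borrowed from the server.xml posted earlier in this thread.

```python
import struct

# Constants from the TLS record and handshake layers (RFC 2246 / RFC 3546).
HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: client_hello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)
SNI_HOST_NAME = 0x00      # server_name name_type: host_name


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.0 ClientHello record (constructed sample).

    Only the fields the parser must walk past are filled in: one placeholder
    cipher suite, a fixed random and, if given, a single server_name extension.
    """
    body = struct.pack("!H", 0x0301)                  # client_version
    body += b"\x11" * 32                              # random (fixed here)
    body += b"\x00"                                   # session_id: empty
    body += struct.pack("!H", 2) + b"\x00\x2f"        # one cipher suite
    body += b"\x01\x00"                               # compression: null only
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni_data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
        body += struct.pack("!H", len(ext)) + ext     # extensions block
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0301, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the ClientHello's SNI extension.

    Returns None when the client sent no server_name (a pre-SNI browser).
    Raises ValueError for anything that is not a well-formed ClientHello so a
    front end can log and drop it rather than guess. Nothing here is
    decrypted: the name is readable by the server and by anyone on the path.
    """
    if len(record) < 9 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != CLIENT_HELLO:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello body")
    pos = 2 + 32                                      # skip version + random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos >= len(body):
        return None                                   # no extensions at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        raise ValueError("extensions overrun ClientHello body")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[p:p + 3])
            p += 3
            name = data[p:p + name_len]
            p += name_len
            if name_type == SNI_HOST_NAME:
                return name.decode("ascii")
    return None


def select_virtual_host(record, hosts, default_host):
    """Map a ClientHello to the virtual host whose certificate should be sent.

    Falls back to default_host when there is no SNI or the name is unknown,
    which is the behaviour Mark anticipates for browsers without SNI: they get
    the default certificate and, if its name does not match, a warning.
    """
    name = extract_sni(record)
    return name if name in hosts else default_host


if __name__ == "__main__":
    # Host names borrowed from the server.xml posted earlier in this thread.
    hosts = {"localhost", "local2", "local3"}
    for hello in (build_client_hello("local3"), build_client_hello()):
        print(extract_sni(hello), "->", select_virtual_host(hello, hosts, "localhost"))
```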
Re: HTTPS and Virtual Hosts
Posted by Steffen Heil <li...@steffen-heil.de>.
Hi
Actually, most answers in this thread are more or less outdated.
It IS possible to use one IP with multiple certificates, just not with
tomcat so far.
There IS (since June 2003, that is more than 5 years!) a TLS extension SNI
(server name indication) that does the trick: It sends Information about the
requested hostname to the server during ClientHello handshake.
It IS supported by almost all browsers in their current versions.
See:
http://www.ietf.org/rfc/rfc3546.txt, Section 3.1
See:
http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/
I hope this will find its way into java/tomcat soon.
Regards,
Steffen
-----Ursprüngliche Nachricht-----
Von: Johnny Kewl [mailto:john@kewlstuff.co.za]
Gesendet: Montag, 22. September 2008 15:02
An: Tomcat Users List
Betreff: Re: [OT] RE: HTTPS and Virtual Hosts
----- Original Message -----
From: "Peter Crowther" <Pe...@melandra.com>
To: "'Tomcat Users List'" <us...@tomcat.apache.org>
Sent: Monday, September 22, 2008 2:30 PM
Subject: [OT] RE: HTTPS and Virtual Hosts
[Marked OT as this is not even remotely about Tomcat]
> From: Johnny Kewl [mailto:john@kewlstuff.co.za]
> http://support.microsoft.com/kb/257591
... OK...
> If it sends the HOST info in step one....
... which it doesn't as far as I can see...
> and the server chose the correct
> cert.... I see no problem, the secure session hasn't even
> kicked in yet ;)
Yes, exactly. So anything sent across the wire (such as the host header) is
subject to eavesdropping.
The URL, in particular, MUST NOT be sent in cleartext - consider a URL of
the form
https://www.innocentsite.com/myphotos/notsoinnocent/llamapr0n372.jpg *. The
user would no doubt expect SSL to defend his/her access to that URL from
eavesdropping :-).
The case for not sending the host header in cleartext is weaker, but still
present. Consider a blog site such as LiveJournal, for example. It hosts a
range of content, separated onto one hostname per blog. Some of that
content is pretty explicit, and some people might get rather upset if they
knew that *even though they thought they were on a secure channel* then
others could eavesdrop on the mere fact that they were reading *that*
content, rather than some other innocent content that happened to be on the
same IP. So I consider that the ID vul is still present, even via
disclosure of just the host header.
> If not what is the vulnerability? Whatever cert is sent was put there by
> the admin dudes, and will be checked client side anyway ;)
You're thinking about ID vuls from the side of the server admin. Broaden
your thinking - what might a *client* get upset about?
- Peter
Ok... it's off thread, but I disagree.... the secure session doesn't start out
secure... even a certificate is clear text, don't see the big deal... once
you're in a session, different story...
I guess this means you're not going to help me with my new book ;)
Curve Ball technology for biz sake... ha ha
---------------------------------------------------------------------------
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---------------------------------------------------------------------------
Re: [OT] RE: HTTPS and Virtual Hosts
Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
----- Original Message -----
From: "Peter Crowther" <Pe...@melandra.com>
To: "'Tomcat Users List'" <us...@tomcat.apache.org>
Sent: Monday, September 22, 2008 2:30 PM
Subject: [OT] RE: HTTPS and Virtual Hosts
[Marked OT as this is not even remotely about Tomcat]
> From: Johnny Kewl [mailto:john@kewlstuff.co.za]
> http://support.microsoft.com/kb/257591
... OK...
> If it sends the HOST info in step one....
... which it doesn't as far as I can see...
> and the server chose the correct
> cert.... I see no problem, the secure session hasn't even
> kicked in yet ;)
Yes, exactly. So anything sent across the wire (such as the host header) is
subject to eavesdropping.
The URL, in particular, MUST NOT be sent in cleartext - consider a URL of
the form
https://www.innocentsite.com/myphotos/notsoinnocent/llamapr0n372.jpg *. The
user would no doubt expect SSL to defend his/her access to that URL from
eavesdropping :-).
The case for not sending the host header in cleartext is weaker, but still
present. Consider a blog site such as LiveJournal, for example. It hosts a
range of content, separated onto one hostname per blog. Some of that
content is pretty explicit, and some people might get rather upset if they
knew that *even though they thought they were on a secure channel* then
others could eavesdrop on the mere fact that they were reading *that*
content, rather than some other innocent content that happened to be on the
same IP. So I consider that the ID vul is still present, even via
disclosure of just the host header.
> If not what is the vulnerability? Whatever cert is sent was put there by
> the admin dudes, and will be checked client side anyway ;)
You're thinking about ID vuls from the side of the server admin. Broaden
your thinking - what might a *client* get upset about?
- Peter
Ok... it's off thread, but I disagree.... the secure session doesn't start out
secure... even a certificate is clear text, don't see the big deal... once
you're in a session, different story...
I guess this means you're not going to help me with my new book ;)
Curve Ball technology for biz sake... ha ha
[OT] RE: HTTPS and Virtual Hosts
Posted by Peter Crowther <Pe...@melandra.com>.
[Marked OT as this is not even remotely about Tomcat]
> From: Johnny Kewl [mailto:john@kewlstuff.co.za]
> http://support.microsoft.com/kb/257591
... OK...
> If it sends the HOST info in step one....
... which it doesn't as far as I can see...
> and the server chose the correct
> cert.... I see no problem, the secure session hasn't even
> kicked in yet ;)
Yes, exactly. So anything sent across the wire (such as the host header) is subject to eavesdropping.
The URL, in particular, MUST NOT be sent in cleartext - consider a URL of the form https://www.innocentsite.com/myphotos/notsoinnocent/llamapr0n372.jpg *. The user would no doubt expect SSL to defend his/her access to that URL from eavesdropping :-).
The case for not sending the host header in cleartext is weaker, but still present. Consider a blog site such as LiveJournal, for example. It hosts a range of content, separated onto one hostname per blog. Some of that content is pretty explicit, and some people might get rather upset if they knew that *even though they thought they were on a secure channel* then others could eavesdrop on the mere fact that they were reading *that* content, rather than some other innocent content that happened to be on the same IP. So I consider that the ID vul is still present, even via disclosure of just the host header.
> If not what is the vulnerability? Whatever cert is sent was put there by
> the admin dudes, and will be checked client side anyway ;)
You're thinking about ID vuls from the side of the server admin. Broaden your thinking - what might a *client* get upset about?
- Peter
* With thanks to User Friendly (http://www.userfriendly.org), over the years, for warping my mind enough to devise this URL.
Re: HTTPS and Virtual Hosts
Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
----- Original Message -----
From: "Peter Crowther" <Pe...@melandra.com>
To: "'Tomcat Users List'" <us...@tomcat.apache.org>
Sent: Monday, September 22, 2008 12:19 PM
Subject: RE: HTTPS and Virtual Hosts
> From: Johnny Kewl [mailto:john@kewlstuff.co.za]
> I actually can't see any
> reason why the handshake couldn't be extended to look at the
> incoming URL...
Because the URL (or at least the host header) would have to be sent over the
wire in cleartext, as it's before the encrypted connection is negotiated.
This is an information disclosure vulnerability.
- Peter
http://support.microsoft.com/kb/257591
If it sends the HOST info in step one.... and the server chose the correct
cert.... I see no problem, the secure session hasn't even kicked in yet ;)
So what are they not allowing?
I think the only vulnerability is to the CA's biz model ;)
If not what is the vulnerability? Whatever cert is sent was put there by
the admin dudes, and will be checked client side anyway ;)
RE: HTTPS and Virtual Hosts
Posted by Peter Crowther <Pe...@melandra.com>.
> From: Johnny Kewl [mailto:john@kewlstuff.co.za]
> I actually can't see any
> reason why the handshake couldn't be extended to look at the
> incoming URL...
Because the URL (or at least the host header) would have to be sent over the wire in cleartext, as it's before the encrypted connection is negotiated. This is an information disclosure vulnerability.
- Peter
Re: HTTPS and Virtual Hosts
Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
----- Original Message -----
From: "André Warnier" <aw...@ice-sa.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Monday, September 22, 2008 10:57 AM
Subject: HTTPS and Virtual Hosts
> Hi.
>
> I'm not an expert at anything below, that's why I am asking.
> I am also not looking for a very precise answer, just a rough summary.
>
> The question :
>
> As I remember from reading about this a while ago, there is/was a
> fundamental incompatibility between the HTTP Virtual Host mechanism, and
> HTTPS/SSL, in the sense that there is some egg-and-chicken problem
> involved, which roughly goes like this :
> - the client connects to the host and requests an encrypted connection to
> a certain hostname
> - the host and client negotiate the encryption (based or not on the name
> of the host)
> - on subsequent requests, the client sends the request encrypted,
> including the "Host:" header that (according to the HTTP protocol) should
> indicate the name of the Virtual Host it wants to talk to
> - the server should decode the request (including this "Host:" HTTP
> header) in order to determine which Host the request is addressed to, but
> it can't because it does not know which host it is yet, and thus cannot
> decode the request
> - we are thus stuck
>
> Is the above, very roughly and approximatively still a valid explanation
> of what happens, or is it totally wrong, or has something changed
> in-between that I am unaware of ?
>
> Thanks
--------------------------------------
Mmmmmmm yes... kinda
Andre check out the hand shake in SSL...
Keeping it very conceptual... the secure system between a browser and server
is owned by Verisign, or GoDaddy, or whatever CA.
And it is checking a few things...
Like the domain name used and the expiry date...
So when you buy a cert and give them www.andre.com
That's it...
This is because the cert is pulled (checked) during the handshake... and
"host headers" only come later...
.... that's the official version of the story, but I actually can't see any
reason why the handshake couldn't be extended to look at the incoming URL...
other than people would start doing server tricks and making extra free
certs ;)
I conclude... it's more about biz than it is about technology....
certificates are sold per domain... this is the real issue ;)
It's actually interesting, because when we were making the Pojo server, this
issue came up... especially because we want to give the company using the
system the ability to be a CA... so we dropped the domain check, and then
the only condition on the server is that the administrator knows the private
key...
... clearly a really crap biz model because one can use the certs on a
million servers... but an interesting thing happens...
... virtual hosts are NOT an issue
... It's secure on any port
Ha ha... it's about the biz model.... I believe ;)
Hell they got to make money and it is beeeeeeeeeeeeeeeeeeg bucks... a local
chap made a cool 3 billion dollars out of his CA ;)
.... Yup... I think it's about biz ;)
RE: HTTPS and Virtual Hosts
Posted by Peter Crowther <Pe...@melandra.com>.
> From: André Warnier [mailto:aw@ice-sa.com]
> As I remember from reading about this a while ago, there is/was a
> fundamental incompatibility between the HTTP Virtual Host
> mechanism, and
> HTTPS/SSL, in the sense that there is some egg-and-chicken problem
> involved, which roughly goes like this :
> - the client connects to the host and requests an encrypted connection
> to a certain hostname
Almost. The client connects to the host on a given IP address and port, which requires an encrypted connection. No hostname is transferred at this point, as encryption must happen first.
> - the host and client negociate the encryption (based or not
> on the name of the host)
Based on the certificate that the host sends to the client as part of negotiating the encryption. That certificate contains the common name of the host (or occasionally a wildcard name such as *.melandra.com). The client should be suspicious if the common name in the certificate does not match the hostname the client thinks it sent the request to.
Therefore, the host cannot know to which virtual host the client wishes to connect when it sends the certificate.
Therefore, the host cannot send the "right" certificate unless all requests to a given hostname and port are designed to use the same certificate.
Therefore, virtual hosting using SSL is a problem.
> Is the above, very roughly and approximatively still a valid
> explanation
> of what happens, or is it totally wrong, or has something changed
> in-between that I am unaware of ?
It's close, but the problem occurs at an earlier step than you outline :-).
- Peter
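The name check Peter describes, as an added example that is not code from any poster: a client-side match of a certificate's names (including a wildcard such as the *.melandra.com he mentions) against the hostname the client believes it connected to, plus a helper showing which virtual hosts the single certificate a server can present on one IP and port would leave with a mismatch warning. The host names other than melandra.com are constructed.

```python
def name_matches(pattern, hostname):
    """Match one certificate name against the hostname the client connected to.

    Comparison is case-insensitive. A wildcard is honoured only as the whole
    left-most label, so *.melandra.com covers www.melandra.com but neither
    melandra.com nor a.b.melandra.com, and a bare *.com is never accepted.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_covers(cert_names, hostname):
    """True if any name in the certificate matches the requested hostname."""
    return any(name_matches(name, hostname) for name in cert_names)


def hosts_left_unmatched(cert_names, virtual_hosts):
    """Given the single certificate a server can present on one IP:port, list
    the virtual hosts whose visitors would get a name-mismatch warning."""
    return [h for h in virtual_hosts if not certificate_covers(cert_names, h)]


if __name__ == "__main__":
    # Constructed sample: one wildcard certificate, three virtual hosts sharing
    # the same address and port.
    cert = ["*.melandra.com"]
    vhosts = ["www.melandra.com", "shop.melandra.com", "blog.example.org"]
    print(hosts_left_unmatched(cert, vhosts))   # ['blog.example.org']
```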
Re: [OT] RE: HTTPS and Virtual Hosts
Posted by Ognjen Blagojevic <og...@etf.bg.ac.yu>.
Peter Crowther wrote:
> Or configure multiple IP addresses on one card - almost all operating systems these days allow multiple IP addresses on one adapter. Cheaper, and you don't run out of card slots so fast :-).
Didn't know that. That's definitely better.
-Ognjen
[OT] RE: HTTPS and Virtual Hosts
Posted by Peter Crowther <Pe...@melandra.com>.
> From: Ognjen Blagojevic [mailto:ognjen@etf.bg.ac.yu]
> For instance, you
> could put 2 or more network cards in the server, and then
> configure one virtual host for each of these cards.
Or configure multiple IP addresses on one card - almost all operating systems these days allow multiple IP addresses on one adapter. Cheaper, and you don't run out of card slots so fast :-).
- Peter
Re: HTTPS and Virtual Hosts
Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
----- Original Message -----
From: "André Warnier" <aw...@ice-sa.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Monday, September 22, 2008 12:21 PM
Subject: Re: HTTPS and Virtual Hosts
> Mark Thomas wrote:
>> Ognjen Blagojevic wrote:
>>> André Warnier wrote:
>>>> Is the above, very roughly and approximatively still a valid
>>>> explanation of what happens, or is it totally wrong, or has something
>>>> changed in-between that I am unaware of ?
>>> Yes, that's about it. Here is the official explanation:
>>>
>>> http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
>>>
>>> The workaround is also proposed. You can use different ports or IP
>>> addresses for different SSL enabled virtual hosts. For instance, you
>>> could put 2 or more network cards in the server, and then configure one
>>> virtual host for each of these cards.
>>
>> You do not need multiple NICs to support multiple IP addresses. You can
>> quite happily configure a NIC with multiple IP addresses.
>>
> Alright.
> Thanks to everyone for the answers and references.
> This was also linked to another thread "Re. Connector problem", for which
> I am also interested in the practical solution.
>
> Now, a follow-up question :
>
> I seem to remember that there was talk about a scheme or a protocol that
> would allow (very roughly) a client/server pair to start a session using
> HTTP (not SSL), negotiate, then in the course of the session "upgrade"
> this link to HTTPS. And that this somehow could be a solution to the
> Virtual Host issue under HTTPS.
> Am I dreaming this up, or does there exist something in that general area
> ?
Andre, I'm not aware of anything like it... one can actually do anything
with crypto stuff, but the problem is that half the engine is built into the
browser, if it doesn't want to play, it doesn't happen... there are do it
yourself secure layers out there at javascript level, but they have
issues... don't secure whole page etc.
... dont think so...
However as soon as you leave the browser environment... anything is
possible.
RE: HTTPS and Virtual Hosts
Posted by Peter Crowther <Pe...@melandra.com>.
> From: André Warnier [mailto:aw@ice-sa.com]
> I seem to remember that there was talk about a scheme or a
> protocol that
> would allow (very roughly) a client/server pair to start a
> session using
> HTTP (not SSL), negotiate, then in the course of the session "upgrade"
> this link to HTTPS. And that this somehow could be a solution to the
> Virtual Host issue under HTTPS.
> Am I dreaming this up, or does there exist something in that
> general area ?
I've no idea whether such a protocol exists today; however, the current set of browsers don't appear to support such a beast. It might be a good solution 5 years down the line, once all the old browsers that don't support it have fallen out of use, but even if the protocol's ready to go now the installed browser base isn't ready for a site that uses it.
- Peter
Re: HTTPS and Virtual Hosts
Posted by André Warnier <aw...@ice-sa.com>.
Mark Thomas wrote:
> Ognjen Blagojevic wrote:
>> André Warnier wrote:
>>> Is the above, very roughly and approximatively still a valid
>>> explanation of what happens, or is it totally wrong, or has something
>>> changed in-between that I am unaware of ?
>> Yes, that's about it. Here is the official explanation:
>>
>> http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
>>
>> The workaround is also proposed. You can use different ports or IP
>> addresses for different SSL enabled virtual hosts. For instance, you
>> could put 2 or more network cards in the server, and then configure one
>> virtual host for each of these cards.
>
> You do not need multiple NICs to support multiple IP addresses. You can
> quite happily configure a NIC with multiple IP addresses.
>
Alright.
Thanks to everyone for the answers and references.
This was also linked to another thread "Re. Connector problem", for
which I am also interested in the practical solution.
Now, a follow-up question :
I seem to remember that there was talk about a scheme or a protocol that
would allow (very roughly) a client/server pair to start a session using
HTTP (not SSL), negotiate, then in the course of the session "upgrade"
this link to HTTPS. And that this somehow could be a solution to the
Virtual Host issue under HTTPS.
Am I dreaming this up, or does there exist something in that general area ?
Re: HTTPS and Virtual Hosts
Posted by Mark Thomas <ma...@apache.org>.
Ognjen Blagojevic wrote:
> André Warnier wrote:
>> Is the above, very roughly and approximately, still a valid
>> explanation of what happens, or is it totally wrong, or has something
>> changed in-between that I am unaware of ?
>
> Yes, that's about it. Here is the official explanation:
>
> http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
>
> The workaround is also proposed. You can use different ports or IP
> addresses for different SSL-enabled virtual hosts. For instance, you
> could put 2 or more network cards in the server, and then configure one
> virtual host for each of these cards.
You do not need multiple NICs to support multiple IP addresses. You can
quite happily configure a NIC with multiple IP addresses.
Mark
Re: HTTPS and Virtual Hosts
Posted by Ognjen Blagojevic <og...@etf.bg.ac.yu>.
André Warnier wrote:
> Is the above, very roughly and approximately, still a valid explanation
> of what happens, or is it totally wrong, or has something changed
> in-between that I am unaware of ?
Yes, that's about it. Here is the official explanation:
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
The workaround is also proposed. You can use different ports or IP
addresses for different SSL-enabled virtual hosts. For instance, you
could put 2 or more network cards in the server, and then configure one
virtual host for each of these cards.
-Ognjen
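The one-IP-per-SSL-host workaround that Ognjen describes (and Mark's note that the IPs can be aliases on a single NIC) looks like this in a Tomcat server.xml. This is an added example, not from the thread or from Tomcat's shipped configuration: the addresses 192.0.2.10 and 192.0.2.11, the hostnames www.example.com and www.example.net, the keystore paths and the keystore passwords are all placeholders. Each HTTPS connector is bound to one address and carries its own keystore, so the certificate is selected by the IP the client connected to, before any encrypted Host: header is needed; since a Connector can only feed the single Engine of its Service, each IP gets its own Service and Engine.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Service 1: www.example.com, reachable only on 192.0.2.10:443.
       The certificate in example-com.jks is presented to every client
       that connects to this address, so no Host: header is required
       to pick it. -->
  <Service name="Catalina-example-com">
    <Connector address="192.0.2.10" port="443"
               protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/example-com.jks"
               keystorePass="PLACEHOLDER-example-com" />
    <Engine name="Catalina-example-com" defaultHost="www.example.com">
      <Host name="www.example.com" appBase="webapps-example-com"
            unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>

  <!-- Service 2: www.example.net, reachable only on 192.0.2.11:443,
       with its own keystore. 192.0.2.11 may be a second NIC or a
       second address configured on the same NIC; Tomcat does not care. -->
  <Service name="Catalina-example-net">
    <Connector address="192.0.2.11" port="443"
               protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/example-net.jks"
               keystorePass="PLACEHOLDER-example-net" />
    <Engine name="Catalina-example-net" defaultHost="www.example.net">
      <Host name="www.example.net" appBase="webapps-example-net"
            unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>

</Server>
```

Because the selection happens at the TCP/IP layer, a request for www.example.net arriving on 192.0.2.10 is still answered with the example.com certificate; DNS for each name must point at its own address for the scheme to hold.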