Posted to users@tomcat.apache.org by Bill Barker <wb...@wilshire.com> on 2002/12/14 08:18:40 UTC

Re: SSL Connection Tomcat and Apache

While there seems to be a demand for SSL from Apache->Tomcat, the fact is
that it is not currently implemented.  Both the Warp & Ajp13 protocols send
the messages un-encrypted and easily enough decipherable to a sniffer.  They
are designed around the assumption that your Tomcat Server is in the same DMZ
as your Apache/httpd server.

Of course, patches are always welcome, if anyone wants to add SSL support to
either Warp or Ajp13 ;-).

"Turner, John" <JT...@AAS.com> wrote in message
news:83F0258A9996D311B14200A0C98F17360202C3AC@aas-internet.aas.com...

With the increase in web services, and different companies working as
partners, it's very conceivable (in my mind) that there would be a situation
where the initial web request was handled by apache owned by Company A, and
for one reason or another, needed to connect to tomcat owned by Company B
across the public internet to fulfill the request.  Rather than incorporate
some sort of separate VPN scenario with software or hardware (or both) it
would be nice to be able to create an encrypted tunnel from one server to
the other (apache<->tomcat) on the fly.

I'm definitely interested in hearing from people who have this working, and
how they did it.  I intend to try setting it up myself as soon as I have the
time.

John Turner
jturner@NOSPAM.aas.com

-----Original Message-----
From: Ralph Einfeldt [mailto:ralph.einfeldt@uptime-isc.de]
Sent: Tuesday, August 13, 2002 12:50 PM
Subject: AW: SSL Connection Tomcat and Apache


Why do you care ?

In most cases this traffic is not seen by anybody
but yourself.
It's a completely different topic if you allow third
parties access to systems inside your network and you
want to make sure that they don't listen to traffic
that isn't owned by them (e.g. if you are an ISP).

> -----Original Message-----
> From: Wills, Mike N. (TC) [mailto:MNWills@taylorcorp.com]
> Sent: Monday, 12 August 2002 22:21
> To: 'tomcat-user@jakarta.apache.org'
> Subject: SSL Connection Tomcat and Apache
>
>
> I have Apache and Tomcat working together, but now I am
> curious about security.
> How do I implement SSL on that connection?
>
> Mike Wills
> IT Corporate Support
> Taylor Corporation
> mnwills@taylorcorp.com
> Phone: (507) 386-3187
>
>
> --
> To unsubscribe, e-mail:
> <ma...@jakarta.apache.org>
> For additional commands, e-mail:
> <ma...@jakarta.apache.org>
>
>
>



RE: SSL Connection Tomcat and Apache

Posted by "Noel J. Bergman" <no...@devtech.com>.
Since apparently this capability is not available, yet, nor a high priority,
might I suggest ssh tunneling.  We use it here to tunnel MySQL replication
through a set of firewalls:

   ssh -2 -N -T -q -L <localport>:<remote-host>:<remote-port> <remote-host>

Using PKE means that I can run that tunnel as a particular pseudo-user with
its own set of keys.  I use a daemon to make sure that if the tunnel dies,
it comes back.  As I said, this technique supports the real-time replication
that we've been running for more than two years.

I see no reason why I couldn't run an SSH tunnel over which to transparently
run Connector protocols, which makes more sense to me than bolting SSL onto
them.  SSH tunnels not only protect the data, they authenticate the user.
If I were Company B, I would not want just anyone connecting to my Tomcat
via a Connector!

	--- Noel

-----Original Message-----
From: news [mailto:news@main.gmane.org]On Behalf Of Bill Barker
Sent: Saturday, December 14, 2002 2:19
To: tomcat-user@jakarta.apache.org
Subject: Re: SSL Connection Tomcat and Apache


While there seems to be a demand for SSL from Apache->Tomcat, the fact is
that it is not currently implemented.  Both the Warp & Ajp13 protocols send
the messages un-encrypted and easily enough decipherable to a sniffer.  They
are designed around the assumption that your Tomcat Server is in the same DMZ
as your Apache/httpd server.

Of course, patches are always welcome, if anyone wants to add SSL support to
either Warp or Ajp13 ;-).

"Turner, John" <JT...@AAS.com> wrote in message
news:83F0258A9996D311B14200A0C98F17360202C3AC@aas-internet.aas.com...

With the increase in web services, and different companies working as
partners, it's very conceivable (in my mind) that there would be a situation
where the initial web request was handled by apache owned by Company A, and
for one reason or another, needed to connect to tomcat owned by Company B
across the public internet to fulfill the request.  Rather than incorporate
some sort of separate VPN scenario with software or hardware (or both) it
would be nice to be able to create an encrypted tunnel from one server to
the other (apache<->tomcat) on the fly.

I'm definitely interested in hearing from people who have this working, and
how they did it.  I intend to try setting it up myself as soon as I have the
time.

John Turner
jturner@NOSPAM.aas.com
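
The SSH tunnel with a restart daemon described in Noel's reply, applied to the Ajp13 connector, as an added example that is not part of any post in this thread. The function names `tunnel_cmd` and `supervise`, the account `ajptunnel`, the host `tomcat.example.net`, the key path and port 8009 are assumptions, as is sshd running on the Tomcat host itself so that the connector only needs to listen on loopback.

```shell
#!/bin/sh
# Added example: SSH local forward for the Apache -> Tomcat connector, kept
# alive by a restart loop. Account, host, key path and port are assumptions.

# Print the ssh command line for a loopback-only forward.
# usage: tunnel_cmd <local-port> <remote-port> <user@tomcat-host> <key-file>
tunnel_cmd() {
    for p in "$1" "$2"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 2 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 2; }
    done
    case "$3" in
        *@*) ;;
        *) echo "need user@host" >&2; return 2 ;;
    esac
    # -N: no remote command; -T: no tty. Binding 127.0.0.1 on both ends keeps
    # the cleartext connector port off every non-loopback interface.
    printf 'ssh -N -T -i %s -o BatchMode=yes -o ExitOnForwardFailure=yes ' "$4"
    printf '%s ' '-o ServerAliveInterval=30 -o ServerAliveCountMax=3'
    printf '%s %s\n' "-L 127.0.0.1:$1:127.0.0.1:$2" "$3"
}

# Re-run a command every time it exits, with capped exponential backoff.
# usage: supervise <max-starts, 0 = forever> <command...>
supervise() {
    max=$1; shift
    delay=${TUNNEL_DELAY:-1}
    starts=0
    while :; do
        starts=$((starts + 1))
        rc=0; "$@" || rc=$?
        echo "tunnel exited rc=$rc (start $starts)" >&2
        [ "$max" -gt 0 ] && [ "$starts" -ge "$max" ] && return "$rc"
        sleep "$delay"
        delay=$((delay * 2)); [ "$delay" -gt 60 ] && delay=60
    done
}

# Run as: ./ajp-tunnel.sh run   (constructed values; key path must not contain spaces)
if [ "${1:-}" = "run" ]; then
    cmd=$(tunnel_cmd 8009 8009 ajptunnel@tomcat.example.net \
          /home/ajptunnel/.ssh/id_ed25519) || exit 2
    supervise 0 $cmd   # unquoted on purpose: split the command into words
fi
```

With this in place the web server's connector worker points at 127.0.0.1 and the local port instead of the remote Tomcat host, and the key for the tunnel account can be restricted on the Tomcat side to port forwarding only.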

