Posted to users@tomcat.apache.org by ac...@saysit.com on 2003/08/06 04:54:42 UTC

Off topic : tools for testing mod_ssl/OpenSSL ???

Hi All.
TCPDUMP-ing the login for NYTimes.com as a control group I can certainly
see USERID and PASSWORD (and other things) eg.  
...
Referer: http://www.nytimes.com/auth/login
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)
Host: www.nytimes.com
Content-Length: 84
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: RMID; tpopunder_orbitz23a-nyt4; NYT-S; nyt-d;
tpopunder_orbitz23-nyt4; spopunder;
NYT_GR=3f3069f9-eD5iDGvcR1EwqdL/n8+qGA
is_continue=true&URI=&OQ=&USERID=niemand&PASSWORD=geheimnis&log=Log+In&SAVEOPTION=YES÷
1?&(r)
...
After enabling httpd with mod_ssl, the TCPDUMP from the following client
browsers is mostly NOT human-readable :
* Mozilla
* MSIE5
* Netscape 6.2
* Netscape 7.1 (which is the bee in the bonnet)
They all present the login dialogue box and the "untrusted self-signed
certificate" screen.
Therefore it might be a bug with 7.1, which seemingly does not report an
embedded secure link from an unsecured page as such, e.g. from
http://my.first.dom which has a link to https://my.secure.dom
However, in 7.1, if I key in the URL https://my.secure.dom (i.e. without
going through http://my.first.dom), the lock closes and one can view the
certificate info by clicking on it.

I assume this is how it works :
Step 1: certificate presented and accepted, input from client
browser encrypted
Step 2: transmit to mod_ssl enabled Apache2 server
Step 3: Off to Tomcat courtesy of the following bits of code :
...
<VirtualHost 192.168.1.3:443>
    ServerName my.dom.com
    ServerAdmin webmaster@dom.com
    DocumentRoot /home/king/public_html
    ErrorLog /usr/local/apache2/logs/king_error.log
    CustomLog /usr/local/apache2/logs/king_access.log common
    <IfModule mod_ssl.c>
       SSLEngine on
       SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
       SSLCertificateFile /path/to/ssl/server.crt
       SSLCertificateKeyFile /path/to/server.key
    </IfModule>
    JkExtractSSL on
    JkHTTPSIndicator HTTPS
    JkSESSIONIndicator SSL_SESSION_ID
    JkCIPHERIndicator SSL_CIPHER
    JkCERTSIndicator SSL_CLIENT_CERT
    JkMount /dom ajp13
    JkMount /dom/* ajp13
</VirtualHost>
...
Step 4 : FIX ME - does Apache2 unencrypt content before passing on to
Tomcat ???
Step 5 : FIX ME - does Tomcat pass db data back to Apache2 and the data
get encrypted there ???


If anyone out there has similar or diff experience, please share it.


Ralph Einfeldt wrote:
> 
> One way to verify this is to use a packet sniffer
> and watch the packets that are exchanged between server
> and browser.
> 
> Under linux you can use tcpdump.
>   http://www.tcpdump.org/
> 
> 
> tcpdump has also a windows brother (or sister):
>   http://windump.polito.it/
> 
> Under linux and windows you can use ethereal:
>   http://www.ethereal.com/
> 
> > -----Original Message-----
> > From: achana@saysit.com [mailto:achana@saysit.com]
> > Sent: Tuesday, August 05, 2003 9:17 AM
> > To: tomcat-user@jakarta.apache.org
> > Subject: Off topic : any tools for testing mod_ssl/OpenSSL ???
> >
> >
> > Hi All.
> > I have got my Apache mod_ssl/OpenSSL talking with Tomcat nicely using
> > MSIE5, Netscape 6.2 and Mozilla.
> > On Netscape 7.1, it says I am transmitting in clear text for all to see
> > AFTER logging in and accepting the certificate !?! Somehow I
> > doubt that,
> > I think it is telling me fibs.
> > Are there any tools to test whether the transmission is in clear text ?
> > TIA :-)
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> >
> >
> 



Off topic : frightening test for mod_ssl/OpenSSL ???

Posted by ac...@saysit.com.
I forgot to add the frightening result of the following test (like a doctor
telling you that you've got leukemia) :
[ssl]# openssl s_client -connect localhost:443 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0809D018 [0809D060] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04   .........f......
0020 - 03 00 80 01 00 80 08 00-80 00 00 65 00 00 64 00   ...........e..d.
0030 - 00 63 00 00 62 00 00 61-00 00 60 00 00 15 00 00   .c..b..a..`.....
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
0050 - 00 00 06 00 00 03 04 00-80 02 00 80 c9 59 35 e7   .............Y5.
0060 - c1 f3 05 15 5b ba 68 1d-76 e1 b5 a0 bf 82 f8 36   ....[.h.v......6
0070 - d9 3c 79 71 a6 5f e1 11-b6 32 ea c8               .<yq._...2..
SSL_connect:SSLv2/v3 write client hello A
read from 0809D018 [080A25C0] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
3751:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:
[ssl]#
Guess it is off topic now...

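The question running through this thread (is the port really speaking TLS, or clear text?) can be answered without a sniffer by sending a ClientHello and looking at the first bytes that come back, which is what the s_client run above did: "<!DOCTY" is the start of an HTML page, so whatever answered on localhost:443 was talking plain HTTP. The probe below is an added example, not code from the thread; the host and port are arguments, and the sample replies it classifies are constructed (the plaintext one is the 7 bytes from the s_client output).

```python
import os
import socket
import struct
import sys

# Constructed samples. PLAINTEXT_REPLY is the 7 bytes the thread's s_client run
# received ("<!DOCTY"): the start of an HTML page, so the peer spoke plain HTTP.
PLAINTEXT_REPLY = bytes.fromhex("3c 21 44 4f 43 54 59")
TLS_REPLY = bytes.fromhex("16 03 03 00 4a 02 00 00 46 03 03")   # TLS ServerHello record
HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n"                     # plain httpd rejecting the hello

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sends back after our ClientHello."""
    if not data:
        return "no-reply"
    if data[0] == 0x16 and data[1:2] == b"\x03":
        return "tls"                    # handshake record: a TLS ServerHello
    if data[0] == 0x15 and data[1:2] == b"\x03":
        return "tls-alert"              # a TLS peer, but it rejected our hello
    if data[0] & 0x80 and len(data) > 2 and data[2] == 0x04:
        return "sslv2"                  # SSLv2 SERVER-HELLO (message type 4)
    if data.startswith(b"HTTP/") or data.lstrip().startswith(b"<"):
        return "plaintext-http"         # the listener is speaking plain HTTP
    return "unknown"

def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello (no extensions); enough to provoke a reply."""
    suites = b"".join(struct.pack("!H", s) for s in (0xC02F, 0xC030, 0x009C, 0x002F, 0x0035))
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"       # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello and classify whatever comes back first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(64)
        except socket.timeout:
            reply = b""
    return classify_reply(reply)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # e.g. the thread's localhost:443
    print(target, "->", probe(target))
```

A result of "plaintext-http" on port 443 means the listener never negotiated TLS at all, so the browser's padlock (or its absence) is not the thing to debug first.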

