Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/06/04 13:04:03 UTC

DO NOT REPLY [Bug 20473] New: - ajp13 connection between apache and tomcat is not encrypted

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20473

           Summary: ajp13 connection between apache and tomcat is not
                    encrypted
           Product: Tomcat 4
           Version: 4.0 Beta 1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Connector:Coyote JK 2
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: david.cassidy@db.com


The connection between apache and tomcat is not encrypted.

This means if your network is breached and a packet sniffer installed then
your credit card details / passwords etc can be picked up even though the 
connection to apache was https & encrypted.

This tar adds an extra channel which provides a TLS encrypted channel between
apache and tomcat. 
With this encrypted channel this means that data transfer between apache and
tomcat is re-encrypted.

The channel adds in the ability to do the following type of connections.

- Tomcat & apache communicate securely but not authenticating each other.
- Tomcat will only let in connections from a host whose cert has been signed
  by a CA it trusts.
- Apache will only connect to a tomcat whose CA it trusts.
- Both apache and tomcat will only allow connections from & to hosts that it
  trusts their CA.

Note: This trusting has NOTHING to do with the browsers connection to apache.
Both apache and tomcat will pass nothing to either end about this secure
connection - it is as transparent as if it were a normal socket connection.

Note - 2: You need jsse.jar and jcert.jar for tomcat and openssl for apache.
Best if you have set up apache with ssl (otherwise what's the point eh?)

I have this running with jdk1.4 on linux. Tested with both apache 1.3 and apache
2. I've used tomcat 4.1.24 on the tomcat end. Although I don't see why it won't
work with any tomcat 4.x or tomcat 5.x versions. TC3 I don't know!
