Re: Question about ssl
John,

On 3/31/22 10:50, John Dale (DB2DOM) wrote:
> Hi Chris;
>
> I'm measuring the time taken to process a request as reported by
> inspector-network in brave.
>
> SSL time to process through tomcat is 11ms.
>
> Same request for a smaller file using a java SSL socket is taking 50ms .. like this:
>
>     public static SSLServerSocket getServerSocketWithCert(int port, InputStream pathToCert,
>             String passwordFromCert, ServerSecureType type)
>             throws IOException, KeyManagementException, NoSuchAlgorithmException,
>                    CertificateException, KeyStoreException, UnrecoverableKeyException
>     {
>         X509TrustManager[] tmm;
>         X509KeyManager[] kmm;
>         KeyStore ks = KeyStore.getInstance(instance);
>         ks.load(pathToCert, passwordFromCert.toCharArray());
>         tmm = tm(ks);
>         kmm = km(ks, passwordFromCert);
>         SSLContext ctx = SSLContext.getInstance(type.getType());
>         ctx.init(kmm, tmm, null);
>         SSLServerSocketFactory socketFactory = (SSLServerSocketFactory) ctx.getServerSocketFactory();
>         SSLServerSocket ssocket = (SSLServerSocket) socketFactory.createServerSocket(port);
>         return ssocket;
>     }
>
> I'm using the cert at https://db2dom.com
>
> It's still a tenth of a second to process the request with this "hand
> rolled" method, but it's several orders of magnitude slower, and I'm
> trying to figure out why (I'm obsessive with response times).

So you have a hand-rolled TLS server (selected code above) and you are
comparing it to Tomcat?

It all depends upon what you are doing with that code above. Tomcat is
doing something like the above basically once and then re-using the same
Socket for a long time. Are you re-initializing your Socket for each
request perhaps?

Are you using exactly the same trust store and key store between your
hand-rolled code and Tomcat? The client is negotiating the exact same
cipher suite, etc.?

How many requests are you running your code through -- like after JVM
startup? Just one? Many? How many? Same questions for Tomcat.

It's always hard to set up a fair comparison, and you aren't giving us
very much information.

-chris

> On 3/28/22, Christopher Schultz wrote:
>> John,
>>
>> On 3/26/22 22:29, John Dale (DB2DOM) wrote:
>>> Can you help me understand why Tomcat's SSL handling is so much
>>> faster than hand rolling it on a regular socket?
>>
>> I think you'll need to define some terms.
>>
>> For example, what do you mean when you say "faster", and how are you
>> measuring that?
>>
>> What do you mean when you say "hand-rolling" your SSL and what is a
>> "regular socket"?
>>
>> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Question about ssl
Hello,

could you measure the time it takes to initialize all the keys and the
Key/TrustManagers by inserting some debug output?

I am not sure whether the certificate is checked for validity. This could
involve checking a revocation list, an OCSP call to an external server, ...

Greetings,
Thomas

> -----Original Message-----
> From: John Dale (DB2DOM)
> Sent: Thursday, 31 March 2022 16:50
> To: Tomcat Users List
> Subject: Re: Question about ssl
>
> Hi Chris;
>
> I'm measuring the time taken to process a request as reported by
> inspector-network in brave.
>
> SSL time to process through tomcat is 11ms.
>
> Same request for a smaller file using a java SSL socket is taking 50ms .. like
> this:
>
>     public static SSLServerSocket getServerSocketWithCert(int port, InputStream pathToCert,
>             String passwordFromCert, ServerSecureType type)
>             throws IOException, KeyManagementException, NoSuchAlgorithmException,
>                    CertificateException, KeyStoreException, UnrecoverableKeyException
>     {
>         X509TrustManager[] tmm;
>         X509KeyManager[] kmm;
>         KeyStore ks = KeyStore.getInstance(instance);
>         ks.load(pathToCert, passwordFromCert.toCharArray());
>         tmm = tm(ks);
>         kmm = km(ks, passwordFromCert);
>         SSLContext ctx = SSLContext.getInstance(type.getType());
>         ctx.init(kmm, tmm, null);
>         SSLServerSocketFactory socketFactory = (SSLServerSocketFactory) ctx.getServerSocketFactory();
>         SSLServerSocket ssocket = (SSLServerSocket) socketFactory.createServerSocket(port);
>         return ssocket;
>     }
>
> I'm using the cert at https://db2dom.com
>
> It's still a tenth of a second to process the request with this "hand rolled"
> method, but it's several orders of magnitude slower, and I'm trying to figure
> out why (I'm obsessive with response times).
>
> Sincerely,
>
> John
>
> On 3/28/22, Christopher Schultz wrote:
>> John,
>>
>> On 3/26/22 22:29, John Dale (DB2DOM) wrote:
>>> Can you help me understand why Tomcat's SSL handling is so much
>>> faster than hand rolling it on a regular socket?
>>
>> I think you'll need to define some terms.
>>
>> For example, what do you mean when you say "faster", and how are you
>> measuring that?
>>
>> What do you mean when you say "hand-rolling" your SSL and what is a
>> "regular socket"?
>>
>> -chris
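Chris's question above (is the SSLContext built once and reused, or rebuilt per request?) and Thomas's suggestion (time the keystore and Key/TrustManager initialisation separately) can both be answered with the following program. It is an added example, not code from the thread or from Tomcat. It assumes a PKCS12 keystore path, its password and a listening port are given on the command line; the class name TimedTlsServer and the methods buildContext and serve are my own names.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not code from the thread or from Tomcat): time each stage of
 * TLS server setup separately, then reuse one SSLContext and one
 * SSLServerSocket for every connection, timing only the handshake per request.
 *
 * Assumed usage: java TimedTlsServer <keystore.p12> <password> <port>
 */
public class TimedTlsServer {

    /** Load the keystore and build the SSLContext, reporting how long each stage takes. */
    static SSLContext buildContext(String keystorePath, char[] password) throws Exception {
        long t0 = System.nanoTime();
        KeyStore ks = KeyStore.getInstance("PKCS12");            // assumption: PKCS12 keystore
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        long t1 = System.nanoTime();

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        long t2 = System.nanoTime();

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        long t3 = System.nanoTime();

        System.out.printf("one-off: keystore load %d ms, key/trust managers %d ms, SSLContext init %d ms%n",
                (t1 - t0) / 1_000_000, (t2 - t1) / 1_000_000, (t3 - t2) / 1_000_000);
        return ctx;
    }

    /** Serve one connection: time the handshake, consume the request headers, send a fixed reply. */
    static void serve(SSLSocket s) throws IOException {
        long h0 = System.nanoTime();
        s.startHandshake();                                      // the only TLS cost that should recur
        long h1 = System.nanoTime();
        System.out.printf("per-request: handshake %d ms, %s, %s%n",
                (h1 - h0) / 1_000_000,
                s.getSession().getProtocol(), s.getSession().getCipherSuite());

        BufferedReader in = new BufferedReader(
                new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
        String line;
        while ((line = in.readLine()) != null && !line.isEmpty()) {
            // request line and headers are read and discarded
        }
        byte[] body = "ok\n".getBytes(StandardCharsets.US_ASCII);
        String head = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: "
                + body.length + "\r\nConnection: close\r\n\r\n";
        try (OutputStream out = s.getOutputStream()) {
            out.write(head.getBytes(StandardCharsets.US_ASCII));
            out.write(body);
        }
    }

    public static void main(String[] args) throws Exception {
        String keystorePath = args[0];
        char[] password = args[1].toCharArray();
        int port = Integer.parseInt(args[2]);

        // Built once, outside the accept loop. Rebuilding it per request would add the
        // one-off costs above to every response, which is what Chris asks about.
        SSLContext ctx = buildContext(keystorePath, password);
        try (SSLServerSocket server =
                     (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port)) {
            System.out.println("listening on port " + port);
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    serve(client);
                } catch (IOException e) {
                    System.err.println("connection failed: " + e);
                }
            }
        }
    }
}
```

Pointing a browser at the port separates the one-off cost (printed once at startup) from the per-connection cost (printed for every accepted socket). If a hand-rolled server rebuilds the keystore, managers and context inside its accept loop, the three one-off numbers are paid on every request, which is the difference Chris is asking about; the per-request line also prints the negotiated protocol and cipher suite so they can be compared with what the same client negotiates against Tomcat.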
Re: Question about ssl
Hi Chris;

I'm measuring the time taken to process a request as reported by
inspector-network in brave.

SSL time to process through tomcat is 11ms.

Same request for a smaller file using a java SSL socket is taking 50ms .. like this:

    public static SSLServerSocket getServerSocketWithCert(int port, InputStream pathToCert,
            String passwordFromCert, ServerSecureType type)
            throws IOException, KeyManagementException, NoSuchAlgorithmException,
                   CertificateException, KeyStoreException, UnrecoverableKeyException
    {
        X509TrustManager[] tmm;
        X509KeyManager[] kmm;
        // instance, tm() and km() are helpers of the poster that are not shown in the message
        KeyStore ks = KeyStore.getInstance(instance);
        ks.load(pathToCert, passwordFromCert.toCharArray());
        tmm = tm(ks);
        kmm = km(ks, passwordFromCert);
        SSLContext ctx = SSLContext.getInstance(type.getType());
        ctx.init(kmm, tmm, null);
        SSLServerSocketFactory socketFactory = (SSLServerSocketFactory) ctx.getServerSocketFactory();
        SSLServerSocket ssocket = (SSLServerSocket) socketFactory.createServerSocket(port);
        return ssocket;
    }

I'm using the cert at https://db2dom.com

It's still a tenth of a second to process the request with this "hand
rolled" method, but it's several orders of magnitude slower, and I'm
trying to figure out why (I'm obsessive with response times).

Sincerely,

John

On 3/28/22, Christopher Schultz wrote:
> John,
>
> On 3/26/22 22:29, John Dale (DB2DOM) wrote:
>> Can you help me understand why Tomcat's SSL handling is so much faster
>> than hand rolling it on a regular socket?
>
> I think you'll need to define some terms.
>
> For example, what do you mean when you say "faster", and how are you
> measuring that?
>
> What do you mean when you say "hand-rolling" your SSL and what is a
> "regular socket"?
>
> -chris
Re: Question about ssl
John,

On 3/26/22 22:29, John Dale (DB2DOM) wrote:
> Can you help me understand why Tomcat's SSL handling is so much faster
> than hand rolling it on a regular socket?

I think you'll need to define some terms.

For example, what do you mean when you say "faster", and how are you
measuring that?

What do you mean when you say "hand-rolling" your SSL and what is a
"regular socket"?

-chris
Question about ssl
Greetings;

Can you help me understand why Tomcat's SSL handling is so much faster
than hand rolling it on a regular socket?

Sincerely,

John
RE: Question about SSL
> From: Caldarale, Charles R [chuck.caldar...@unisys.com]
> Subject: RE: Question about SSL
>
>> In windows, the service account shows up as: .\tomcat_user
>> I have that service set to start manually.
>
> If you used the tomcat6w.exe program to set the service's logon account,
> that may have been ignored, at least on some versions of Windows. I have
> to change it with the Services console snap-in.
>
> Regardless, I wouldn't count on Windows getting the home directory right
> when running as a service.

Chuck, you were probably right about Windows not getting the home
directory right.

Success!

When I got home, I fired up VMWare and started a Windows Server 2003 R2
SP2 vm, updated 34 hotfixes (I haven't turned this vm on in a while),
downloaded tomcat 6.0.24, left the default keystore password, and this
time moved the .keystore file to c:\.keystore. I changed the SSL port
from 8443 to 443. IIS was never installed on this server.

When I started tomcat, the logs told me everything I needed to know. The
logs showed the following error:

    java.io.FileNotFoundException: {some-directory}/{some-file} not found

I don't know why I wasn't seeing that error in the logs at work.

The windows tomcat_user account did not have access to the .keystore
file after moving it to the root of c:. I gave it full control and
restarted tomcat.

Now, using IE8 (I know, this is not comparing apples to apples):
https://localhost:443

The "There is a problem with this website's security certificate" page
appears. I continue to this website, and the Tomcat default webapp
appears with https.

I did go back and edit server.xml for port 8443 and tried it again.
Still works using 8443!

I think it all boiled down to being able to access the .keystore file.

Thank you everyone for helping me with this.
RE: Question about SSL
> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
> Subject: RE: Question about SSL
>
> In windows, the service account shows up as: .\tomcat_user
> I have that service set to start manually.

If you used the tomcat6w.exe program to set the service's logon account,
that may have been ignored, at least on some versions of Windows. I have
to change it with the Services console snap-in.

Regardless, I wouldn't count on Windows getting the home directory right
when running as a service.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.
RE: Question about SSL
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Question about SSL
>
> Could you provide a reference for this? I'd like to read more about
> MSIE and SSL problems.

http://www-01.ibm.com/support/docview.wss?uid=swg1PK37731
http://www.servlets.com/archive/servlet/ReadMsg?msgId=538662&listName=jetty-discuss
http://forum.springsource.org/archive/index.php/t-23941.html

etc.

 - Chuck
RE: Question about SSL
> From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
> Subject: RE: Question about SSL
>
>> keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\Documents and
>> Settings\tomcat_user\.keystore"
>
> Is Tomcat actually running under the tomcat_user account?

Yes.

> I'd recommend that you place the .keystore file in a fixed location and
> configure that in Tomcat so that you're not subject to the whims of Windows
> deciding what your home directory happens to be at any given instant.

Alright, I'll try it.

>> Is the ${user.home} syntax literal or does it use the path shown in
>> the java command?
>
> The XML parser in Tomcat will substitute the value of the Java system
> property user.home for the reference. What user.home gets set to depends on
> how you start Tomcat and the version of Windows you're running.

We're on Windows 2003 R2 SP2

Tomcat is installed as a service from the zip file, running under local
windows account: tomcat_user

In windows, the service account shows up as: .\tomcat_user
I have that service set to start manually.

I've also stopped the IIS Admin service, WWW Web, and the HTTP SSL that
are all part of IIS. No changes, the page just tries to load
Re: Question about SSL
Chuck,

On 2/24/2010 5:00 PM, Caldarale, Charles R wrote:
>> From: Propes, Barry L [mailto:barry.l.pro...@citi.com]
>> Subject: RE: Question about SSL
>>
>> I feel his pain. We're still on IE6. : (
>
> Also note that IE6 has serious problems doing SSL over anything other
> than port 443. (Another example of Microsoft thinking it knows
> better than you do.)

Could you provide a reference for this? I'd like to read more about
MSIE and SSL problems.

Thanks,
-chris
RE: Question about SSL
> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
> Subject: RE: Question about SSL
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\Documents and
> Settings\tomcat_user\.keystore"

Is Tomcat actually running under the tomcat_user account?

I'd recommend that you place the .keystore file in a fixed location and
configure that in Tomcat so that you're not subject to the whims of
Windows deciding what your home directory happens to be at any given
instant.

> Is the ${user.home} syntax literal or does it use the path shown in the
> java command?

The XML parser in Tomcat will substitute the value of the Java system
property user.home for the reference. What user.home gets set to depends
on how you start Tomcat and the version of Windows you're running.

 - Chuck
RE: Question about SSL
> From: Propes, Barry L [mailto:barry.l.pro...@citi.com]
> Subject: RE: Question about SSL
>
> I feel his pain. We're still on IE6. : (

Also note that IE6 has serious problems doing SSL over anything other
than port 443. (Another example of Microsoft thinking it knows better
than you do.)

 - Chuck
RE: Question about SSL
This is the command I issued:

    keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\Documents and Settings\tomcat_user\.keystore"

I noticed that java 1.6.0.14 doesn't have this "-genkey" argument, it
has "-genkeypair". Is that a problem?

Server.xml:

Is the ${user.home} syntax literal or does it use the path shown in the
java command?

We have wireshark, I'll get my sysadmin to run it.

I did uncheck the show friendly HTTP errors. I'll let you know when the
page dies, it takes a long time to get anything back.

I appreciate all the feedback.

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Wednesday, February 24, 2010 2:22 PM
To: Tomcat Users List
Subject: Re: Question about SSL

Leo Donahue - PLANDEVX wrote:
> https://localhost:8443
>
> Using IE6, I get a message saying you are about to view a page over a
> secure connection, but the page never loads. No errors in the logs.
> The ROOT webapp is still there, no lock icon in the browser.
>
> IE6 status bar just says: "Opening page https://localhost:8443/..."
>
> And eventually, IE6 responds with "The page cannot be displayed".
>
Maybe you should read this :
http://www.bbc.co.uk/blogs/thereporters/maggieshiels/2010/02/last_rites_for_microsofts_most.html
(and I totally agree with the author, that its demise will be feted by
developers worldwide)

More seriously : IE6 has (had ?) this feature called "friendly error
messages" which basically hides what the server is really saying, and
displays an internal and useless error page instead, always the same.
You can turn it off, somewhere in the preferences.

Better : there exists an IE add-on, called Fiddler2, which does about
the same as similar add-ons for Firefox like HttpFox e.g. It allows you
to /really/ see what the browser is sending, and what it receives from
the server.

Better yet : use Firefox with the HttpFox add-on.

And the ultimate, but not for the faint-hearted : you can use a program
like Wireshark to grab and memorise and see absolutely every TCP/IP
packet circulating on the wire, even the ones you never wanted to know
about.

All of that does not solve your problem, but at least it should give you
an idea of what is really going on.
RE: Question about SSL
I feel his pain. We're still on IE6. : (

But yes, like Andre says, go to Tools | Options or Internet Options |
Advanced and uncheck the "Show friendly HTTP error messages" box.

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Wednesday, February 24, 2010 3:22 PM
To: Tomcat Users List
Subject: Re: Question about SSL

Leo Donahue - PLANDEVX wrote:
> https://localhost:8443
>
> Using IE6, I get a message saying you are about to view a page over a
> secure connection, but the page never loads. No errors in the logs.
> The ROOT webapp is still there, no lock icon in the browser.
>
> IE6 status bar just says: "Opening page https://localhost:8443/..."
>
> And eventually, IE6 responds with "The page cannot be displayed".
>
Maybe you should read this :
http://www.bbc.co.uk/blogs/thereporters/maggieshiels/2010/02/last_rites_for_microsofts_most.html
(and I totally agree with the author, that its demise will be feted by
developers worldwide)

More seriously : IE6 has (had ?) this feature called "friendly error
messages" which basically hides what the server is really saying, and
displays an internal and useless error page instead, always the same.
You can turn it off, somewhere in the preferences.

Better : there exists an IE add-on, called Fiddler2, which does about
the same as similar add-ons for Firefox like HttpFox e.g. It allows you
to /really/ see what the browser is sending, and what it receives from
the server.

Better yet : use Firefox with the HttpFox add-on.

And the ultimate, but not for the faint-hearted : you can use a program
like Wireshark to grab and memorise and see absolutely every TCP/IP
packet circulating on the wire, even the ones you never wanted to know
about.

All of that does not solve your problem, but at least it should give you
an idea of what is really going on.
Re: Question about SSL
Leo Donahue - PLANDEVX wrote:
> https://localhost:8443
>
> Using IE6, I get a message saying you are about to view a page over a
> secure connection, but the page never loads. No errors in the logs.
> The ROOT webapp is still there, no lock icon in the browser.
>
> IE6 status bar just says: "Opening page https://localhost:8443/..."
>
> And eventually, IE6 responds with "The page cannot be displayed".
>
Maybe you should read this :
http://www.bbc.co.uk/blogs/thereporters/maggieshiels/2010/02/last_rites_for_microsofts_most.html
(and I totally agree with the author, that its demise will be feted by
developers worldwide)

More seriously : IE6 has (had ?) this feature called "friendly error
messages" which basically hides what the server is really saying, and
displays an internal and useless error page instead, always the same.
You can turn it off, somewhere in the preferences.

Better : there exists an IE add-on, called Fiddler2, which does about
the same as similar add-ons for Firefox like HttpFox e.g. It allows you
to /really/ see what the browser is sending, and what it receives from
the server.

Better yet : use Firefox with the HttpFox add-on.

And the ultimate, but not for the faint-hearted : you can use a program
like Wireshark to grab and memorise and see absolutely every TCP/IP
packet circulating on the wire, even the ones you never wanted to know
about.

All of that does not solve your problem, but at least it should give you
an idea of what is really going on.
RE: Question about SSL
https://localhost:8443

Using IE6, I get a message saying you are about to view a page over a
secure connection, but the page never loads. No errors in the logs. The
ROOT webapp is still there, no lock icon in the browser.

IE6 status bar just says: "Opening page https://localhost:8443/..."

And eventually, IE6 responds with "The page cannot be displayed".

-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Wednesday, February 24, 2010 12:46 PM
To: Tomcat Users List
Subject: RE: Question about SSL

> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
> Subject: RE: Question about SSL
>
> Generating the .keystore is not tied to the user issuing the java
> command is it?

No.

> Can I move the .keystore file to home directory of the account tomcat
> is running under

You can place the .keystore file anywhere you want, as long as you
configure Tomcat to know where it is.

 - Chuck
RE: Question about SSL
> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
> Subject: RE: Question about SSL
>
> Generating the .keystore is not tied to the user issuing the java
> command is it?

No.

> Can I move the .keystore file to home directory of the
> account tomcat is running under

You can place the .keystore file anywhere you want, as long as you
configure Tomcat to know where it is.

 - Chuck
RE: Question about SSL
Generating the .keystore is not tied to the user issuing the java
command is it?

Can I move the .keystore file to home directory of the account tomcat is
running under, or do I have to log in as that tomcat account and issue
the java command?

-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Wednesday, February 24, 2010 12:12 PM
To: Tomcat Users List
Subject: RE: Question about SSL

> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
> Subject: RE: Question about SSL
>
> The docs say you can change the location of the .keystore file. Where
> "should" it go?

Wherever the administrative policies of the site say it should go.

> The docs show server.xml has it here:
> keystoreFile="${user.home}/.keystore"
> That would be the root directory where tomcat is installed?

No, that's the home directory of whatever userid Tomcat is running under.

 - Chuck
RE: Question about SSL
> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
> Subject: RE: Question about SSL
>
> The docs say you can change the location of the .keystore file. Where
> "should" it go?

Wherever the administrative policies of the site say it should go.

> The docs show server.xml has it here:
> keystoreFile="${user.home}/.keystore"
> That would be the root directory where tomcat is installed?

No, that's the home directory of whatever userid Tomcat is running under.

 - Chuck
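As an added check (example code, not Tomcat's own implementation): a small preflight that expands `${...}` references in a keystoreFile value against the Java system properties, roughly the way Chuck describes Tomcat's XML parser substituting user.home, and then tests whether the account running the JVM can open and load that file. Run as the Tomcat service account, it prints which user.home was used and whether the file is readable, which is the access problem Leo eventually found in the Tomcat logs. The class name KeystorePreflight, its methods, and the default path and password are my own assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Enumeration;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not from the list post, not Tomcat's code): resolve a
 * keystoreFile value the way the thread describes (${prop} replaced by the
 * Java system property of that name) and verify that the account running the
 * JVM can actually open and load the keystore before Tomcat is started.
 *
 * Assumed usage: java KeystorePreflight "${user.home}/.keystore" changeit
 */
public class KeystorePreflight {

    private static final Pattern PROP = Pattern.compile("\\$\\{([^}]+)\\}");

    /** Replace every ${name} with System.getProperty(name); unknown names are left untouched. */
    static String expand(String value) {
        Matcher m = PROP.matcher(value);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String prop = System.getProperty(m.group(1));
            m.appendReplacement(sb, Matcher.quoteReplacement(prop != null ? prop : m.group(0)));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    /** Report the effective user, the resolved path, and whether the keystore can be read and loaded. */
    static boolean check(String keystoreFile, char[] password) {
        Path p = Paths.get(expand(keystoreFile));
        System.out.println("running as user.name=" + System.getProperty("user.name")
                + ", user.home=" + System.getProperty("user.home"));
        System.out.println("keystoreFile " + keystoreFile + " -> " + p.toAbsolutePath());

        if (!Files.exists(p)) {
            System.out.println("FAIL: file does not exist (Tomcat would log a FileNotFoundException)");
            return false;
        }
        if (!Files.isReadable(p)) {
            System.out.println("FAIL: file exists but this account cannot read it (check its ACL)");
            return false;
        }
        try (InputStream in = new FileInputStream(p.toFile())) {
            // default type: jks on older JDKs, pkcs12 on newer ones; modern JDKs read both formats
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password);
            System.out.println("OK: loaded keystore with " + ks.size() + " entries:");
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                System.out.println("  alias " + e.nextElement());
            }
            return true;
        } catch (Exception e) {
            // wrong password, corrupt file, or a read failure that isReadable() did not predict
            System.out.println("FAIL: keystore could not be loaded: " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        String file = args.length > 0 ? args[0] : "${user.home}/.keystore";   // illustrative default
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();    // keytool's default
        System.exit(check(file, pw) ? 0 : 1);
    }
}
```

The value printed for user.home is the one that matters: when Tomcat runs as a Windows service the property may not resolve to the directory where keytool wrote the file, which is why a fixed, absolute keystoreFile path plus read access for the service account is the more predictable setup.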
RE: Question about SSL
The docs say you can change the location of the .keystore file. Where
"should" it go?

The docs show server.xml has it here:
keystoreFile="${user.home}/.keystore"
That would be the root directory where tomcat is installed?

-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Wednesday, February 24, 2010 8:44 AM
To: Tomcat Users List
Subject: RE: Question about SSL

> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Question about SSL
>
> 1. Request protected resource, non-CONFIDENTIAL
> 2. Tomcat responds with login page, login page is configured as
>    CONFIDENTIAL

I can't remember if that works; it would only be useful if the resumed
request stayed with HTTPS. I've never found a case where encrypting the
login without encrypting the protected resource makes any sense.

> In this case, is the user redirected to the login page using SSL?

My recollection is that the login page is SSL, and the cookie is secure,
but I'd have to double-check. We've managed to convince people that a
secure login for unsecure resources is pretty much pointless.

 - Chuck
RE: Question about SSL
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Question about SSL
>
> 1. Request protected resource, non-CONFIDENTIAL
> 2. Tomcat responds with login page, login page is configured as
>    CONFIDENTIAL

I can't remember if that works; it would only be useful if the resumed
request stayed with HTTPS. I've never found a case where encrypting the
login without encrypting the protected resource makes any sense.

> In this case, is the user redirected to the login page using SSL?

My recollection is that the login page is SSL, and the cookie is secure,
but I'd have to double-check. We've managed to convince people that a
secure login for unsecure resources is pretty much pointless.

 - Chuck
Re: Question about SSL
Leo,

On 2/23/2010 6:18 PM, Leo Donahue - PLANDEVX wrote:
> My sysadmin suggested we disable IIS and let Tomcat handle the SSL
> certificates, since it seems easier to implement.

Removing unnecessary complexity is always a good idea.

-chris
Re: Question about SSL
Chuck,

On 2/23/2010 5:18 PM, Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Subject: Re: Question about SSL
>>
>> 1. doesn't apply (I think) to the login page that
>> Tomcat serves, even if you set it.
>
> If the requested resource is covered by the security constraint that
> includes the of CONFIDENTIAL, the login page will
> be protected. The redirect to the SSL port happens before the login.

Good to know. I'd have to check the behavior of:

1. Request protected resource, non-CONFIDENTIAL
2. Tomcat responds with login page, login page is configured as
   CONFIDENTIAL

In this case, is the user redirected to the login page using SSL? Is
the (potentially newly-created) JSESSIONID cookie set to secure or not?
I'm not currently using Tomcat-based auth, and I'm too lazy to test
right now: do you know off the top of your head?

>> That last one can be a real PITA: if you're looking for secure-auth
>> /only/, then you'll have to design your pages to ensure that your
>> cookies are always in non-secure-mode but that j_security_check does
>> get sent over HTTPS.
>
> And, as we keep trying to drum into people, having an encrypted login
> but unencrypted pages serves little purpose, since the now trusted
> jsessionid is visible to anyone who can see the traffic - such as
> your neighbor on your cable-based ISP.

Actually, I disagree with your conclusion, here. If you have a trivial
and/or not-particularly-sensitive webapp that requires a login, using
SSL for the credentialing process isn't a bad idea: people tend to use
the same password all over the place. If someone can sniff your
JSESSIONID, yes, they can steal your session and maybe steal all your
favorite kitten memorabilia. On the other hand, if they sniff your
username and password, they might be able to get into your online
banking system.

-chris
RE: Question about SSL
Thank you both for the feedback. Much appreciated.

In my case, I am enabling SSL for a webservice that issues tokens when users connect to a secure GIS web service over http from a web client. The end user loads a page that contains a JavaScript URL with a supplied token to a secure GIS web service. End users consuming the web service via a webpage are not required to "log in". I use the Token service from the local server behind our firewall to generate the token that is embedded in the JavaScript webapp that the WWW users see. It can be restricted via the HTTP Referer or an IP address.

However, end users (within our local network) who connect to my secured web service using a desktop client are required to supply a http URL to the web service with a username and password in a dialogue. The desktop client makes the request to the Token service but requires that service to be running in SSL.

For anyone interested: http://webhelp.esri.com/arcgisserver/9.3.1/java/token_service.htm "Secure Connection (HTTPS/SSL) required for Token Service"

My sysadmin suggested we disable IIS and let Tomcat handle the SSL certificates, since it seems easier to implement.

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Tuesday, February 23, 2010 3:19 PM
To: Tomcat Users List
Subject: RE: Question about SSL

> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Question about SSL
>
> 1. <transport-guarantee> doesn't apply (I think) to the login page
> that Tomcat serves, even if you set it.

If the requested resource is covered by the security constraint that includes the <transport-guarantee> of CONFIDENTIAL, the login page will be protected. The redirect to the SSL port happens before the login.

> That last one can be a real PITA: if you're looking for secure-auth
> /only/, then you'll have to design your pages to ensure that your
> cookies are always in non-secure-mode but that j_security_check does
> get sent over HTTPS.

And, as we keep trying to drum into people, having an encrypted login but unencrypted pages serves little purpose, since the now trusted jsessionid is visible to anyone who can see the traffic - such as your neighbor on your cable-based ISP.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: Question about SSL
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Question about SSL
>
> 1. <transport-guarantee> doesn't apply (I think) to the login page that
> Tomcat serves, even if you set it.

If the requested resource is covered by the security constraint that includes the <transport-guarantee> of CONFIDENTIAL, the login page will be protected. The redirect to the SSL port happens before the login.

> That last one can be a real PITA: if you're looking for secure-auth
> /only/, then you'll have to design your pages to ensure that your
> cookies are always in non-secure-mode but that j_security_check does
> get sent over HTTPS.

And, as we keep trying to drum into people, having an encrypted login but unencrypted pages serves little purpose, since the now trusted jsessionid is visible to anyone who can see the traffic - such as your neighbor on your cable-based ISP.

- Chuck
Re: Question about SSL
Chuck and Leo,

On 2/23/2010 4:25 PM, Caldarale, Charles R wrote:
>> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
>> Subject: Question about SSL
>>
>> "...It is not strictly necessary to run an entire web application over
>> SSL, and indeed a developer can pick and choose which pages require a
>> secure connection and which do not."
>> Where do I configure this?
>
> Read section 12 of the servlet spec. You need to configure a
> <transport-guarantee> of CONFIDENTIAL for the desired URL pattern(s).
> This will cause requests over non-secure connections to be redirected to
> the secure port.

While it may seem like <transport-guarantee> will meet all your needs, we have a lot of folks asking questions on the list about secure-login, but non-secure access to the rest of the webapp. There are arguments both for and against this practice, but there are a couple of things to consider:

1. <transport-guarantee> doesn't apply (I think) to the login page that Tomcat serves, even if you set it. This is because Tomcat does an internal forward from the requested resource (say, /protected.jsp) to your login page.

2. Tomcat doesn't automatically use HTTPS for your call to j_security_check, so make sure that your login form /does/ use HTTPS in its URL.

3. If you are allowing clients to use cookies, you'll need to make sure that your JSESSIONID cookie is created in non-secure mode, otherwise you'll get a session assigned to you that is only accessible via HTTPS and you'll confuse the hell out of yourself trying to figure out why it's not working.

That last one can be a real PITA: if you're looking for secure-auth /only/, then you'll have to design your pages to ensure that your cookies are always in non-secure-mode but that j_security_check does get sent over HTTPS.

Hope that helps.

-chris
RE: Question about SSL
> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
> Subject: Question about SSL
>
> I need to implement SSL for Tomcat 6.0.24 on Windows 2003 Server R2 SP2
> that is already running IIS 6.0. Should I implement SSL using IIS or
> Tomcat?

Probably IIS, but I'm not very familiar with it. Some browsers (guess who?) get confused with SSL over a non-standard port, and IIS has probably already grabbed 443.

> When I enable SSL, this means that it is enabled for every webapp
> running under that Tomcat?

Enabled, but not forced; HTTPS normally uses port 443, regular HTTP port 80. If the client chooses to send the request to 443, it must use SSL.

> The user can choose the protocol for the
> URL even if it is not required?

Yes.

> "...It is not strictly necessary to run an entire web application over
> SSL, and indeed a developer can pick and choose which pages require a
> secure connection and which do not."
> Where do I configure this?

Read section 12 of the servlet spec. You need to configure a <transport-guarantee> of CONFIDENTIAL for the desired URL pattern(s). This will cause requests over non-secure connections to be redirected to the secure port.

- Chuck
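As an added example (my own, not code from this thread or from the Tomcat documentation), here is a Servlet 2.5 web.xml that applies Chuck's `<transport-guarantee>` answer above to Leo's "only one URL over https" case, and marks where the three gotchas Chris lists in his reply apply. The URL patterns /tokens/* and /admin/*, the `admin` role and the login page names are assumed for illustration; the redirect port it refers to is whatever `redirectPort` is set to on the plain HTTP connector in server.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Case 1 (Leo's need): force HTTPS for one URL pattern only, with no
       container-managed login. A user-data-constraint without an
       auth-constraint does exactly that: a plain-http request for /tokens/*
       is answered with a redirect to the HTTP connector's redirectPort, and
       the token service itself keeps checking the username/password the
       desktop client supplies. Every other URL in the webapp stays
       reachable over http. The path /tokens/* is assumed. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Token service</web-resource-name>
      <url-pattern>/tokens/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Case 2: container-managed FORM login. CONFIDENTIAL is put on the
       protected resources themselves, so the redirect to HTTPS happens
       before Tomcat forwards to the login page (Chuck's point). The login
       page, the POST to j_security_check and every later request to
       /admin/* then carry JSESSIONID only inside TLS. Path and role are
       assumed. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- Gotcha 2: Tomcat does not rewrite the form action. The form in
           login.jsp must post to j_security_check with a URL that is
           https if you want the credentials encrypted; with Case 2 the
           relative action "j_security_check" is already on https because
           the request that triggered the login was redirected first. -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <!-- The "secure login only" variant Chris describes would leave /admin/*
       without a user-data-constraint and put CONFIDENTIAL on /login.jsp
       alone. Two things then bite: a JSESSIONID created on the https
       request gets the Secure flag and is never sent back over http
       (gotcha 3, the "session that only works over HTTPS" confusion),
       and a JSESSIONID created on an http request travels in the clear
       after the login and can be replayed by anyone on the path
       (Chuck's objection). Neither is fixed by web.xml alone. -->
</web-app>
```

If the plain connector's `redirectPort` does not match the HTTPS connector's port, the CONFIDENTIAL redirect points at a port nothing listens on, which shows up as a connection error rather than a Tomcat error message; check that pairing first when "the redirect doesn't work".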
Question about SSL
I need to implement SSL for Tomcat 6.0.24 on Windows 2003 Server R2 SP2 that is already running IIS 6.0. Should I implement SSL using IIS or Tomcat? There are other webapps running under this Tomcat that do not require https.

Reading through the docs: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#Configuration

The process seems easy enough. Generate a keystore and uncomment the SSL connector in server.xml, changing the default password, and pointing the keystore path correctly. I do not have the Tomcat native library installed, so JSSE applies for me.

"...Any page within an application can be requested over a secure socket by simply prefixing the address with https: instead of http:."

When I enable SSL, this means that it is enabled for every webapp running under that Tomcat? The user can choose the protocol for the URL even if it is not required?

"...It is not strictly necessary to run an entire web application over SSL, and indeed a developer can pick and choose which pages require a secure connection and which do not."

Where do I configure this? I only need one URL to be available via https:

Leo Donahue
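The server.xml side of the procedure Leo describes, as an added example (mine, not text from the Tomcat ssl-howto): a JSSE HTTPS connector for Tomcat 6 next to the plain HTTP connector, with the attributes that tie the two to the `<transport-guarantee>` redirect and to the session cookie's Secure flag. Port 8443 and the keystore file name conf/tomcat.jks are assumptions; 8443 is chosen because IIS is expected to hold 443 on Leo's box, with Chuck's warning about browsers and non-standard SSL ports in mind.

```xml
<!-- Fragment of conf/server.xml for Tomcat 6.0.x using JSSE (no tcnative).
     Only the two Connector elements are shown; they sit inside the
     <Service name="Catalina"> element together with the Engine that is
     left out here. Port numbers and keystore name are assumed. -->
<Service name="Catalina">

  <!-- Plain HTTP. redirectPort MUST equal the port of the SSL connector
       below: when a request hits a url-pattern whose transport-guarantee
       is CONFIDENTIAL, this is the port Tomcat redirects the client to.
       Leaving the stock value in place while the SSL connector runs on a
       different port produces a redirect to a closed port. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />

  <!-- HTTPS via JSSE. scheme="https" and secure="true" make
       request.isSecure() true, which is what makes Tomcat mark a
       JSESSIONID created on this connector as Secure (the behaviour
       behind Chris's gotcha 3), so do not drop them.
       keystoreFile/keystorePass must match the keystore keytool produced;
       replace the placeholder password, and restrict read access to
       server.xml because the password sits in it in clear text. -->
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="${catalina.base}/conf/tomcat.jks"
             keystorePass="REPLACE_WITH_KEYSTORE_PASSWORD" />

</Service>
```

The keystore is created first with `keytool -genkey -alias tomcat -keyalg RSA -keystore conf/tomcat.jks`, and the password entered there is the one that goes into `keystorePass` (set the connector's `keyAlias` attribute if you pick an alias other than tomcat). As Chuck says, enabling this connector only makes every webapp on the instance reachable over https; forcing https for one URL is done per webapp in its web.xml.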