Re: Question about ssl

2022-03-31 Thread Christopher Schultz

John,

On 3/31/22 10:50, John Dale (DB2DOM) wrote:

> Hi Chris;
>
> I'm measuring the time taken to process a request as reported by
> inspector-network in brave.
>
> SSL time to process through tomcat is 11ms.
>
> Same request for a smaller file using a java SSL socket is taking 50ms
> .. like this:
>
> public static SSLServerSocket getServerSocketWithCert(int port,
>         InputStream pathToCert, String passwordFromCert,
>         ServerSecureType type) throws IOException,
>         KeyManagementException, NoSuchAlgorithmException,
>         CertificateException, KeyStoreException,
>         UnrecoverableKeyException
> {
>     X509TrustManager[] tmm;
>     X509KeyManager[] kmm;
>     KeyStore ks = KeyStore.getInstance(instance);
>     ks.load(pathToCert, passwordFromCert.toCharArray());
>     tmm = tm(ks);
>     kmm = km(ks, passwordFromCert);
>     SSLContext ctx = SSLContext.getInstance(type.getType());
>     ctx.init(kmm, tmm, null);
>     SSLServerSocketFactory socketFactory =
>         (SSLServerSocketFactory) ctx.getServerSocketFactory();
>     SSLServerSocket ssocket = (SSLServerSocket)
>         socketFactory.createServerSocket(port);
>     return ssocket;
> }
>
> I'm using the cert at https://db2dom.com
>
> It's still a tenth of a second to process the request with this "hand
> rolled" method, but it's several orders of magnitude slower, and I'm
> trying to figure out why (I'm obsessive with response times).


So you have a hand-rolled TLS server (selected code above) and you are 
comparing it to Tomcat?


It all depends upon what you are doing with that code above. Tomcat is 
doing something like the above basically once and then re-using the same 
Socket for a long time. Are you re-initializing your Socket for each 
request perhaps?


Are you using exactly the same trust store and key store between your 
hand-rolled code and Tomcat? The client is negotiating the exact same 
cipher suite, etc.?


How many requests are you running your code through -- like after JVM 
startup? Just one? Many? How many? Same questions for Tomcat.


It's always hard to set up a fair comparison, and you aren't giving us 
very much information.


-chris


On 3/28/22, Christopher Schultz  wrote:
> John,
>
> On 3/26/22 22:29, John Dale (DB2DOM) wrote:
>> Can you help me understand why Tomcat's SSL handling is so much faster
>> than hand rolling it on a regular socket?
>
> I think you'll need to define some terms.
>
> For example, what do you mean when you say "faster", and how are you
> measuring that?
>
> What do you mean when you say "hand-rolling" your SSL and what is a
> "regular socket"?
>
> -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







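Chris's two questions above (is the setup being repeated per request, and is the client negotiating the same protocol and cipher suite?) can be answered with a small server in which the keystore parsing and SSLContext.init() happen exactly once and each accepted connection pays only for its own handshake, which is timed separately. This is an added example and not the poster's code or anything from Tomcat; it assumes a PKCS12 keystore at args[0] protected by the password in args[1], and listens on port 8443.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not the poster's code. The keystore is parsed, the key and
 * trust managers are built and SSLContext.init() is called once; afterwards
 * every accepted connection does only its own handshake, which is timed so
 * the one-time cost and the per-connection cost can be told apart.
 * Assumed (hypothetical): PKCS12 keystore at args[0], password args[1].
 */
public final class ReusedTlsServer {

    /** One-time setup. This is the part that must not run per request. */
    static SSLContext buildContextOnce(String keystorePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Per-connection work: handshake, then a fixed HTTP response. Returns the
     * handshake time in nanoseconds and prints the negotiated protocol and
     * cipher suite so a run can be compared like for like with Tomcat.
     */
    static long handshakeAndRespond(SSLSocket socket) throws IOException {
        try {
            long start = System.nanoTime();
            socket.startHandshake();
            long handshakeNanos = System.nanoTime() - start;
            SSLSession session = socket.getSession();
            System.out.printf("handshake %.2f ms, %s, %s%n", handshakeNanos / 1e6,
                    session.getProtocol(), session.getCipherSuite());
            byte[] response = ("HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                    + "Connection: close\r\n\r\nok").getBytes(StandardCharsets.US_ASCII);
            socket.getOutputStream().write(response);
            socket.getOutputStream().flush();
            return handshakeNanos;
        } finally {
            socket.close();
        }
    }

    public static void main(String[] args) throws Exception {
        long t0 = System.nanoTime();
        SSLContext ctx = buildContextOnce(args[0], args[1].toCharArray());
        System.out.printf("context initialised in %.2f ms (paid once, not per request)%n",
                (System.nanoTime() - t0) / 1e6);

        ExecutorService pool = Executors.newFixedThreadPool(8);
        try (SSLServerSocket server = (SSLServerSocket)
                ctx.getServerSocketFactory().createServerSocket(8443)) {
            while (true) {
                SSLSocket client = (SSLSocket) server.accept();
                pool.execute(() -> {
                    try {
                        handshakeAndRespond(client);
                    } catch (IOException e) {
                        System.err.println("connection failed: " + e);
                    }
                });
            }
        }
    }
}
```

Run it as `java ReusedTlsServer keystore.p12 password` and load https://localhost:8443/ several times: the first line shows the one-time context cost, each later line shows only the handshake, and the printed protocol and suite are what to compare against Tomcat's connector before reading anything into the millisecond figures.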



Re: Question about ssl

2022-03-31 Thread John Dale (DB2DOM)
Hi Chris;

I'm measuring the time taken to process a request as reported by
inspector-network in brave.

SSL time to process through tomcat is 11ms.

Same request for a smaller file using a java SSL socket is taking 50ms
.. like this:

import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;

// `instance` (the KeyStore type), the helpers tm(...) and km(...), and
// ServerSecureType are defined elsewhere in the poster's code and not shown.
public static SSLServerSocket getServerSocketWithCert(int port,
        InputStream pathToCert, String passwordFromCert,
        ServerSecureType type) throws IOException,
        KeyManagementException, NoSuchAlgorithmException,
        CertificateException, KeyStoreException,
        UnrecoverableKeyException
{
    X509TrustManager[] tmm;
    X509KeyManager[] kmm;
    // Keystore parsing, key/trust manager construction and SSLContext.init()
    // all happen on every call of this method.
    KeyStore ks = KeyStore.getInstance(instance);
    ks.load(pathToCert, passwordFromCert.toCharArray());
    tmm = tm(ks);
    kmm = km(ks, passwordFromCert);
    SSLContext ctx = SSLContext.getInstance(type.getType());
    ctx.init(kmm, tmm, null);
    SSLServerSocketFactory socketFactory =
        (SSLServerSocketFactory) ctx.getServerSocketFactory();
    SSLServerSocket ssocket = (SSLServerSocket)
        socketFactory.createServerSocket(port);
    return ssocket;
}

I'm using the cert at https://db2dom.com

It's still a tenth of a second to process the request with this "hand
rolled" method, but it's several orders of magnitude slower, and I'm
trying to figure out why (I'm obsessive with response times).

Sincerely,

John



On 3/28/22, Christopher Schultz  wrote:
> John,
>
> On 3/26/22 22:29, John Dale (DB2DOM) wrote:
>> Can you help me understand why Tomcat's SSL handling is so much faster
>> than hand rolling it on a regular socket?
>
> I think you'll need to define some terms.
>
> For example, what do you mean when you say "faster", and how are you
> measuring that?
>
> What do you mean when you say "hand-rolling" your SSL and what is a
> "regular socket"?
>
> -chris
>




Re: Question about ssl

2022-03-28 Thread Christopher Schultz

John,

On 3/26/22 22:29, John Dale (DB2DOM) wrote:

Can you help me understand why Tomcat's SSL handling is so much faster
than hand rolling it on a regular socket?


I think you'll need to define some terms.

For example, what do you mean when you say "faster", and how are you 
measuring that?


What do you mean when you say "hand-rolling" your SSL and what is a 
"regular socket"?


-chris




Re: Question about SSL

2010-02-24 Thread Christopher Schultz

Chuck,

On 2/23/2010 5:18 PM, Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Subject: Re: Question about SSL
>>
>> 1. transport-guarantee doesn't apply (I think) to the login page that
>> Tomcat serves, even if you set it.
>
> If the requested resource is covered by the security constraint that
> includes the transport-guarantee of CONFIDENTIAL, the login page will
> be protected. The redirect to the SSL port happens before the login.

Good to know. I'd have to check the behavior of:

1. Request protected resource, non-CONFIDENTIAL
2. Tomcat responds with login page, login page is configured as CONFIDENTIAL

In this case, is the user redirected to the login page using SSL? Is the
(potentially newly-created) JSESSIONID cookie set to secure or not? I'm
not currently using Tomcat-based auth, and I'm too lazy to test right
now: do you know off the top of your head?

>> That last one can be a real PITA: if you're looking for secure-auth
>> /only/, then you'll have to design your pages to ensure that your
>> cookies are always in non-secure-mode but that j_security_check does
>> get sent over HTTPS.
>
> And, as we keep trying to drum into people, having an encrypted login
> but unencrypted pages serves little purpose, since the now trusted
> jsessionid is visible to anyone who can see the traffic - such as
> your neighbor on your cable-based ISP.

Actually, I disagree with your conclusion, here. If you have a trivial
and/or not-particularly-sensitive webapp that requires a login, using
SSL for the credentialing process isn't a bad idea: people tend to use
the same password all over the place. If someone can sniff your
JSESSIONID, yes, they can steal your session and maybe steal all your
favorite kitten memorabilia. On the other hand, if they sniff your
username and password, they might be able to get into your online
banking system.

-chris




Re: Question about SSL

2010-02-24 Thread Christopher Schultz

Leo,

On 2/23/2010 6:18 PM, Leo Donahue - PLANDEVX wrote:
> My sysadmin suggested we disable IIS and let Tomcat handle the SSL
> certificates, since it seems easier to implement.

Removing unnecessary complexity is always a good idea.

-chris




RE: Question about SSL

2010-02-24 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Question about SSL
>
> 1. Request protected resource, non-CONFIDENTIAL
> 2. Tomcat responds with login page, login page is configured as
> CONFIDENTIAL

I can't remember if that works; it would only be useful if the resumed request 
stayed with HTTPS.  I've never found a case where encrypting the login without 
encrypting the protected resource makes any sense.

> In this case, is the user redirected to the login page using SSL?

My recollection is that the login page is SSL, and the cookie is secure, but 
I'd have to double-check.  We've managed to convince people that a secure login 
for unsecure resources is pretty much pointless.
 
 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.



RE: Question about SSL

2010-02-24 Thread Leo Donahue - PLANDEVX
The docs say you can change the location of the .keystore file.  Where should 
it go?

The docs show server.xml has it here:  keystoreFile=${user.home}/.keystore

That would be the root directory where tomcat is installed?  
 

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Wednesday, February 24, 2010 8:44 AM
To: Tomcat Users List
Subject: RE: Question about SSL

 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Subject: Re: Question about SSL
 
 1. Request protected resource, non-CONFIDENTIAL 2. Tomcat responds 
 with login page, login page is configured as CONFIDENTIAL

I can't remember if that works; it would only be useful if the resumed request 
stayed with HTTPS.  I've never found a case where encrypting the login without 
encrypting the protected resource makes any sense.

 In this case, is the user redirected to the login page using SSL?

My recollection is that the login page is SSL, and the cookie is secure, but 
I'd have to double-check.  We've managed to convince people that a secure login 
for unsecure resources is pretty much pointless.
 
 - Chuck







RE: Question about SSL

2010-02-24 Thread Caldarale, Charles R
> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
> Subject: RE: Question about SSL
>
> The docs say you can change the location of the .keystore file.  Where
> should it go?

Wherever the administrative policies of the site say it should go.

> The docs show server.xml has it here:
> keystoreFile=${user.home}/.keystore
> That would be the root directory where tomcat is installed?

No, that's the home directory of whatever userid Tomcat is running under.

 - Chuck







RE: Question about SSL

2010-02-24 Thread Leo Donahue - PLANDEVX
Generating the .keystore is not tied to the user issuing the java command is 
it?  Can I move the .keystore file to home directory of the account tomcat is 
running under, or do I have to log in as that tomcat account and issue the java 
command?

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Wednesday, February 24, 2010 12:12 PM
To: Tomcat Users List
Subject: RE: Question about SSL

 From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
 Subject: RE: Question about SSL
 
 The docs say you can change the location of the .keystore file.  Where 
 should it go?

Wherever the administrative policies of the site say it should go.

 The docs show server.xml has it here:
 keystoreFile=${user.home}/.keystore
 That would be the root directory where tomcat is installed?  

No, that's the home directory of whatever userid Tomcat is running under.

 - Chuck









RE: Question about SSL

2010-02-24 Thread Caldarale, Charles R
> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
> Subject: RE: Question about SSL
>
> Generating the .keystore is not tied to the user issuing the java
> command is it?

No.

> Can I move the .keystore file to home directory of the
> account tomcat is running under

You can place the .keystore file anywhere you want, as long as you configure 
Tomcat to know where it is.

 - Chuck








RE: Question about SSL

2010-02-24 Thread Leo Donahue - PLANDEVX
https://localhost:8443 

Using IE6, I get a message saying you are about to view a page over a secure 
connection, but the page never loads.  No errors in the logs.  The ROOT webapp 
is still there, no lock icon in the browser.

IE6 status bar just says: "Opening page https://localhost:8443/..."

And eventually, IE6 responds with "The page cannot be displayed."



-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Wednesday, February 24, 2010 12:46 PM
To: Tomcat Users List
Subject: RE: Question about SSL

 From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
 Subject: RE: Question about SSL
 
 Generating the .keystore is not tied to the user issuing the java 
 command is it?

No.

 Can I move the .keystore file to home directory of the account tomcat 
 is running under

You can place the .keystore file anywhere you want, as long as you configure 
Tomcat to know where it is.

 - Chuck










Re: Question about SSL

2010-02-24 Thread André Warnier

Leo Donahue - PLANDEVX wrote:
> https://localhost:8443
>
> Using IE6, I get a message saying you are about to view a page over a secure
> connection, but the page never loads.  No errors in the logs.  The ROOT webapp
> is still there, no lock icon in the browser.
>
> IE6 status bar just says: "Opening page https://localhost:8443/..."
>
> And eventually, IE6 responds with "The page cannot be displayed."



Maybe you should read this :
http://www.bbc.co.uk/blogs/thereporters/maggieshiels/2010/02/last_rites_for_microsofts_most.html
(and I totally agree with the author, that its demise will be feted by 
developers worldwide)


More seriously : IE6 has (had ?) this feature called friendly error 
messages which basically hides what the server is really saying, and 
displays an internal and useless error page instead, always the same.

You can turn it off, somewhere in the preferences.

Better : there exists an IE add-on, called Fiddler2, which does about 
the same as similar add-ons for Firefox like HttpFox e.g.
It allows you to /really/ see what the browser is sending, and what it 
receives from the server.


Better yet : use Firefox with the HttpFox add-on.

And the ultimate, but not for the faint-hearted : you can use a program 
like Wireshark to grab and memorise and see absolutely every TCP/IP 
packet circulating on the wire, even the ones you never wanted to know 
about.


All of that does not solve your problem, but at least it should give you 
an idea of what is really going on.






RE: Question about SSL

2010-02-24 Thread Propes, Barry L
I feel his pain. We're still on IE6. : (

But yes, like Andre says, go to Tools | Options or Internet Options | Advanced 
and uncheck the "Show friendly HTTP error messages" box.


-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: Wednesday, February 24, 2010 3:22 PM
To: Tomcat Users List
Subject: Re: Question about SSL

Leo Donahue - PLANDEVX wrote:
 https://localhost:8443
 
 Using IE6, I get a message saying you are about to view a page over a secure 
 connection, but the page never loads.  No errors in the logs.  The ROOT 
 webapp is still there, no lock icon in the browser.
 
 IE6 status bar just says: Opening page https://localhost:8443/...; 
 
 And eventually, IE6 responds with The page cannot be displayed.
 

Maybe you should read this :
http://www.bbc.co.uk/blogs/thereporters/maggieshiels/2010/02/last_rites_for_microsofts_most.html
(and I totally agree with the author, that its demise will be feted by 
developers worldwide)

More seriously : IE6 has (had ?) this feature called friendly error messages 
which basically hides what the server is really saying, and displays an 
internal and useless error page instead, always the same.
You can turn it off, somewhere in the preferences.

Better : there exists an IE add-on, called Fiddler2, which does about the same 
as similar add-ons for Firefox like HttpFox e.g.
It allows you to /really/ see what the browser is sending, and what it receives 
from the server.

Better yet : use Firefox with the HttpFox add-on.

And the ultimate, but not for the faint-hearted : you can use a program like 
Wireshark to grab and memorise and see absolutely every TCP/IP packet 
circulating on the wire, even the ones you never wanted to know about.

All of that does not solve your problem, but at least it should give you an 
idea of what is really going on.







RE: Question about SSL

2010-02-24 Thread Leo Donahue - PLANDEVX
This is the command I issued:
keytool -genkey -alias tomcat -keyalg RSA -keystore C:\Documents and 
Settings\tomcat_user\.keystore

I noticed that java 1.6.0.14 doesn't have this -genkey argument, it has 
-genkeypair.  Is that a problem?

Server.xml:
<Connector port="8443" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="${user.home}/.keystore"
           keystorePass="mycustompassword"
           clientAuth="false" sslProtocol="TLS" />

Is the ${user.home} syntax literal or does it use the path shown in the java 
command?

We have wireshark, I'll get my sysadmin to run it.

I did uncheck the show friendly HTTP errors.  I'll let you know when the page 
dies, it takes a long time to get anything back.

I appreciate all the feedback.


-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: Wednesday, February 24, 2010 2:22 PM
To: Tomcat Users List
Subject: Re: Question about SSL

Leo Donahue - PLANDEVX wrote:
 https://localhost:8443
 
 Using IE6, I get a message saying you are about to view a page over a secure 
 connection, but the page never loads.  No errors in the logs.  The ROOT 
 webapp is still there, no lock icon in the browser.
 
 IE6 status bar just says: Opening page https://localhost:8443/...; 
 
 And eventually, IE6 responds with The page cannot be displayed.
 

Maybe you should read this :
http://www.bbc.co.uk/blogs/thereporters/maggieshiels/2010/02/last_rites_for_microsofts_most.html
(and I totally agree with the author, that its demise will be feted by 
developers worldwide)

More seriously : IE6 has (had ?) this feature called friendly error messages 
which basically hides what the server is really saying, and displays an 
internal and useless error page instead, always the same.
You can turn it off, somewhere in the preferences.

Better : there exists an IE add-on, called Fiddler2, which does about the same 
as similar add-ons for Firefox like HttpFox e.g.
It allows you to /really/ see what the browser is sending, and what it receives 
from the server.

Better yet : use Firefox with the HttpFox add-on.

And the ultimate, but not for the faint-hearted : you can use a program like 
Wireshark to grab and memorise and see absolutely every TCP/IP packet 
circulating on the wire, even the ones you never wanted to know about.

All of that does not solve your problem, but at least it should give you an 
idea of what is really going on.







RE: Question about SSL

2010-02-24 Thread Caldarale, Charles R
> From: Propes, Barry L [mailto:barry.l.pro...@citi.com]
> Subject: RE: Question about SSL
>
> I feel his pain. We're still on IE6. : (

Also note that IE6 has serious problems doing SSL over anything other than port 
443.  (Another example of Microsoft thinking it knows better than you do.)

 - Chuck







RE: Question about SSL

2010-02-24 Thread Caldarale, Charles R
> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
> Subject: RE: Question about SSL
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore C:\Documents and
> Settings\tomcat_user\.keystore

Is Tomcat actually running under the tomcat_user account?

I'd recommend that you place the .keystore file in a fixed location and 
configure that in Tomcat so that you're not subject to the whims of Windows 
deciding what your home directory happens to be at any given instant.

> Is the ${user.home} syntax literal or does it use the path shown in the
> java command?

The XML parser in Tomcat will substitute the value of the Java system property 
user.home for the reference.  What user.home gets set to depends on how you 
start Tomcat and the version of Windows you're running.

 - Chuck







Re: Question about SSL

2010-02-24 Thread Christopher Schultz

Chuck,

On 2/24/2010 5:00 PM, Caldarale, Charles R wrote:
>> From: Propes, Barry L [mailto:barry.l.pro...@citi.com]
>> Subject: RE: Question about SSL
>>
>> I feel his pain. We're still on IE6. : (
>
> Also note that IE6 has serious problems doing SSL over anything other
> than port 443.  (Another example of Microsoft thinking it knows
> better than you do.)

Could you provide a reference for this? I'd like to read more about MSIE
and SSL problems.

Thanks,
-chris




RE: Question about SSL

2010-02-24 Thread Leo Donahue - PLANDEVX
> From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
> Subject: RE: Question about SSL
>
>> keytool -genkey -alias tomcat -keyalg RSA -keystore C:\Documents and
>> Settings\tomcat_user\.keystore
>
> Is Tomcat actually running under the tomcat_user account?

Yes.

> I'd recommend that you place the .keystore file in a fixed location and
> configure that in Tomcat so that you're not subject to the whims of Windows
> deciding what your home directory happens to be at any given instant.

Alright, I'll try it.

>> Is the ${user.home} syntax literal or does it use the path shown in
>> the java command?
>
> The XML parser in Tomcat will substitute the value of the Java system
> property user.home for the reference.  What user.home gets set to depends on
> how you start Tomcat and the version of Windows you're running.

We're on Windows 2003 R2 SP2
Tomcat is installed as a service from the zip file, running under local windows 
account: tomcat_user
In windows, the service account shows up as:  .\tomcat_user
I have that service set to start manually.

I've also stopped the IIS Admin service, WWW Web, and the HTTP SSL that are all 
part of IIS.  No changes, the page just tries to load






RE: Question about SSL

2010-02-24 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Question about SSL
>
> Could you provide a reference for this? I'd like to read more about
> MSIE and SSL problems.

http://www-01.ibm.com/support/docview.wss?uid=swg1PK37731
http://www.servlets.com/archive/servlet/ReadMsg?msgId=538662listName=jetty-discuss
http://forum.springsource.org/archive/index.php/t-23941.html

etc.

 - Chuck





RE: Question about SSL

2010-02-24 Thread Caldarale, Charles R
> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
> Subject: RE: Question about SSL
>
> In windows, the service account shows up as:  .\tomcat_user
> I have that service set to start manually.

If you used the tomcat6w.exe program to set the service's logon account, that 
may have been ignored, at least on some versions of Windows.  I have to change 
it with the Services console snap-in.

Regardless, I wouldn't count on Windows getting the home directory right when 
running as a service.

 - Chuck







RE: Question about SSL

2010-02-24 Thread Leo Donahue - PLANDEVX
> From: Caldarale, Charles R [chuck.caldar...@unisys.com]
> Subject: RE: Question about SSL
>
>> In windows, the service account shows up as:  .\tomcat_user
>> I have that service set to start manually.
>
> If you used the tomcat6w.exe program to set the service's logon account, that
> may have been ignored, at least on some versions of Windows.  I have to change
> it with the Services console snap-in.
>
> Regardless, I wouldn't count on Windows getting the home directory right when
> running as a service.

Chuck, you were probably right about Windows not getting the home directory 
right.

Success!

When I got home, I fired up VMWare and started a Windows Server 2003 R2 SP2 vm, 
updated 34 hotfixes (I haven't turned this vm on in awhile), downloaded tomcat 
6.0.24, left the default keystore password, and this time moved the .keystore 
file to c:\.keystore.  I changed the SSL port from 8443 to 443.  IIS was never 
installed on this server.

When I started tomcat, the logs told me everything I needed to know.  
The logs showed the following error:  java.io.FileNotFoundException: 
{some-directory}/{some-file} not found. 

I don't know why I wasn't seeing that error in the logs at work.

The windows tomcat_user account did not have access to the .keystore file after 
moving it to the root of c:.  I gave it full control and restarted tomcat.

Now, using IE8 (I know, this is not comparing apples to apples), 
https://localhost:443

The "There is a problem with this website's security certificate" page appears.  I 
continue to this website, and the Tomcat default webapp appears with https.

I did go back and edit server.xml for port 8443 and tried it again.  Still 
works using 8443!

I think it all boiled down to being able to access the .keystore file.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="c:/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />

Thank you everyone for helping me with this.
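Leo's root cause (the service account could not read the .keystore file, surfacing only as a java.io.FileNotFoundException in the Tomcat logs) and Chuck's warning about ${user.home} under a Windows service can both be checked before Tomcat is started. The program below is an added example, not something from the thread or from Tomcat: run as the account the service uses, it performs the same file open and KeyStore.load() that the connector performs, and it prints what user.home resolves to for that account. The defaults it assumes are taken from the server.xml in the thread (c:/.keystore, password "changeit", alias "tomcat") plus an assumed keystore type of JKS; on the -genkey question, keytool's -genkeypair and its older alias -genkey both create the private-key entry this check looks for.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

/**
 * Added example, not from the thread. Reproduces, as the current account, the
 * file open and KeyStore.load() that a Tomcat SSL connector performs at
 * startup, so an ACL problem, wrong path or wrong password is reported here
 * rather than as an exception in the Tomcat logs. Assumed defaults (from the
 * thread's server.xml, keystore type assumed): c:/.keystore, JKS, "changeit",
 * alias "tomcat".
 */
public final class KeystorePreflight {

    /** One field per thing that can go wrong, in the order the connector hits them. */
    static final class Result {
        boolean exists, readable, loaded, hasPrivateKey;
        String subject, notAfter, problem;
    }

    static Result check(String path, String type, char[] password, String alias) {
        Result r = new Result();
        Path p = Paths.get(path);
        r.exists = Files.exists(p);
        r.readable = Files.isReadable(p);   // false when the ACL denies the current account
        if (!r.exists || !r.readable) {
            r.problem = path + " is missing or not readable by "
                    + System.getProperty("user.name");
            return r;
        }
        try (InputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);                   // wrong password or wrong type fails here
            r.loaded = true;
            r.hasPrivateKey = ks.isKeyEntry(alias);  // the connector needs a key entry, not just a cert
            if (!r.hasPrivateKey) {
                r.problem = "alias '" + alias + "' has no private key entry";
                return r;
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            r.subject = cert.getSubjectX500Principal().getName();
            r.notAfter = cert.getNotAfter().toString();
        } catch (IOException | GeneralSecurityException e) {
            r.problem = e.toString();
        }
        return r;
    }

    public static void main(String[] args) {
        String path = args.length > 0 ? args[0] : "c:/.keystore";
        // ${user.home} in server.xml expands to this property for whatever
        // account the JVM runs as, so print it alongside the account name.
        System.out.println("running as " + System.getProperty("user.name")
                + ", user.home = " + System.getProperty("user.home"));
        Result r = check(path, "JKS", "changeit".toCharArray(), "tomcat");
        System.out.println("exists=" + r.exists + " readable=" + r.readable
                + " loaded=" + r.loaded + " privateKey=" + r.hasPrivateKey);
        if (r.problem != null) {
            System.out.println("PROBLEM: " + r.problem);
            System.exit(1);
        }
        System.out.println("subject=" + r.subject + " notAfter=" + r.notAfter);
    }
}
```

Run it from a command prompt started as the service account (tomcat_user in the thread) rather than as the administrator who generated the keystore; a readable=false result is exactly the condition Leo fixed by granting that account access to c:\.keystore, and a user.home that differs from the path used with keytool is the condition Chuck describes.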



RE: Question about SSL

2010-02-23 Thread Caldarale, Charles R
> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
> Subject: Question about SSL
>
> I need to implement SSL for Tomcat 6.0.24 on Windows 2003 Server R2 SP2
> that is already running IIS 6.0.  Should I implement SSL using IIS or
> Tomcat?

Probably IIS, but I'm not very familiar with it.  Some browsers (guess who?) 
get confused with SSL over a non-standard port, and IIS has probably already 
grabbed 443.

> When I enable SSL, this means that it is enabled for every webapp
> running under that Tomcat?

Enabled, but not forced; HTTPS normally uses port 443, regular HTTP port 80.  
If the client chooses to send the request to 443, it must use SSL.

> The user can choose the protocol for the
> URL even if it is not required?

Yes.

> ...It is not strictly necessary to run an entire web application over
> SSL, and indeed a developer can pick and choose which pages require a
> secure connection and which do not.
> Where do I configure this?

Read section 12 of the servlet spec.  You need to configure a 
transport-guarantee of CONFIDENTIAL for the desired URL pattern(s).  This 
will cause requests over non-secure connections to be redirected to the secure 
port.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





Re: Question about SSL

2010-02-23 Thread Christopher Schultz

Chuck and Leo,

On 2/23/2010 4:25 PM, Caldarale, Charles R wrote:
>> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
>> Subject: Question about SSL
>>
>> ...It is not strictly necessary to run an entire web application over
>> SSL, and indeed a developer can pick and choose which pages require a
>> secure connection and which do not.
>> Where do I configure this?
> 
> Read section 12 of the servlet spec. You need to configure a
> transport-guarantee of CONFIDENTIAL for the desired URL pattern(s).
> This will cause requests over non-secure connections to be redirected to
> the secure port.

While it may seem like transport-guarantee will meet all your needs,
we have a lot of folks asking questions on the list about secure-login,
but non-secure access to the rest of the webapp. There are arguments
both for and against this practice, but there are a couple of things to
consider:

1. transport-guarantee doesn't apply (I think) to the login page that
Tomcat serves, even if you set it. This is because Tomcat does an
internal forward from the requested resource (say, /protected.jsp) to
your login page.

2. Tomcat doesn't automatically use HTTPS for your call to
j_security_check, so make sure that your login form /does/ use HTTPS in
its URL.

3. If you are allowing clients to use cookies, you'll need to make sure
that your JSESSIONID cookie is created in non-secure mode, otherwise
you'll get a session assigned to you that is only accessible via HTTPS
and you'll confuse the hell out of yourself trying to figure out why
it's not working.

That last one can be a real PITA: if you're looking for secure-auth
/only/, then you'll have to design your pages to ensure that your
cookies are always in non-secure-mode but that j_security_check does get
sent over HTTPS.

Hope that helps.
- -chris




RE: Question about SSL

2010-02-23 Thread Caldarale, Charles R
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Subject: Re: Question about SSL
 
> 1. transport-guarantee doesn't apply (I think) to the login page that
> Tomcat serves, even if you set it.

If the requested resource is covered by the security constraint that includes 
the transport-guarantee of CONFIDENTIAL, the login page will be protected.  
The redirect to the SSL port happens before the login.

> That last one can be a real PITA: if you're looking for secure-auth
> /only/, then you'll have to design your pages to ensure that your
> cookies are always in non-secure-mode but that j_security_check does
> get sent over HTTPS.

And, as we keep trying to drum into people, having an encrypted login but 
unencrypted pages serves little purpose, since the now trusted jsessionid is 
visible to anyone who can see the traffic - such as your neighbor on your 
cable-based ISP.

 - Chuck



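To make the two points in this exchange concrete, here is a web.xml fragment added as an illustration; it is not from any post in the thread. The first security-constraint is the "secure login only" setup that Chuck warns against: it forces HTTPS for the login pages (the url-pattern values are hypothetical) and nothing else, so the JSESSIONID handed out after login travels in the clear on every later request. The second constraint is the whole-application CONFIDENTIAL guarantee from Chuck's first reply applied to /*; because a constraint with a user-data-constraint but no auth-constraint imposes no role check, it only forces the transport. The session-config block is Servlet 3.0 syntax and needs Tomcat 7 or later, not the Tomcat 6.0.24 the thread is about.

```xml
<!-- Added illustration, not from the thread. Servlet 2.5 / Tomcat 6 web.xml
     except where noted. Keep ONE of the two security-constraint elements. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- WEAK: only the login pages require HTTPS (hypothetical patterns).
       Every other request, and the JSESSIONID cookie it carries, is sent
       over plain HTTP and can be read by anyone on the path. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>login-pages-only</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/login-error.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- CORRECTED: the whole application requires HTTPS. No auth-constraint
       is present, so this adds no role check; it only forces the transport.
       A plain-HTTP request to any URL is redirected to the secure port. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>entire-application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Servlet 3.0 (Tomcat 7+) only: mark the session cookie Secure and
       HttpOnly explicitly, so it is never offered on a plain connection
       and is not readable from page script. -->
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>

</web-app>
```

The redirect that a CONFIDENTIAL guarantee triggers goes to the port named in the redirectPort attribute of the plain HTTP Connector in server.xml. That value has to match the port of the SSL-enabled Connector (8443 in the configuration posted earlier in this thread); if it points at a port nothing is listening on, browsers see a connection failure rather than a secure page. A quick check is to request any constrained URL over http:// with a command-line client and confirm the 302 Location header names https and the right port.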


RE: Question about SSL

2010-02-23 Thread Leo Donahue - PLANDEVX
Thank you both for the feedback.  Much appreciated.

In my case, I am enabling SSL for a webservice that issues tokens when users 
connect to a secure GIS web service over http from a web client.  The end user 
loads a page that contains a JavaScript URL with a supplied token to a secure 
GIS web service.  End users consuming the web service via a webpage are not 
required to log in.  I use the Token service from the local server behind our 
firewall to generate the token that is embedded in the JavaScript webapp that 
the WWW users see.  It can be restricted via the HTTP Referer or an IP address.

However, end users (within our local network) who connect to my secured web 
service using a desktop client are required to supply a http URL to the web 
service with a username and password in a dialogue.  The desktop client makes 
the request to the Token service but requires that service to be running in 
SSL.  

For anyone interested:  
http://webhelp.esri.com/arcgisserver/9.3.1/java/token_service.htm  Secure 
Connection (HTTPS/SSL) required for Token Service

My sysadmin suggested we disable IIS and let Tomcat handle the SSL 
certificates, since it seems easier to implement.



