I'm no security expert, but I was looking at mod_ssl the other day, so here are my thoughts...
1) Is there a need for SSL between web server and Tomcat?

It depends on what traffic is allowed through your firewall. If webserver-Tomcat communication is on port 8009 and your firewall doesn't allow access to this port from the outside, then the unencrypted communication between webserver and Tomcat is safe from the outside world. However, if someone was to upload an application to the web server they would then be able to monitor the traffic on 8009. Also, without SSL between webserver-Tomcat you are still vulnerable from inside the network (coworkers, etc.).

2) In mod_ssl for Apache, data is unencrypted by the webserver and then forwarded in unencrypted format to Tomcat.

Note - I have never set up Apache mod_ssl / Tomcat, so take this with a grain of salt; all comments are based on my limited understanding of the documentation.

cheers,
Dave

On Fri, 15 Nov 2002 [EMAIL PROTECTED] wrote:

> Hi All.
> I know this has been discussed ad nauseam, but I do need some
> clarification conceptually.
> By the time the web-server applet calls a servlet in Tomcat, the http
> request has already gone past the firewall.
> Ideally, I would like to see anything between the web-server and the
> browser encoded in SSL.
> So my questions are :
> (1) Is there a need for openSSL between Tomcat and web-server ?
> (2) If I implement openSSL between web-server and browser, how will this
> affect Tomcat downstream, if at all ?
>
> --
> To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>