Same here. I terminate all SSL in a load balancer and forward in the clear back to 8080 or 8081. Application code is peppered with non-standard calls to see things set by a filter to see if it's considered secure even though Tomcat thinks otherwise. In the more extreme case, I could consider all packets to be secure in that all packets are traveling over a VPN tunnel or on a high-speed interconnect between nodes inside the same box.

If I recall, SSL doesn't actually require you to negotiate any encryption standard (the NULL cipher -- http://www.openssl.org/docs/apps/ciphers.html). And of course, selecting SSL doesn't mean the keys haven't been unknowingly compromised.

Really, this should be a marker to denote that the connection is administratively considered secure.
greg
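As an added example (not code from the poster or from Tomcat), here is a servlet filter that implements the "administratively secure" marker described above: requests that arrive on the TLS-offload port from the load balancer's own address are wrapped so that isSecure() and getScheme() report HTTPS to the application, and every other request is passed through untouched. The port numbers and peer addresses are constructed assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Marks a request as "administratively secure": TLS was terminated upstream
 * on a load balancer and the hop to Tomcat is plain HTTP on a trusted path.
 * Only requests that arrive on an offload port AND from a known load-balancer
 * address are re-labelled, so a client that reaches 8080 directly is not
 * silently treated as secure.
 */
public class AdministrativelySecureFilter implements Filter {
    // Assumed values (constructed for this example): the ports the load
    // balancer forwards decrypted traffic to, and the addresses it connects from.
    private static final Set<Integer> OFFLOAD_PORTS = Set.of(8080, 8081);
    private static final Set<String> TRUSTED_PEERS = Set.of("127.0.0.1", "10.0.0.5");

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && isFromTlsOffload((HttpServletRequest) req)) {
            req = new SecureRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /** Trust is tied to the local port and peer address, never to a client-supplied header. */
    static boolean isFromTlsOffload(HttpServletRequest req) {
        return OFFLOAD_PORTS.contains(req.getLocalPort())
                && TRUSTED_PEERS.contains(req.getRemoteAddr());
    }

    /** Wrapper that reports the connection as secure and HTTPS to application code. */
    static final class SecureRequest extends HttpServletRequestWrapper {
        SecureRequest(HttpServletRequest req) { super(req); }
        @Override public boolean isSecure() { return true; }
        @Override public String getScheme() { return "https"; }
    }

    @Override
    public void destroy() {}
}
```

Because the container evaluates <security-constraint> before the filter chain runs, this satisfies request.isSecure() checks in application code but does not satisfy a <transport-guarantee>CONFIDENTIAL</transport-guarantee> constraint; that decision is made at the connector level.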
On Oct 10, 2008, at 9:12 AM, Christopher Schultz wrote:
David,
David Wall wrote:
> No, I don't want SSL enabled. I want Tomcat to NOT do SSL, but I want it
> to report to my application that SSL is being used.

So you want quality software to lie to you? It would be a bug if Tomcat
said it was secure when it's not, and it sounds pretty goofy to want it.

> What about the AJP connector, which does exactly the same thing? An SSL
> connection to Apache httpd is translated into a non-secure communication
> to Tomcat, and yet request.isSecure() returns true.
>
> The deal is that I want to be able to have a localhost-only <Connector>
> that appears to be secure, but isn't actually using SSL so I can avoid
> the SSL performance hit.

So use HTTP. "Appearing" secure buys you nothing other than fooling
yourself. You are not telling us something because such a spec makes no
sense. Your app can assume anything it wants (boolean isSecure = true;
int one = 2;).

> I would also like to use
> <transport-guarantee>CONFIDENTIAL</transport-guarantee> which
> essentially requires HTTPS to be used. I would like to represent a
> connection as secure, not as HTTPS. Since I trust localhost, I consider
> that secure, just as I trust the connections coming from mod_jk as
> outlined above.
>
> This is not a case of true = false or 1 = 2.

-chris
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]