Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-user@jakarta.apache.org
From: "Jonathan Eric Miller"
Subject: SSL, AJP13, and security related questions
Date: Fri, 1 Dec 2000 00:37:54 -0600

NOTE, PLEASE RESPOND TO ME DIRECTLY AT JEMILLER@UCHICAGO.EDU AS I AM NOT ON THIS LIST. I would like to be on the list, but I can't handle getting all the email right now. I really wish there were a Usenet newsgroup for Tomcat, to be honest.

I'm using the Tomcat 3.2 release with Apache 1.3.12, mod_ssl, and mod_jk. What I would like to be able to do is determine what cipher suite was negotiated between the Web server and the client. The tomcat-ssl-howto.html document states that there is a variable named SSL_CIPHER. I'm trying to figure out how to access this variable. I'm wondering if someone could answer the following questions for me.

1. If the SSL_CIPHER variable is being passed to Tomcat, I should be able to call HttpServletRequest.getHeaderNames() and see that header, correct? If I don't see it, does that mean that something is configured incorrectly?

2. Do I have to use the AJP13 connector instead of the AJP12 connector in order to access the SSL_CIPHER variable? I'm using AJP13, but it's still not working. I added the AJP13 connector to the server.xml file. I'm also using a custom mod_jk.conf file, for which I used mod_jk.conf-auto as a template. In this file, I changed the root settings to use ajp13 instead of ajp12. I also added the commands that are listed in tomcat-ssl-howto.html with regard to setting JkExtractSSL On (just to be on the safe side, even though in theory it's on by default). I disabled the AJP12 connector in server.xml to make sure that the ajp13 connector was being used. I then ran https://myhost/servlet/SnoopServlet. I would assume that I should see the SSL_CIPHER header in the Headers section of the output, but it isn't there.

3. Why is the default connector still AJP12 if AJP13 is the recommended one to use?

4. If I'm using Tomcat in stand-alone mode with SSL enabled, can I access the SSL_CIPHER variable? Or is this variable specific to using Tomcat with Apache Web Server?

5. When running Tomcat in stand-alone mode with SSL enabled, is it possible to specify in a configuration file that only connections that support strong encryption will be accepted? i.e. 128-bit.

6. Apache Web Server allows one to restrict access to a URL to a specific IP address or range of IP addresses. Is it possible to do this using Tomcat in stand-alone mode?

7. Does Tomcat support, or is it planned to support in the future, having user passwords crypt-encrypted? i.e. like Apache Web Server.

Thanks in advance for answering any of the above questions that you might know the answers to,

Jon
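One way to check from inside a servlet what the connector actually forwards (questions 1, 2 and 5), as an added example that is not part of the original post or of Tomcat: the Servlet 2.2 specification defines the request attributes javax.servlet.request.cipher_suite and javax.servlet.request.key_size, so a servlet can read those rather than hunting for an SSL_CIPHER header, and can refuse to serve anything below a chosen key size. The SSL_CIPHER header fallback and the 128-bit minimum are assumptions made for this example; whether a given Tomcat/mod_jk setup populates the attributes is exactly what running it tells you.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not code from the original post. Reports the negotiated
// cipher suite and key size as the servlet sees them and refuses requests
// below a minimum key size. Servlet 2.2 defines the two attribute names;
// whether a given Tomcat/mod_jk setup populates them is what this lets you test.
public class SslCheckServlet extends HttpServlet {
    static final String CIPHER_ATTR = "javax.servlet.request.cipher_suite";
    static final String KEYSIZE_ATTR = "javax.servlet.request.key_size";
    static final int MIN_KEY_BITS = 128;  // policy value chosen for this example

    // Spec attribute first; fall back to a raw SSL_CIPHER header in case the
    // connector forwards it that way. Null means neither path delivered it.
    static String cipherSuite(HttpServletRequest req) {
        Object attr = req.getAttribute(CIPHER_ATTR);
        return attr != null ? attr.toString() : req.getHeader("SSL_CIPHER");
    }

    // Key size in bits, or -1 when the connector did not pass it through.
    static int keySize(HttpServletRequest req) {
        Object attr = req.getAttribute(KEYSIZE_ATTR);
        if (attr == null) return -1;
        try { return Integer.parseInt(attr.toString()); }
        catch (NumberFormatException e) { return -1; }
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        int bits = keySize(req);
        // Fail closed: no TLS, or an unknown key size, is treated as too weak.
        if (!req.isSecure() || bits < MIN_KEY_BITS) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                "HTTPS with at least " + MIN_KEY_BITS + "-bit encryption required");
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        String suite = cipherSuite(req);
        out.println("cipher suite: " + (suite != null ? suite : "(not forwarded)"));
        out.println("key size    : " + bits);
    }
}
```

If the servlet reports "(not forwarded)" and a key size of -1 over HTTPS, the SSL data is not reaching Tomcat through the connector, which isolates the problem to the Apache/mod_jk side rather than the application.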