tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ach...@saysit.com
Subject Off topic : tools for testing mod_ssl/OpenSSL ???
Date Wed, 06 Aug 2003 02:54:42 GMT
Hi All.
TCPDUMP-ing the login for NYTimes.com as a control group I can certainly
see USERID and PASSWORD (and other things) eg.  
...
Referer: http://www.nytimes.com/auth/login
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)
Host: www.nytimes.com
Content-Length: 84
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: RMID; tpopunder_orbitz23a-nyt4; NYT-S; nyt-d;
tpopunder_orbitz23-nyt4; spopunder;
NYT_GR=3f3069f9-eD5iDGvcR1EwqdL/n8+qGA
is_continue=true&URI=&OQ=&USERID=niemand&PASSWORD=geheimnis&log=Log+In&SAVEOPTION=YES÷
1?&(r)
...
After enabling httpd with mod_ssl, the TCPDUMP from the following client
browsers are mostly NOT human-readable :
* Mozilla
* MSIE5
* Nescape 6.2
* Netspcae 7.1 (which is the bee in the bonnet)
They all present the login dialogue box and the "untrusted self-signed
certificate" screen.
Therefore it might be a bug with 7.1, which seemingly does not report an
embedded secure link from an unsecured page as such eg. from
http:/my.first.do which as a link to https://my.secure.dom
However,in 7.1, if I key in the URL https://my.secure.dom (ie without
going through http://my.first.dom), the lock closes and one can view the
certificate info by clicking on it.

I assume this is how it works :
Step 1: certificate presented, accepts and ecrypt input from client
browser
Step 2: transmit to mod_ssl enabled Apache2 server
Step 3: Off to Tomcat courtesy of following bits of code :
...
<VirtualHost 192.168.1.3:443>
    ServerName my.dom.com
    ServerAdmin webmaster@dom.com
    DocumentRoot /home/king/public_html
    ErrorLog /usr/local/apache2/logs/king_error.log
    CustomLog /usr/local/apache2/logs/king_access.log common
    <IfModule mod_ssl.c>
       SSLEngine on
       SSLCipherSuite
ALL:!ADH:!EPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
       SSLCertificateFile /path/to/ssl/server.crt
       SSLCertificateKeyFile /path/to/server.key
    </IfModule>
    JkExtractSSL on
    JkHTTPSIndicator HTTPS
    JkSESSIONIndicator SSL_SESSION_ID
    JkCIPHERIndicator SSL_CIPHER
    JkCERTSIndicator SSL_CLIENT_CERT
    JkMount /dom ajp13
    JkMount /dom/* ajp13
</VirtualHost>
...
Step 4 : FIX ME - does Apache2 unecrypt content before passing on to
Tomcat ???
Step 5 : FIX ME - does Tomcat pass db data back to Apache2 and the data
get encrypted there ???


If anyone out there has similar or diff experience, please share it.


Ralph Einfeldt wrote:
> 
> One way to verify this, is to use a packet sniffer
> and watch the pakets that are exchanged bewenn server
> and browser.
> 
> Under linux you can use tcpdump.
>   http://www.tcpdump.org/
> 
> 
> tcpdump has also a windows brother (or sister):
>   http://windump.polito.it/
> 
> Under linux and windows you can use ethereal:
>   http://www.ethereal.com/
> 
> > -----Original Message-----
> > From: achana@saysit.com [mailto:achana@saysit.com]
> > Sent: Tuesday, August 05, 2003 9:17 AM
> > To: tomcat-user@jakarta.apache.org
> > Subject: Off topic : any tools for testing mod_ssl/OpenSSL ???
> >
> >
> > Hi All.
> > I have got my Apache mod_ssl/OpenSSL talking with Tomcat nicely using
> > MSIE5, Netscape 6.2 and Mozilla.
> > On Netscape 7.1, it says I am transmiting in clear text for all to see
> > AFTER logging in and accepting the certificate !?! SOmehow I
> > doubt that,
> > I think it is telling me fips.
> > Are there any tools to tes whether the transmission is in clear text ?
> > TIA :-)
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> >
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

Mime
View raw message