tomcat-users mailing list archives

From ohaya <oh...@cox.net>
Subject Re: New idea - Enable Tomcat for SSL?
Date Fri, 20 Aug 2004 14:24:26 GMT
John,

FYI, that (Apache+SSL) was my first approach, and I spent over a week
trying to get it working, and posted a bunch of times about my
problems.  I was able to get the SSL authentication working early on,
but what I was struggling with is getting access to the client cert
information from JSPs.  In the end, I was able to conclude that the
reason for that last problem was that the binaries that I was working
with (Apache, mod_jk/jk2) were not compiled with the "--EAPI" directive,
and that was preventing the SSL/client cert info from passing to Tomcat.

Besides the fact that I'm kind of running out of time to get something
working (so I wouldn't have the time to build Apache, mod_ssl,
mod_jk/jk2), I'm working in an environment where the binaries are
controlled and single-sourced internally, and so even if I did have the
time, I wouldn't be allowed to do and deploy a 'special' build.

After all of that, I turned back to Tomcat, and like I said, I'm "that
close" now.  Also, as I indicated in an earlier msg in this thread, this
is not going to be a high-volume website, at most maybe 1-2 people at a
time, so performance is not a major concern.

Jim
John Villar wrote:
> 
> Excuse me, everyone who has talked on this thread, I haven't followed
> this thread closely, but.... why aren't you using proven software for
> that matter like Apache HTTPD?..... It has years of SSL patches,
> corrections and improvements; also, Tomcat is just too slow to serve
> static content like images or large files. If you're concerned with
> security, you should never think in the first place to begin a new
> development; security has to have a process of maturity before you can
> decide something is *secure enough*.
> 
> Shapira, Yoav wrote:
> 
> >Hi,
> >I'm afraid I can't help much with CRLs on Tomcat.  I've never done that
> >before ;)  I don't see much in the docs.  I do see hits on Google, such
> >as
> >http://proj-grid-data-build.web.cern.ch/proj-grid-data-build/edg-java-security/edg-java-security-1.5.9/tomcat/Authentication_Admin_Guide.html,
> >suggesting a custom SSLSocketFactory is in order.  Tomcat of course lets
> >you integrate whatever socket factory you want for your connector, and
> >the one in the above link allows for CRL configuration.
> >
> >Yoav Shapira
> >Millennium Research Informatics
> >
> >
> >
> >
> >>-----Original Message-----
> >>From: ohaya [mailto:ohaya@cox.net]
> >>Sent: Friday, August 20, 2004 9:55 AM
> >>To: Tomcat Users List
> >>Subject: Re: New idea - Enable Tomcat for SSL?
> >>
> >>Yoav,
> >>
> >>The problem is that I can't find any info at all on how to configure it
> >>to use a CRL.
> >>
> >>FYI, after an all-nighter, I was just able to get the client and server
> >>SSL part working with standalone Tomcat.  Very cool :)!  And, best of
> >>all, I was able to confirm that with this, I can access the client
> >>certificate info from my JSPs.
> >>
> >>I'm just "so close" to what I need now, if I can just figure out how to
> >>enable or incorporate the CRL checking, as from a security standpoint,
> >>they won't let me deploy a PKI-enabled system if it doesn't support
> >>CRLs.
> >>
> >>Jim
> >>
> >>
> >>
> >>"Shapira, Yoav" wrote:
> >>
> >>
> >>>Hi,
> >>>I don't know about CRL support -- why not just try it out?
> >>>
> >>>Yoav Shapira
> >>>Millennium Research Informatics
> >>>
> >>>
> >>>
> >>>>-----Original Message-----
> >>>>From: ohaya [mailto:ohaya@cox.net]
> >>>>Sent: Thursday, August 19, 2004 7:51 PM
> >>>>To: Tomcat Users List
> >>>>Subject: Re: New idea - Enable Tomcat for SSL?
> >>>>
> >>>>
> >>>>
> >>>>"Shapira, Yoav" wrote:
> >>>>
> >>>>
> >>>>>Hi,
> >>>>>http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html
> >>>>>
> >>>>>And, of course,
> >>>>>http://jakarta.apache.org/tomcat/faq/connectors.html#integrate
> >>>>>
> >>>>>which should have saved you considerable time and effort.
> >>>>>
> >>>>Yoav,
> >>>>
> >>>>I had posted a number of messages about problems I was having, but in
> >>>>any event, thanks for the links.
> >>>>
> >>>>One other question:  If I configure Tomcat (5.0.27) as a standalone
> >>>>SSL-enabled (client and server) webserver+container, will the Tomcat SSL
> >>>>handling support the use of certificate revocation lists (CRLs)?
> >>>>
> >>>>I've been trying to research this, and so far have had no luck finding
> >>>>anything on it, and, from the standpoint of security, support for CRLs
> >>>>is going to be a must-have if I go this direction.
> >>>>
> >>>>If you or anyone knows the answer to this question, please let me know.
> >>>>
> >>>>Thanks again,
> >>>>Jim
> >>>>
> >>>>---------------------------------------------------------------------
> >>>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >>>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >>>>
> >>>This e-mail, including any attachments, is a confidential business
> >>>communication, and may contain information that is confidential,
> >>>proprietary and/or privileged.  This e-mail is intended only for the
> >>>individual(s) to whom it is addressed, and may not be saved, copied,
> >>>printed, disclosed or used by anyone else.  If you are not the(an) intended
> >>>recipient, please immediately delete this e-mail from your computer system
> >>>and notify the sender.  Thank you.
> >>>
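The two open items in the thread, reading the client certificate that Tomcat's standalone SSL connector hands to the web application and checking it against a CRL, can also be handled inside the application instead of in a custom socket factory. The servlet filter below is an added example, not code from the thread or from Tomcat. It relies only on the `javax.servlet.request.X509Certificate` request attribute, which the servlet specification defines and which is what the JSPs in the thread read, and on the JDK's PKIX `CertPathValidator` with revocation checking enabled. The class name and the init-parameter names (`truststore`, `truststorePass`, `crlFile`) are assumptions for the example; the CRL is loaded once at startup, so a real deployment would need to reload it before its `nextUpdate`.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example (not from the thread or from Tomcat): re-validates the client
 * certificate chain the SSL connector stores in the request against a trust
 * store and a CRL file, and rejects with 403 if the chain is missing,
 * untrusted, revoked, or the CRL on hand is stale.
 * Init-params (names are assumptions): truststore, truststorePass, crlFile.
 */
public class CrlCheckFilter implements Filter {

    // Attribute name defined by the servlet specification, not by this example.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private CertificateFactory cf;
    private CertPathValidator validator;
    private PKIXParameters params;
    private X509CRL crl;

    public void init(FilterConfig cfg) throws ServletException {
        try {
            cf = CertificateFactory.getInstance("X.509");
            validator = CertPathValidator.getInstance("PKIX");

            KeyStore ts = KeyStore.getInstance("JKS");
            InputStream in = new FileInputStream(cfg.getInitParameter("truststore"));
            try {
                ts.load(in, cfg.getInitParameter("truststorePass").toCharArray());
            } finally {
                in.close();
            }

            InputStream crlIn = new FileInputStream(cfg.getInitParameter("crlFile"));
            try {
                crl = (X509CRL) cf.generateCRL(crlIn); // DER or PEM
            } finally {
                crlIn.close();
            }

            // Trust anchors come from the trust store; the CRL is handed to the
            // validator through a Collection CertStore so revocation checking can find it.
            params = new PKIXParameters(ts);
            params.setRevocationEnabled(true);
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(Collections.singletonList(crl))));
        } catch (Exception e) {
            throw new ServletException("CrlCheckFilter init failed", e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0 || !chainIsAcceptable(certs, new Date())) {
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);
    }

    /** True only if the chain validates to a trust anchor and no cert in it is revoked. */
    boolean chainIsAcceptable(X509Certificate[] certs, Date now) {
        // Fail closed: a CRL past its nextUpdate says nothing about current status.
        Date next = crl.getNextUpdate();
        if (next != null && next.before(now)) {
            return false;
        }
        // The connector may include the CA itself in the array; PKIX expects
        // anchors to come from the parameters, not from the path being validated.
        List path = new ArrayList();
        for (int i = 0; i < certs.length; i++) {
            if (!certs[i].getSubjectX500Principal().equals(certs[i].getIssuerX500Principal())) {
                path.add(certs[i]);
            }
        }
        if (path.isEmpty()) {
            return false;
        }
        try {
            CertPath cp = cf.generateCertPath(path);
            PKIXParameters p = (PKIXParameters) params.clone(); // per-request copy, thread-safe
            p.setDate(now);
            validator.validate(cp, p);
            return true;
        } catch (CertPathValidatorException e) {
            return false; // untrusted, expired or revoked
        } catch (Exception e) {
            return false;
        }
    }

    public void destroy() {
    }
}
```

Map the filter in `web.xml` in front of the protected JSPs and keep `clientAuth` on the connector so the handshake still requires a certificate; the filter adds the revocation decision the connector alone does not make, and it fails closed when the CRL it was given has expired rather than silently accepting every certificate.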