"John MccLain" <jmcclain@tcshealthcare.com> wrote in message
news:JMEOIPJEDGMHCIOMBHLIMEALFBAA.jmcclain@tcshealthcare.com...
> We have a servlet that is served by Tomcat. IIS is employed to redirect ot
> Tomcat via AJP. IIS is also SSL enabled as our data is sensistive.
>
> I wish to call a servlet and pass SSL encrypted data. BUT, to start the
> SSL
> handshake off, I am making a servlet request with the data I wish to be
> SSL
> encrypted.
>
> My question is
>
> If I call a servlet from a browser and pass the servlet some parameters
> that
> need to be sent encrypted, do the parameters get SSL encrypted BEFORE they
> are sent, or are they sent clear text, then the SSL Handshake, then all
> other data sent is encrypted?
>
The handshake happens first. Only after the browser has decided it trusts
you and a cipher has been decided on will it send the HTTP data. This
includes the requestURI, headers, as well as the POST body.
This is the main reason that you can't use NamedVirtualHosts with SSL: The
server has to pick a certificate to send long before it knows the Host
header.
> John McClain
> Senior Software Engineer
> TCS Healthcare
> jmcclain@tcshealthcare.com
> (530)886-1700x235
> "Skepticism is the first step toward truth"
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
|