tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Wildcard certificates
Date Wed, 17 Apr 2019 16:46:11 GMT

To whom it may concern,

On 4/17/19 10:22, TurboChargedDad . wrote:
> I would have the opposite feeling.  I would not want a java process
>  parked out in the internet.  Not saying you're wrong just my 
> personal feeling.
It would be interesting to compare the number of remotely-exploitable
vulnerabilities there have been in e.g. httpd versus e.g. Tomcat in a
given period of time. My guess is that the Java-based servers have had
a better track record. The difference is that typically if you own a
web server, you just own the web server. But if you own an application
server, you typically get access to lots of great stuff like the
application's database.

> Maybe things have shifted in a different direction over the year.
Any particular year?

> I do agree that something like that would be helpful to other
> tomcat admins.  Would you consider putting it into github ?
certbot does almost everything you need. There is also this:
https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf

So unless John has done something truly amazing, maybe adding more
tools to what MUST be a secure toolchain isn't a great move.

-chris

> On Wed, Apr 17, 2019 at 9:18 AM John Dale <jcdwrrc@gmail.com>
> wrote:
> 
>> I have a really nice process that works great with certbot.
>> Single command to renew all of my certs and I'm finished.
>> 
>> I get some peace of mind having a Java process guarding the
>> front door.  Seems to be more impervious to overflows.  What am I
>> missing?
>> 
>> I think what I have might be easily developed into something to
>> help other Tomcat users.
>> 
>> On 4/17/19, TurboChargedDad . <linuxhpceng@gmail.com> wrote:
>>> We terminated SSL above the tomcat layer using NGINX or Apache
>>> to avoid the complexities that come with managing a JKS.  I
>>> want to hear all I can on this subject.
>>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
