tomcat-users mailing list archives

From John Dale <jcdw...@gmail.com>
Subject Re: Wildcard certificates
Date Wed, 17 Apr 2019 19:59:06 GMT
On 4/17/19, Christopher Schultz <chris@christopherschultz.net> wrote:
> John,
>
> On 4/17/19 10:42, John Dale wrote:
>> My understanding is that the folks at SUN really put their backs
>> into it from the beginning:
>> https://stackoverflow.com/questions/479701/does-java-have-buffer-overflows
>>
>>  Since hot spot compilers have matured, Java is virtually as fast
>> as C/++ (the Java is slow argument falls on my deaf ears, even if
>> it is amazingly repeated still today by members of other
>> programming religions).
>
> Where it really sucks, though, is crypto. When JSSE decides to use
> hardware for crypto, things go really well. But it often does not make
> that decision due to a few bugs here and there that still appear to
> remain in the runtime.
>
> Tomcat benchmarks comparing JSSE versus OpenSSL are at least an order
> of magnitude different, sometimes two, in favor of OpenSSL.
>
> Have a look at any of the slides Jean-Frederic Clere has presented at
> any recent ApacheCon conferences and you can see his benchmarks
> comparing them.
>
> The good news is that Tomcat+OpenSSL is comparable to httpd+OpenSSL,
> so if you are able to use tcnative (required for OpenSSL use from
> Tomcat), then the performance argument is pretty much moot.
>
> I myself always front Tomcat with another web server, but that is for
> other reasons. Security and performance are nice-to-haves but aren't
> really justified IMHO. Flexibility is the primary reason I front my
> Tomcat instances with web servers. Tomcat doesn't make a great
> load-balancer.
>
> -chris

You mean on its own without modification?  I think Tomcat makes a
great load balancer, but I had to write a little code.

HTTPD has a lot of plugins and add-ons and a history of integration
with lots of tools from firewall to email and beyond.  It's a crazy
piece of software that is very mature, but I found it to be overkill
for my purposes. I just use LFD/CFS manually, and I will continue to
improve my DDoS and other exploit mitigation code.




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

