tomcat-users mailing list archives

From "Jonathan Eric Miller" <>
Subject SSL, AJP13, and security related questions
Date Fri, 01 Dec 2000 06:37:54 GMT
THIS LIST. I would like to be on the list, but, I can't handle getting all
the email right now. I really wish there were a Usenet newsgroup for Tomcat
to be honest.

I'm using Tomcat 3.2 release with Apache 1.3.12, mod_ssl, and mod_jk. What I
would like to be able to do is determine what cipher suite was negotiated
between the Web server and client. It states that there is a variable named
SSL_CIPHER in the tomcat-ssl-howto.html document. I'm trying to figure out
how to access this variable. I'm wondering if someone could answer the
following questions for me.

1. If the SSL_CIPHER variable is being passed to Tomcat, I should be able to
call HttpServletRequest.getHeaderNames() and see that header, correct? If I
don't see it, does that mean that something is configured incorrectly?

2. Do I have to use the AJP13 connector instead of the AJP12 connector in
order to access the SSL_CIPHER variable?

I'm using AJP13, but, it's still not working. I added the AJP13 connector
to the server.xml file. I'm also using a custom mod_jk.conf file, for which I
used mod_jk.conf-auto as a template. In this file, I changed the root
settings to use ajp13 instead of ajp12. I also added the commands that are
listed in tomcat-ssl-howto.html with regard to setting JkExtractSSL On (just
to be on the safe side even though in theory it's on by default). I disabled
the AJP12 connector in server.xml to make sure that the ajp13 connector was
being used. I then ran https://myhost/servlet/SnoopServlet. I would assume
that I should see the SSL_CIPHER header in the Headers section of the
output, but, it isn't there.

3. Why is the default connector still AJP12 if AJP13 is the recommended one
to use?

4. If I'm using Tomcat in stand alone mode with SSL enabled can I access the
SSL_CIPHER variable? Or, is this variable specific to using Tomcat with
Apache Web Server?

5. When running Tomcat in stand alone mode with SSL enabled, is it possible
to specify in a configuration file that only connections that support strong
encryption will be accepted? i.e. 128 bit.

6. Apache Web Server allows one to restrict access to a URL to a specific IP
address or range of IP addresses. Is it possible to do this using Tomcat in
stand alone mode?

7. Does Tomcat, or is it planned to in the future, support having user
passwords crypt encrypted? i.e. like Apache Web Server.

Thanks in advance for answering any of the above questions that you might
know the answers to,
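
Added example, not part of the original message and not code from the Tomcat project: a diagnostic servlet for questions 1 and 5 that reads the negotiated cipher suite and key size from request attributes rather than headers and refuses connections below 128 bits. It assumes the connector in use populates the Servlet-specification attribute names javax.servlet.request.cipher_suite and javax.servlet.request.key_size; the class name SslInfoServlet is hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet (added example, not from the Tomcat distribution).
public class SslInfoServlet extends HttpServlet {
    // Attribute names from the Servlet specification; that the connector
    // in use fills them in is an assumption of this example.
    static final String CIPHER_ATTR = "javax.servlet.request.cipher_suite";
    static final String KEYSIZE_ATTR = "javax.servlet.request.key_size";
    static final int MIN_KEY_BITS = 128; // the threshold named in question 5

    // A connector may hand over the key size as an Integer or as a String.
    static int keyBits(Object attr) {
        if (attr instanceof Integer) return ((Integer) attr).intValue();
        if (attr instanceof String) {
            try { return Integer.parseInt(((String) attr).trim()); }
            catch (NumberFormatException e) { return -1; }
        }
        return -1; // attribute missing: key size unknown
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        int bits = keyBits(req.getAttribute(KEYSIZE_ATTR));
        // Fail closed: plain HTTP, an unknown key size, or a weak suite is refused.
        if (!req.isSecure() || bits < MIN_KEY_BITS) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "SSL with at least " + MIN_KEY_BITS + "-bit keys required");
            return;
        }
        res.setContentType("text/plain");
        PrintWriter out = res.getWriter();
        out.println("cipher suite attribute: " + req.getAttribute(CIPHER_ATTR));
        out.println("key size attribute:     " + bits);
        // A request header with this name is ordinary request data sent by the
        // client, not connection state, so only its presence is reported.
        out.println("SSL_CIPHER header present: " + (req.getHeader("SSL_CIPHER") != null));
        // Dump every attribute so a missing SSL attribute is easy to spot.
        for (Enumeration<?> e = req.getAttributeNames(); e.hasMoreElements();) {
            String name = (String) e.nextElement();
            out.println("attribute " + name + " = " + req.getAttribute(name));
        }
    }
}
```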

