Hi All.
TCPDUMP-ing the login for NYTimes.com as a control group I can certainly
see USERID and PASSWORD (and other things) e.g.
...
Referer: http://www.nytimes.com/auth/login
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)
Host: www.nytimes.com
Content-Length: 84
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: RMID; tpopunder_orbitz23a-nyt4; NYT-S; nyt-d;
tpopunder_orbitz23-nyt4; spopunder;
NYT_GR=3f3069f9-eD5iDGvcR1EwqdL/n8+qGA
is_continue=true&URI=&OQ=&USERID=niemand&PASSWORD=geheimnis&log=Log+In&SAVEOPTION=YES÷
1?&(r)
...
After enabling httpd with mod_ssl, the TCPDUMP from the following client
browsers are mostly NOT human-readable :
* Mozilla
* MSIE5
* Netscape 6.2
* Netscape 7.1 (which is the bee in the bonnet)
They all present the login dialogue box and the "untrusted self-signed
certificate" screen.
Therefore it might be a bug with 7.1, which seemingly does not report an
embedded secure link from an unsecured page as such, e.g. from
http://my.first.dom which has a link to https://my.secure.dom
However, in 7.1, if I key in the URL https://my.secure.dom (i.e. without
going through http://my.first.dom), the lock closes and one can view the
certificate info by clicking on it.

I assume this is how it works :
Step 1: certificate presented, accepts and encrypts input from client
browser
Step 2: transmit to mod_ssl enabled Apache2 server
Step 3: Off to Tomcat courtesy of following bits of code :
...
<VirtualHost 192.168.1.3:443>
    ServerName my.dom.com
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /home/king/public_html
    ErrorLog /usr/local/apache2/logs/king_error.log
    CustomLog /usr/local/apache2/logs/king_access.log common
    <IfModule mod_ssl.c>
       SSLEngine on
       SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
       SSLCertificateFile /path/to/ssl/server.crt
       SSLCertificateKeyFile /path/to/server.key
    </IfModule>
    JkExtractSSL on
    JkHTTPSIndicator HTTPS
    JkSESSIONIndicator SSL_SESSION_ID
    JkCIPHERIndicator SSL_CIPHER
    JkCERTSIndicator SSL_CLIENT_CERT
    JkMount /dom ajp13
    JkMount /dom/* ajp13
</VirtualHost>
...
Step 4 : FIX ME - does Apache2 unencrypt content before passing on to
Tomcat ???
Step 5 : FIX ME - does Tomcat pass db data back to Apache2 and the data
get encrypted there ???


If anyone out there has similar or diff experience, please share it.

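The comparison done by eye above (credentials readable in the NYTimes capture, nothing readable once mod_ssl is on) can be automated. The script below is an added example, not code from the thread or from Apache/Tomcat: it classifies the first bytes of a captured TCP payload as cleartext HTTP or a TLS record, and for cleartext form posts lists which credential-looking fields went over the wire unprotected. The two sample payloads are constructed to mirror the captures in the post; they are not real tcpdump output.

```python
"""Classify captured TCP payloads as cleartext HTTP or TLS, and flag
credential-bearing form fields in cleartext POST bodies.

Added example; the sample captures below are constructed, not real
tcpdump output, and the field-name list is an assumption."""
from urllib.parse import parse_qs

# Constructed sample: a cleartext HTTP POST shaped like the login capture
HTTP_LOGIN = (
    b"POST /auth/login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b"USERID=niemand&PASSWORD=geheimnis&log=Log+In"
)
# Constructed sample: start of a TLS 1.0 ClientHello record
# (content type 0x16 = handshake, version 3.1, length, then handshake type 1)
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B,
                   0x03, 0x01]) + b"\x00" * 43

# Assumed set of form field names worth flagging when seen in the clear
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "userid", "username", "user"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
# TLS record content types: ChangeCipherSpec, Alert, Handshake, ApplicationData
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def classify_payload(payload):
    """Return 'http', 'tls' or 'unknown' for the start of a TCP stream."""
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "http"
    # A TLS record starts with a content type byte and a 0x03,0x0X version
    if (len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return "tls"
    return "unknown"


def parse_http_request(payload):
    """Split a raw HTTP request into (request line, header dict, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def exposed_credentials(payload):
    """Names of sensitive form fields sent in the clear; [] if none or not HTTP."""
    if classify_payload(payload) != "http":
        return []
    _, headers, body = parse_http_request(payload)
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return sorted(f for f in fields if f.lower() in SENSITIVE_FIELDS)


if __name__ == "__main__":
    for label, capture in (("cleartext login", HTTP_LOGIN), ("tls hello", TLS_HELLO)):
        kind = classify_payload(capture)
        print(f"{label}: {kind}, exposed fields: {exposed_credentials(capture)}")
```

Run against the browser-to-Apache side of the capture, the HTTPS stream classifies as `tls` and nothing is flagged. The same check applied to the Apache-to-Tomcat hop would still show cleartext, because mod_ssl terminates TLS inside Apache and mod_jk forwards the already-decrypted request over AJP; the `JkExtractSSL` directives in the VirtualHost above only pass the SSL session details along as request attributes, they do not encrypt that hop.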

Ralph Einfeldt wrote:
> 
> One way to verify this, is to use a packet sniffer
> and watch the packets that are exchanged between server
> and browser.
> 
> Under linux you can use tcpdump.
>   http://www.tcpdump.org/
> 
> 
> tcpdump has also a windows brother (or sister):
>   http://windump.polito.it/
> 
> Under linux and windows you can use ethereal:
>   http://www.ethereal.com/
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 05, 2003 9:17 AM
> > To: [EMAIL PROTECTED]
> > Subject: Off topic : any tools for testing mod_ssl/OpenSSL ???
> >
> >
> > Hi All.
> > I have got my Apache mod_ssl/OpenSSL talking with Tomcat nicely using
> > MSIE5, Netscape 6.2 and Mozilla.
> > On Netscape 7.1, it says I am transmitting in clear text for all to see
> > AFTER logging in and accepting the certificate !?! Somehow I
> > doubt that,
> > I think it is telling me fibs.
> > Are there any tools to test whether the transmission is in clear text ?
> > TIA :-)
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
> >
> 
