Hi All.

TCPDUMP-ing the login for NYTimes.com as a control group I can certainly see USERID and PASSWORD (and other things) eg.

...
Referer: http://www.nytimes.com/auth/login
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)
Host: www.nytimes.com
Content-Length: 84
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: RMID; tpopunder_orbitz23a-nyt4; NYT-S; nyt-d; tpopunder_orbitz23-nyt4; spopunder; NYT_GR=3f3069f9-eD5iDGvcR1EwqdL/n8+qGA

is_continue=true&URI=&OQ=&USERID=niemand&PASSWORD=geheimnis&log=Log+In&SAVEOPTION=YES÷ 1?&(r)
...

After enabling httpd with mod_ssl, the TCPDUMP from the following client browsers are mostly NOT human-readable :

* Mozilla
* MSIE5
* Netscape 6.2
* Netscape 7.1 (which is the bee in the bonnet)

They all present the login dialogue box and the "untrusted self-signed certificate" screen.

Therefore it might be a bug with 7.1, which seemingly does not report an embedded secure link from an unsecured page as such, eg. from http://my.first.dom which has a link to https://my.secure.dom
However, in 7.1, if I key in the URL https://my.secure.dom (ie without going through http://my.first.dom), the lock closes and one can view the certificate info by clicking on it.
I assume this is how it works :

Step 1: certificate presented, accepts and encrypt input from client browser
Step 2: transmit to mod_ssl enabled Apache2 server
Step 3: Off to Tomcat courtesy of following bits of code :

...
<VirtualHost 192.168.1.3:443>
    ServerName my.dom.com
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /home/king/public_html
    ErrorLog /usr/local/apache2/logs/king_error.log
    CustomLog /usr/local/apache2/logs/king_access.log common
    <IfModule mod_ssl.c>
        # mod_ssl terminates TLS for this vhost
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /path/to/ssl/server.crt
        SSLCertificateKeyFile /path/to/server.key
    </IfModule>
    # mod_jk: pass SSL session details to Tomcat as request attributes
    JkExtractSSL on
    JkHTTPSIndicator HTTPS
    JkSESSIONIndicator SSL_SESSION_ID
    JkCIPHERIndicator SSL_CIPHER
    JkCERTSIndicator SSL_CLIENT_CERT
    # mod_jk: hand /dom and everything below it to Tomcat over the ajp13 worker
    JkMount /dom ajp13
    JkMount /dom/* ajp13
</VirtualHost>
...

Step 4 : FIX ME - does Apache2 unencrypt content before passing on to Tomcat ???
Step 5 : FIX ME - does Tomcat pass db data back to Apache2 and the data get encrypted there ???

If anyone out there has similar or diff experience, please share it.

Ralph Einfeldt wrote:
>
> One way to verify this, is to use a packet sniffer
> and watch the packets that are exchanged between server
> and browser.
>
> Under linux you can use tcpdump.
> http://www.tcpdump.org/
>
> tcpdump has also a windows brother (or sister):
> http://windump.polito.it/
>
> Under linux and windows you can use ethereal:
> http://www.ethereal.com/
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 05, 2003 9:17 AM
> > To: [EMAIL PROTECTED]
> > Subject: Off topic : any tools for testing mod_ssl/OpenSSL ???
> >
> > Hi All.
> > I have got my Apache mod_ssl/OpenSSL talking with Tomcat nicely using
> > MSIE5, Netscape 6.2 and Mozilla.
> > On Netscape 7.1, it says I am transmitting in clear text for all to see
> > AFTER logging in and accepting the certificate !?!
> > Somehow I doubt that,
> > I think it is telling me fibs.
> > Are there any tools to test whether the transmission is in clear text ?
> > TIA :-)
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
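The check the poster did by eye on the tcpdump output, automated, as an added example that is not part of the thread: it classifies a captured TCP payload as a readable HTTP request, listing any credential-like form fields it exposes, or as a TLS/SSL record, whose body is opaque. The sample payloads are constructed, not real captures, and the field names treated as sensitive are an assumption. One caveat worth knowing for Steps 4 and 5 above: with mod_ssl and mod_jk, TLS is terminated inside Apache, the AJP13 hop to Tomcat carries the decrypted request, and the JkExtractSSL directives only forward SSL session attributes, so the same classifier run over a capture of the Apache-to-Tomcat link would report plaintext.

```python
"""Classify captured TCP payloads as readable HTTP or opaque TLS/SSL records.

Added example, not from the mailing-list thread. It automates the check the
poster did by eye on tcpdump output: does a login POST cross the wire in the
clear? Sample payloads below are constructed, not real captures.
"""
from urllib.parse import parse_qs

# SSLv3/TLS record header: content type (1 byte), version (2 bytes), length (2 bytes)
TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
# Form field names that, seen in the clear, mean credentials are exposed (assumed list)
SENSITIVE_FIELDS = {"userid", "username", "user", "login", "password", "passwd", "pwd"}


def classify_payload(payload: bytes) -> dict:
    """Return a dict describing the payload: kind 'tls', 'http' or 'unknown'."""
    # SSLv3/TLS record: known type byte, then major version 3 (TLS 1.0-1.3 use minor 1-4)
    if len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 0x03:
        return {
            "kind": "tls",
            "record": TLS_CONTENT_TYPES[payload[0]],
            "version": f"3.{payload[2]}",
            "record_length": int.from_bytes(payload[3:5], "big"),
            "exposed": [],
        }
    # SSLv2 ClientHello: 2-byte length with the high bit set, then message type 1
    if len(payload) >= 3 and payload[0] & 0x80 and payload[2] == 0x01:
        return {
            "kind": "tls",
            "record": "sslv2_client_hello",
            "version": "2.0",
            "record_length": ((payload[0] & 0x7F) << 8) | payload[1],
            "exposed": [],
        }
    if payload.startswith(HTTP_METHODS):
        return _classify_http(payload)
    return {"kind": "unknown", "exposed": []}


def _classify_http(payload: bytes) -> dict:
    """Parse a plaintext HTTP request and list sensitive form fields sent in the clear."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    exposed = []
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("latin-1", errors="replace"), keep_blank_values=True)
        exposed = [name for name in form if name.lower() in SENSITIVE_FIELDS]
    return {
        "kind": "http",
        "request": lines[0],
        "host": headers.get("host", ""),
        "exposed": exposed,
    }


# Constructed samples (the host and credential values are fakes)
PLAINTEXT_LOGIN = (
    b"POST /auth/login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 50\r\n"
    b"\r\n"
    b"is_continue=true&USERID=niemand&PASSWORD=geheimnis"
)
# TLS 1.0 application-data record header followed by 8 opaque ciphertext bytes
TLS_APP_DATA = bytes([0x17, 0x03, 0x01, 0x00, 0x08]) + b"\x9a\x4c\xe1\x07\x3d\xb2\x55\x60"


def report(payloads):
    """Summarise each payload on one line, flagging credential exposure."""
    out = []
    for p in payloads:
        info = classify_payload(p)
        if info["kind"] == "http" and info["exposed"]:
            out.append(f"CLEARTEXT credentials to {info['host']}: {', '.join(info['exposed'])}")
        elif info["kind"] == "tls":
            out.append(f"TLS {info['version']} {info['record']} record, {info['record_length']} opaque bytes")
        else:
            out.append(f"{info['kind']} payload")
    return out


if __name__ == "__main__":
    for line in report([PLAINTEXT_LOGIN, TLS_APP_DATA]):
        print(line)
```

In practice the payloads come from the TCP data of each captured segment (for example what tcpdump or Ethereal show after the IP/TCP headers); the record-header check is what distinguishes the "mostly NOT human-readable" captures from the readable NYTimes login, and the form-field scan is what the control group made visible.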