If you are using Tomcat + Apache, the activity between Tomcat and Apache on the connector is not secure. It is not encrypted.

SSL Request -> Apache -> Decrypted by Apache -> Sent to Connector -> Sent to Tomcat on Connector port -> reply back to Apache -> Response encrypted by Apache -> SSL Response to Client

As far as Tomcat is concerned, the request isn't secure...all Tomcat sees is a typical request on a connector port. Perhaps there is some code in isSecure() that can differentiate, but I would be surprised if there was.

John

> -----Original Message-----
> From: Randy Secrist [mailto:tomcat@;secristfamily.com]
> Sent: Wednesday, October 30, 2002 5:24 PM
> To: Tomcat Users List
> Subject: Re: Tomcat SSL w/ Apache
>
> I played around with the config for a few hours today - didn't get any results. Having read that about name based hosting before, I switched to IP based vhosting... - after popping in a few network cards...
>
> What happens now is the same as before...
>
> 1) I switch to HTTPS - and I get the standard warning about self signed certificates...
> 2) I accept it...
> 3) Tomcat gets and compiles the request...showing isSecure is false...when it should be true
> 4) And apache feeds me the page via https, and the browser reports secure transmission.
> 5) I check Apache's logs... (No errors in SSL via apache side..) Tomcat's logs were garbled until I cleaned up my virtual host files - but now they appear to be fine... - no errors.
>
> Somewhere in there, Tomcat is getting the request - because it compiles the JSP directives, and returns false when calling <%=request.isSecure()%> However as noted above - this happens when using https! If I do the same thing on my linux box - it works just fine - (albeit I didn't compile apache myself on that thing... - but that shouldn't matter - because SSL does work - just NOT with Tomcat...)
>
> Here is the relevant part of my httpd.conf...
> - note - NameVirtualHost * is commented out prior to this...
> - does _default_:443 - mean it is still trying to use a default named Vhost, or a default IP?
>
> <IfModule mod_ssl.c>
> <VirtualHost _default_:443>
>     DocumentRoot c:/web/Tomcat-4-1/webapps/ROOT
>     ErrorLog logs/ssl-error_log
>     TransferLog logs/ssl-access_log
>     SSLEngine on
>     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>     SSLCertificateFile conf/ssl/myDomain.cert
>     SSLCertificateKeyFile conf/ssl/myDomain.key
>     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>     CustomLog logs/ssl_request_log \
>         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>     RewriteEngine On
>     RewriteOptions inherit
> </VirtualHost>
> </IfModule>
>
> ----- Original Message -----
> From: "Robert L Sowders" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Sent: Wednesday, October 30, 2002 12:51 AM
> Subject: Re: Tomcat SSL w/ Apache
>
> > The configuration you describe for virtual hosts is correct except that for SSL to work correctly in Apache you have to use IP based virtual hosting. Name based virtual hosting will give you errors. See http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
> >
> > rls
> >
> > "Randy Secrist" <[EMAIL PROTECTED]>
> > 10/29/2002 07:58 PM
> > Please respond to "Tomcat Users List"
> >
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > cc:
> > Subject: Tomcat SSL w/ Apache
> >
> > I have an interesting problem that I don't know much about. I am integrating Apache with Tomcat using mod_jk - and I have it mostly working. The only real problem I have left - is getting SSL - which appears to be working with Apache - to work with Tomcat.
> >
> > I have both HTTP connectors disabled in Tomcat. The only connector I have up is Coyote's AJP on 8009. (Via tomcat 4.1.12).
> >
> > When I switch to https and accept my self generated certificate, the browser returns the compiled jsp page, without any non secure warnings... - but if I call <%=request.isSecure()%> - it returns FALSE - even though I am using HTTPS. I'm not sure why this could be happening.
> >
> > In Apache - I have 2 virtual hosts mapped to the same domain name - on different ports - because I couldn't get it to work right with just one.
> >
> > mydomain.com:80
> > and
> > mydomain.com:443 (with all my SSL directives...)
> >
> > Could anyone offer advice?
> >
> > Randy
