Mark,

On 2/27/18 3:54 PM, Mark A. Claassen wrote:
> From what I have read, it seems that the AJP connector is not 
> secure, and is meant to be used in a protective environment.
> There are lots of things that imply this, like no SSL settings and
> such, but I cannot find it directly stated anywhere.  I am pretty 
> confident in my read of this, but it is, of course, difficult to 
> say that "all options have been explored and it is not possible".

AJP is definitely a cleartext protocol, and offers no encryption
capabilities. If you want to secure it, you will have to use some
tunneling technology such as a VPN, stunnel, etc.

> First of all, am I correct in my assertion that it cannot be made 
> secure?

Theoretically, it can be made to be secure, but it would require a
great deal of work and honestly, it's probably not worth it. The
protocol is mature and nobody really feels like retrofitting
encryption into it.

> And, if so, I would invite you (or us, the community!) to consider
> modifying the documentation to state this.  Maybe something like:
> 
> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP 
> Connector element represents a Connector component that
> communicates with a web connector via the AJP protocol. [This is an
> unencrypted connector, intended for use in protected environments.]
> This is used for cases where you wish to invisibly integrate Tomcat
> into an existing (or new) Apache installation, and you want Apache
> to handle the static content contained in the web application,
> and/or utilize Apache's SSL processing.

That seems reasonable. Care to provide a documentation patch? You'll
get your name into the change log ;)

-chris