Mark,
On 27.02.2018 21:54, Mark A. Claassen wrote:
> From what I have read, it seems that the AJP connector is not secure, and is meant to be
> used in a protective environment. There are lots of things that imply this, like no SSL
> settings and such, but I cannot find it directly stated anywhere. I am pretty confident
> in my read of this, but it is, of course, difficult to say that "all options have
> been explored and it is not possible".
I would /not/ state that it's /not secure/. But I'm following your later
argument: It's an "unencrypted connector", yes. In order to encrypt it,
it needs to be run through an encrypted tunnel - and doing so is
cumbersome, error prone and unrelated to the unencrypted nature of this
connector.
Why would I /not/ state that it's "not secure"? Because I wouldn't make
/any/ statement about /any/ component's /security/. Security is always
only about being secure /enough/. I'd happily make a statement about
AJP's /encryptedness/ though (if that's a word. I assume it is now).
Also, I wouldn't call https /secure/ per se - it's /typically
encrypted/, but there are several options to make it horribly insecure
(and I'm not talking about the ancient PLAINTEXT cipher suite - name
from memory). Just the fact that the keystores must be readable by the
tomcat user makes me delegate TLS-handling to Apache httpd. Any
vulnerability of any webapp might otherwise compromise my private keys.
> First of all, am I correct in my assertion that it cannot be made secure?
Nope. Add a VPN. Now it's secure. Might not be secure up to everybody's
standard, but to some it would be secure /enough/.
> And, if so, I would invite you (or us, the community!) to consider modifying
> the documentation to state this. Maybe something like:
> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
> The AJP Connector element represents a Connector component that communicates
> with a web connector via the AJP protocol. [This is an unencrypted connector,
> intended for use in protected environments.] This is used for cases where you
> wish to invisibly integrate Tomcat into an existing (or new) Apache
> installation, and you want Apache to handle the static content contained in the
> web application, and/or utilize Apache's SSL processing.
After having said, what I said above: I wouldn't object to your
additional sentence. On the other hand, I'd expect any admin to figure
out missing encryption from the missing key/cert options on their own,
and not just set up a random production server after browsing reference
documentation with whatever config option they happen to find first on
stackoverflow.
Wishful thinking, I know, after seeing so many "chmod -r 777 *".
And yes, I rambled - couldn't resist. While I wouldn't object to your
proposed change, I believe that the world wouldn't be notably better
with it.
Olaf
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org