Mark,

On 27.02.2018 21:54, Mark A. Claassen wrote:
> From what I have read, it seems that the AJP connector is not secure, and is meant to be
> used in a protective environment.  There are lots of things that imply this, like no SSL
> settings and such, but I cannot find it directly stated anywhere.  I am pretty confident
> in my read of this, but it is, of course, difficult to say that "all options have
> been explored and it is not possible".

I would /not/ state that it's /not secure/. But I'm following your later argument: It's an "unencrypted connector", yes. In order to encrypt it, it needs to be run through an encrypted tunnel - and doing so is cumbersome, error-prone and unrelated to the unencrypted nature of this connector.

Why would I /not/ state that it's "not secure"? Because I wouldn't make /any/ statement about /any/ component's /security/. Security is always only about being secure /enough/. I'd happily make a statement about AJP's /encryptedness/ though (if that's a word. I assume it is now).

Also, I wouldn't call https /secure/ per se - it's /typically encrypted/, but there are several options to make it horribly insecure (and I'm not talking about the ancient PLAINTEXT cipher suite - name from memory). Just the fact that the keystores must be readable by the tomcat user makes me delegate TLS-handling to Apache httpd. Any vulnerability of any webapp might otherwise compromise my private keys.

> First of all, am I correct in my assertion that it cannot be made secure?

Nope. Add a VPN. Now it's secure. Might not be secure up to everybody's standard, but to some it would be secure /enough/.

> And, if so, I would invite you (or us, the community!) to consider modifying
> the documentation to state this.  Maybe something like:
>
> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
> The AJP Connector element represents a Connector component that communicates
> with a web connector via the AJP protocol. [This is an unencrypted connector,
> intended for use in protected environments.]  This is used for cases where you
> wish to invisibly integrate Tomcat into an existing (or new) Apache
> installation, and you want Apache to handle the static content contained in the
> web application, and/or utilize Apache's SSL processing.

After having said what I said above: I wouldn't object to your additional sentence. On the other hand, I'd expect any admin to figure out missing encryption from the missing key/cert options on their own, and not just set up a random production server after browsing reference documentation with whatever config option they happen to find first on stackoverflow.

Wishful thinking, I know, after seeing so many "chmod -r 777 *".

And yes, I rambled - couldn't resist. While I wouldn't object to your proposed change, I believe that the world wouldn't be notably better with it.

Olaf

