Olaf,
On 2/27/18 4:33 PM, Olaf Kock wrote:
> On 27.02.2018 21:54, Mark A. Claassen wrote:
>> From what I have read, it seems that the AJP connector is not
>> secure, and is meant to be used in a protective environment.
>> There are lots of things that imply this, like no SSL settings
>> and such, but I cannot find it directly stated anywhere. I am
>> pretty confident in my read of this, but it is, of course,
>> difficult to say that "all options have been explored and it is
>> not possible".
>
> I would /not/ state that it's /not secure/. But I'm following your
> later argument: It's an "unencrypted connector", yes. In order to
> encrypt it, it needs to be run through an encrypted tunnel - and
> doing so is cumbersome, error prone and unrelated to the
> unencrypted nature of this connector.

We use stunnel in production to tunnel AJP from AWS-based web servers
and our back-end co-located app servers. We haven't had any problems
with that set up vis-a-vis connection failures or anything like that.
We haven't even had any issues with running out of file-handles for
stunnel.

So, yes, it's another component to configure and babysit, but I
wouldn't call it "cumbersome"... merely "more than you might expect"
when HTTPS through mod_proxy_http is an alternative.

> And yes, I rambled - couldn't resist. While I wouldn't object with
> your proposed change, I believe that the world wouldn't be notably
> better with it.

I disagree: I can imagine many administrators (or developers, who
often do make these decisions) overlooking the fact that AJP is a
plaintext protocol. It's definitely worth mentioning that fact, and
that it should only be used over trusted channels where anyone
observing the traffic is an acceptable risk.
-chris
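The set-up described in the message above (plain AJP confined to loopback on each host, stunnel carrying it between the web tier and the app tier over mutually authenticated TLS) as a worked configuration. This is an added example written for this page, not Chris's, Olaf's or the Tomcat project's own configuration. The hostnames, ports, certificate paths and section names are constructed; it assumes stunnel 5.x (where `verifyChain` exists; older releases express the same check as `verify = 2`), that Tomcat's AJP connector is bound with `address="127.0.0.1"` on port 8009, and that httpd's mod_proxy_ajp on the web server targets `ajp://127.0.0.1:8009/`. Only TCP/8010 needs to be reachable from the web tier; the AJP port itself never leaves the host.

```ini
; ---- stunnel.conf on each AWS web server (TLS client side) ----
; httpd sends plaintext AJP to 127.0.0.1:8009; stunnel encrypts it
; before it leaves the host. Nothing listens on 8009 except this loopback
; endpoint, so AJP traffic is never observable on the network.
pid = /var/run/stunnel-ajp.pid
setuid = stunnel
setgid = stunnel

[ajp-to-app1]
client = yes
; local plaintext side (loopback only)
accept = 127.0.0.1:8009
; remote TLS side; constructed hostname and port
connect = app1.example.internal:8010
; this web server's own certificate, presented to the app server
cert = /etc/stunnel/web.pem
key = /etc/stunnel/web.key
; private CA that signed both the web and app server certificates
CAfile = /etc/stunnel/internal-ca.pem
; verify the app server's chain up to CAfile (stunnel 5.x; older: verify = 2)
verifyChain = yes
; reject a valid certificate issued for some other host
checkHost = app1.example.internal

; ---- stunnel.conf on the co-located app server (TLS server side) ----
; Terminates TLS from the web tier and hands plaintext AJP to Tomcat,
; whose AJP connector is bound to address="127.0.0.1" port 8009.
; TCP/8010 is the only port exposed to the web servers.
[ajp-from-web]
; public TLS side
accept = 0.0.0.0:8010
; Tomcat's loopback-only AJP connector
connect = 127.0.0.1:8009
cert = /etc/stunnel/app1.pem
key = /etc/stunnel/app1.key
CAfile = /etc/stunnel/internal-ca.pem
; requires and verifies a client certificate signed by the internal CA,
; so only enrolled web servers can reach the AJP connector at all
verifyChain = yes
```

Two checks are worth running after deploying this: confirm with `ss -ltnp` (or `netstat`) on the app server that 8009 is bound to 127.0.0.1 only and that 8010 is the only stunnel listener reachable from the web tier, and confirm that a connection to 8010 without a client certificate is refused, which is what makes the trust boundary the message describes ("trusted channels") an enforced one rather than a network assumption.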