Is this possible? mod_jk <==SSL==> AJP/1.3
- From: dfelicia <donf.lists (at) runbox.com>
- Date: Thu, 7 Dec 2006 11:46:36 -0800 (PST)
Can traffic between mod_jk and Tomcat's AJP connector be encrypted (without
using ssh/stunnel)?
I see SSL mentioned in the doc for AJP, but it's clear as mud:
http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html
So, in Apache, I am using SSL and mod_jk. I set these parameters per the
mod_jk doc:
# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkExtractSSL On
# What is the indicator for SSL (default is HTTPS)
JkHTTPSIndicator HTTPS
# What is the indicator for SSL session (default is SSL_SESSION_ID)
JkSESSIONIndicator SSL_SESSION_ID
# What is the indicator for client SSL cipher suite (default is SSL_CIPHER)
JkCIPHERIndicator SSL_CIPHER
# What is the indicator for the client SSL certificate (default is SSL_CLIENT_CERT)
JkCERTSIndicator SSL_CLIENT_CERT
In Tomcat's server.xml, I have defined an AJP/1.3 connector like so:
<Connector port="8202" protocol="AJP/1.3" URIEncoding="UTF-8"
scheme="https" secure="true" clientAuth="false" />
(mod_jk worker uses this connection)
It works whether I set scheme and secure or not. Is the communication
encrypted? (If so, I'd wonder how since Tomcat knows nothing of my CA's
public key or my keystore.)
What am I missing?
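For reference, an added example that is not part of the original post and is not Tomcat or mod_jk code: AJP/1.3 defines no encryption of its own, so a Forward Request crosses the wire as plain bytes, with the front end's SSL details (the is_ssl flag and the ssl_cert, ssl_cipher, ssl_session and ssl_key_size attributes) carried as ordinary fields. The Python decoder below reads them from a constructed packet; the function names and all sample values are assumptions made for illustration.

```python
import struct

# AJP13 attribute codes that carry the front end's TLS details.
SSL_ATTRS = {0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session", 0x0B: "ssl_key_size"}

def ajp_str(text):  # AJP string: 2-byte big-endian length, the bytes, then a NUL
    return struct.pack(">H", len(text)) + text.encode("latin-1") + b"\x00"

def build_sample():  # constructed Forward Request for one HTTPS hit; every value is made up
    fields = ("HTTP/1.1", "/app/login", "192.0.2.10", "client.example", "www.example")
    body = b"\x02\x02" + b"".join(map(ajp_str, fields))  # forward request, GET
    body += struct.pack(">HBH", 443, 1, 1)        # server_port, is_ssl, header count
    body += b"\xa0\x0b" + ajp_str("www.example")  # coded header name 0xA00B = host
    body += b"\x08" + ajp_str("AES256-SHA")       # ssl_cipher
    body += b"\x09" + ajp_str("0A1B2C3D")         # ssl_session
    body += b"\x0b" + struct.pack(">H", 256)      # ssl_key_size (integer)
    return b"\x12\x34" + struct.pack(">H", len(body) + 1) + body + b"\xff"

def decode_forward_request(packet):  # fields and TLS metadata readable straight off the wire
    magic, length = struct.unpack_from(">HH", packet, 0)
    if magic != 0x1234 or length != len(packet) - 4 or packet[4] != 0x02:
        raise ValueError("not a complete AJP13 Forward Request")
    pos = 6  # skip magic, length, prefix code, method code
    def read_int():
        nonlocal pos
        pos += 2
        return struct.unpack_from(">H", packet, pos - 2)[0]
    def read_str():
        nonlocal pos
        n = read_int()
        if n == 0xFFFF:  # AJP encoding of a null string
            return None
        pos += n + 1  # payload plus trailing NUL
        return packet[pos - n - 1:pos - 1].decode("latin-1")
    out = {k: read_str() for k in ("protocol", "uri", "remote_addr", "remote_host", "server_name")}
    out["server_port"] = read_int()
    out["is_ssl"], pos = bool(packet[pos]), pos + 1
    for _ in range(read_int()):
        read_int() if packet[pos] == 0xA0 else read_str()  # coded or literal header name
        read_str()  # header value
    while packet[pos] != 0xFF:  # 0xFF terminates the attribute list
        code, pos = packet[pos], pos + 1
        value = read_int() if code == 0x0B else read_str()
        if code == 0x0A:  # req_attribute is a name/value pair
            value = (value, read_str())
        if code in SSL_ATTRS:
            out[SSL_ATTRS[code]] = value
    return out
```

Nothing in the decoder needs a key: the URI, cipher name and session identifier are recovered by parsing alone, which is what anyone positioned between the web server and the connector port would see.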