views: 41
answers: 2

Our application runs in two frameworks. One uses https, one does not. I am trying to configure the Tomcat connectors to work, but when I get it working in one framework it does not work in the other.

I have been told we do not need to 'handle' SSL totally as this is handled by our load balancers. Not sure what this means.

For example: In one framework we'll get permission denied errors and the other will work. If we change things around the opposite occurs but instead of permission errors we get invalid certificate error.

The tomcat documentation on connectors does not describe the options very well. Any idea what we are doing wrong?

<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000"/>

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="false" maxThreads="150" scheme="https" secure="false" clientAuth="false" sslProtocol="TLS"/>

The above connectors work with the http framework but give me the "mixed content warning" in IE because some requests are http and some https.

Any help would be greatly appreciated.
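An added configuration example (not posted by the asker or by either answerer) showing how the two connectors above are usually written when a load balancer terminates TLS and forwards plain HTTP to Tomcat. The ports 8080/8443, the proxy address range and the X-Forwarded-Proto header are assumptions about the load balancer; adjust them to the real setup.

```xml
<!-- Added example: Tomcat behind a TLS-terminating load balancer.
     Tomcat never sees the certificate, so SSLEnabled stays off on both
     connectors. Ports 8080/8443 and the 10.0.0.x proxy range are placeholders. -->

<!-- Requests the load balancer received over plain HTTP -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           proxyPort="80"/>

<!-- Requests the load balancer received over HTTPS and forwards as plain HTTP.
     The connection to Tomcat is not encrypted, but scheme="https" secure="true"
     and proxyPort="443" make request.isSecure() true and make Tomcat build
     redirects (Location headers) and cookies as https://host/ instead of
     http://host:8443/. A CONFIDENTIAL transport-guarantee is then satisfied
     rather than causing a redirect loop back through the load balancer. -->
<Connector port="8443" protocol="HTTP/1.1" connectionTimeout="20000"
           scheme="https" secure="true" proxyPort="443"/>

<!-- Alternative: a single plain connector plus Tomcat's built-in RemoteIpValve
     (Tomcat 6.0.24 and later), which marks a request secure when the load
     balancer sends X-Forwarded-Proto: https. Only trust that header from the
     balancer's own addresses (internalProxies is a regular expression). -->
<Engine name="Catalina" defaultHost="localhost">
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         remoteIpHeader="X-Forwarded-For"
         internalProxies="10\.0\.0\.\d{1,3}"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https"/>
  <Host name="localhost" appBase="webapps"/>
</Engine>
```

With either form, the connector that receives the balancer's HTTPS traffic must be unreachable from outside the balancer; otherwise anyone who can connect to port 8443 directly (or who can spoof X-Forwarded-Proto from an address matching internalProxies) gets a request Tomcat treats as secure over a plain-text connection.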

A: 
erickson
It doesn't look like client-certificates were needed here, but you can actually pass client-certificates to Tomcat by using mod_headers and something like this for mod_proxy (also possible without mod_headers with mod_jk):

SSLOptions +StdEnvVars +ExportCertData
RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e
Bruno
A: 

If you're behind a load-balancer, such as Apache Httpd with mod_proxy (in reverse mode), the SSL connection will be from the browser to the load-balancer (as "erickson" said). You may indeed check login-config in your web.xml file (to check whether you're using CLIENT-CERT).

Another problem you may encounter is the transport-guarantee element in web.xml:

<security-constraint>
   <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
</security-constraint>

It seems there is a way to force this with a custom valve when you're sure you're behind a secure load-balancer. Here is an article on the subject (translated from French).

The most likely cause for mixed-content is loading images that are not hosted on SSL. You might find that there's a company logo hard-coded with http:// in the template somewhere, or perhaps some Location headers return an http:// URL. The latter can be fixed using a configuration like this Apache Httpd (assuming it's your load-balancer), where you'd need to replace it with the correct address of course:

Header edit Location ^http://www.example.com/test/ https://www.example.com/test/

Many sites (even from big companies) mix content. This is actually a bad thing because:

  • The user can't really know which parts of the page are secure and which aren't, without looking at all the requests and perhaps the source of the page.
  • Some leak cookies and information from the HTTPS request to the plain HTTP request. If someone catches that cookie over plain HTTP, they could potentially use it over HTTPS, as an impostor. (More particularly when cookies without the secure flag are used.)
Bruno
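An added example (not part of Bruno's answer) that turns the three problems he lists into checks you can run against a captured response: resources on an HTTPS page that a browser would fetch over plain http://, a Location header that redirects back to http://, and Set-Cookie headers that lack the Secure flag. The page URL, the HTML and the headers below are constructed sample data, not output from the asker's application.

```python
"""Audit an HTTPS response for mixed content, http:// redirects and insecure cookies."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs the browser fetches automatically (constructed, not exhaustive).
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "iframe": ("src",),
    "source": ("src",),
    "embed": ("src",),
    "object": ("data",),
}
# <link> is only a fetched resource for these rel values (a canonical link is not).
FETCHED_LINK_RELS = {"stylesheet", "icon", "shortcut icon"}


class _ResourceCollector(HTMLParser):
    """Collect every URL the browser would request while rendering the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): value for name, value in attrs if value is not None}
        tag = tag.lower()
        if tag == "link":
            if attrs.get("rel", "").lower() in FETCHED_LINK_RELS and attrs.get("href"):
                self.urls.append(attrs["href"])
            return
        for name in RESOURCE_ATTRS.get(tag, ()):
            if attrs.get(name):
                self.urls.append(attrs[name])


def find_mixed_content(html, page_url):
    """Return absolute http:// URLs a browser would fetch from this HTTPS page.

    Relative paths and scheme-relative URLs (//host/...) inherit the page's
    https scheme, so only hard-coded http:// references are reported."""
    collector = _ResourceCollector()
    collector.feed(html)
    insecure = []
    for raw in collector.urls:
        # srcset holds comma-separated "url descriptor" candidates; plain src has one.
        for candidate in raw.split(","):
            fields = candidate.split()
            if not fields:
                continue
            absolute = urljoin(page_url, fields[0])
            if urlsplit(absolute).scheme == "http":
                insecure.append(absolute)
    return insecure


def insecure_location(headers):
    """Return a Location header that sends the client to http://, or None."""
    for name, value in headers:
        if name.lower() == "location" and value.strip().lower().startswith("http://"):
            return value.strip()
    return None


def cookies_without_secure(headers):
    """Return names of cookies set without the Secure attribute.

    Such a cookie is sent on any plain http:// request to the host, where it
    can be captured and replayed against the https:// site."""
    names = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        if not any(p.lower() == "secure" for p in parts[1:]):
            names.append(parts[0].split("=", 1)[0])
    return names


# Constructed sample response, modelled on the symptoms in the question.
SAMPLE_URL = "https://www.example.com/test/index.jsp"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/test/static/site.css">
<link rel="canonical" href="http://www.example.com/test/">
<script src="//www.example.com/test/static/app.js"></script>
</head><body>
<img src="http://www.example.com/images/logo.png" alt="hard-coded logo">
<img src="https://cdn.example.net/a.png" srcset="http://cdn.example.net/a@2x.png 2x">
</body></html>"""
SAMPLE_HEADERS = [
    ("Location", "http://www.example.com/test/home.jsp"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/test; HttpOnly"),
    ("Set-Cookie", "pref=dark; Path=/; Secure"),
]

if __name__ == "__main__":
    print("mixed content:", find_mixed_content(SAMPLE_HTML, SAMPLE_URL))
    print("http redirect:", insecure_location(SAMPLE_HEADERS))
    print("cookies without Secure:", cookies_without_secure(SAMPLE_HEADERS))
```

On the sample, the logo and the 2x srcset candidate are reported as mixed content while the relative stylesheet and the scheme-relative script are not; the Location header is flagged; and JSESSIONID is the cookie that would leak over plain HTTP.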