Confused with SSL configuration and Tomcat
Our application runs in two frameworks. One uses HTTPS, one does not. I am trying to configure the Tomcat connectors to work, but when I get it working in one framework it does not work in the other.
I have been told we do not need to 'handle' SSL totally as this is handled by our load balancers. Not sure what this means.
For example: In one framework we'll get permission denied errors and the other will work. If we change things around the opposite occurs but instead of permission errors we get invalid certificate error.
The Tomcat documentation on connectors does not describe the options very well. Any idea what we are doing wrong?
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000"/>
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="false" maxThreads="150" scheme="https" secure="false" clientAuth="false" sslProtocol="TLS"/>
The above connectors work with the HTTP framework but give me the "mixed content warning" in IE because some requests are HTTP and some HTTPS.
Any help would be greatly appreciated.
If you have a connector listening on port 443, it should have SSL enabled, because that is the HTTPS port and browsers will send an SSL ClientHello message as soon as they connect; the server won't understand this unless it is SSL-enabled.
It could be that your load-balancer is terminating SSL connections, and forwarding the requests to Tomcat over plain HTTP. In that case, you don't need a connector on port 443.
However, it sounds like one of your applications might be using client certificates to perform authentication. Look at the login-config elements in your web.xml files. What authentication methods are in use?
If you require client certificates, but SSL is terminated at the load balancer, authentication cannot work, because the client certificate never reaches Tomcat.
If you're behind a load-balancer, such as Apache Httpd with mod_proxy (in reverse mode), the SSL connection will be from the browser to the load-balancer (as "erickson" said). You may indeed check login-config in your web.xml file (to check whether you're using CLIENT-CERT).
Another problem you may encounter is the transport-guarantee element in web.xml:
<security-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
It seems there is a way to force this with a custom valve when you're sure you're being a secure load-balancer. Here is an article on the subject (translated from French).
The most likely cause for mixed content is loading images that are not hosted on SSL. You might find that there's a company logo hard-coded with http:// in the template somewhere, or perhaps some Location headers return an http:// URL.
The latter can be fixed using a configuration like this in Apache Httpd (assuming it's your load balancer), where you'd need to replace it with the correct address of course:
Header edit Location ^http://www.example.com/test/ https://www.example.com/test/
Many sites (even from big companies) mix content. This is actually a bad thing because:
- The user can't really know which parts of the page are secure and which aren't, without looking at all the requests and perhaps the source of the page.
- Some leak cookies and information from the HTTPS request to the plain HTTP request. If someone catches that cookie over plain HTTP, they could potentially use it over HTTPS, as an impostor. (More particularly when cookies without the secure flag are used.)
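To show how the "valve" approach mentioned above fits together with the transport-guarantee problem, here is an added server.xml fragment (not from the question or either answer) for Tomcat sitting behind a TLS-terminating load balancer. It uses Tomcat's standard RemoteIpValve; the port 8080, the X-Forwarded-* header names and the two proxy addresses in internalProxies are assumptions for the example.

```xml
<!-- server.xml: Tomcat behind a load balancer that terminates TLS (example, not the poster's config) -->
<Service name="Catalina">
  <!-- One plain-HTTP connector only. The browser's TLS session ends at the load
       balancer, which forwards to this port. There is no connector on 443, and no
       SSLEnabled="false" connector claiming scheme="https" (that is what produced
       the ClientHello/certificate errors described in the question). -->
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />

  <Engine name="Catalina" defaultHost="localhost">
    <!-- RemoteIpValve rewrites the request from the forwarded headers: when
         X-Forwarded-Proto is "https" the request becomes secure (scheme https,
         server port 443, request.isSecure() true). A <transport-guarantee>
         CONFIDENTIAL</transport-guarantee> is then satisfied instead of Tomcat
         redirecting to an https URL that just comes back over plain HTTP.
         Only requests whose peer address matches internalProxies have their
         headers honoured; every other client's X-Forwarded-Proto is ignored,
         so a direct caller cannot spoof "https" and bypass CONFIDENTIAL. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpsServerPort="443"
           internalProxies="10\.0\.0\.10|10\.0\.0\.11" />
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false" />
  </Engine>
</Service>
```

The load balancer must set the header itself and overwrite any value sent by the browser (in an Apache Httpd :443 virtual host with mod_headers: RequestHeader set X-Forwarded-Proto "https"). If every request reaching Tomcat came over HTTPS at the load balancer, the simpler alternative is scheme="https" secure="true" proxyPort="443" on the connector itself, but that does not work for a mixed HTTP/HTTPS setup like the one in the question.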