On Wed, Jul 22, 2015 at 2:50 AM, Peter Boy <pboy@xxxxxxxxxxxxxxxxxxxxx> wrote: > > I appreciate very much we’ll keep tomcat-native in the Fedora repositories, thanks to Lorenzo. Although, I don’t grasp how Java Keystores could be a replacement. I thought the biggest use of tomcat-native was to provide high capacity native HTTPS support in tomcat, rather than requiring a load balancer or proxy for HTTPS termination. SSL support for modest loads is available by default with Java keystores in every version of Tomcat I've dealt with. See https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html. I've not seen direct performance comparisions between using Java keystore on a modern Tomcat, and using tomcat-native. If anyone I'd welcome any figures, I'm curious now! I've nothing *against* tomcat-native if it works, but I suspect many who use it do so simply to keep SSL keys in the same format as Apache or other tools use them, and are uninterested in the bother of putting the keys into Java keystore format, or the bother of using a proxy for SSL termination. They may also be concerned about the potential performance hit of using keystores. I recently pulled tomcat-native out of several hosts and switched to using Java keystores, and it worked perfectly. There may be some real performance benefits of tomcat-native: it's difficult to imagine that a Java SSL mechanism can be as fast as a a heavily optimized, long-supported OpenSSL toolkit. But using a good proxy also allows tomcat to remain on port 8080 internally without having to set up local firewall rules to remap port 80 to 8080 for web traffic, and the termination allows forwarding external, encrypted port 443 to unencrypted internal port 8080. For those who haven't dealt with it: tomcat normally runs on port 8080, as an unprivileged user. Supporting port 80 or 443 means either putting a proxy in front of it, or running port forwarding in iptables or with authbind. This is partly because, unless you run tomcat as the root user, it can't directly open port 80 or 443 on a normal Linux system. And while I've seen people run tomcat as a root user, it's usually an exceptionally bad idea on any system you'd like to keep secure. Very few java application developers are paying a great deal of attention to security. In fact, is there any compelling security reason not to use an SSL terminating proxy such as nginx or squid, or a third-party load balancer? There is one obvious reason: to prevent man-in-the-middle of the unencrypted traffic between the proxy and the Tomcat, and to be able to say that the encryption between client and the web service is end-to-end. And for that, yes, you need something like tomcat-native or keystore. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct