tomcat-native orphaned

Nico Kadel-Garcia nkadel at gmail.com
Sun Jul 26 11:38:37 UTC 2015


On Wed, Jul 22, 2015 at 2:50 AM, Peter Boy <pboy at barkhof.uni-bremen.de> wrote:
>
> I appreciate very much we’ll keep tomcat-native in the Fedora repositories, thanks to Lorenzo. Although, I don’t grasp how Java Keystores could be a replacement.

I thought the biggest use of tomcat-native was to provide high
capacity native HTTPS support in tomcat, rather than requiring a load
balancer or proxy for HTTPS termination. SSL support for modest loads
is available by default with Java keystores in every version of Tomcat
I've dealt with. See
https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.  I've not
seen direct performance comparisons between using Java keystore on a
modern Tomcat, and using tomcat-native. If anyone has any, I'd welcome
the figures; I'm curious now!

I've nothing *against* tomcat-native if it works, but I suspect many
who use it do so simply to keep SSL keys in the same format as Apache
or other tools use them, and are uninterested in the bother of putting
the keys into Java keystore format, or the bother of using a proxy for
SSL termination. They may also be concerned about the potential
performance hit of using keystores. I recently pulled tomcat-native
out of several hosts and switched to using Java keystores, and it
worked perfectly.

There may be some real performance benefits of tomcat-native: it's
difficult to imagine that a Java SSL mechanism can be as fast as a
heavily optimized, long-supported OpenSSL toolkit. But using a good
proxy also allows tomcat to remain on port 8080 internally without
having to set up local firewall rules to remap port 80 to 8080 for web
traffic, and the termination allows forwarding external, encrypted
port 443 to unencrypted internal port 8080.

For those who haven't dealt with it: tomcat normally runs on port
8080, as an unprivileged user. Supporting port 80 or 443 means either
putting a proxy in front of it, or running port forwarding in iptables
or with authbind. This is partly because, unless you run tomcat as the
root user, it can't directly open port 80 or 443 on a normal Linux
system. And while I've seen people run tomcat as a root user, it's
usually an exceptionally bad idea on any system you'd like to keep
secure. Very few java application developers are paying a great deal
of attention to security.

In fact, is there any compelling security reason not to use an SSL
terminating proxy such as nginx or squid, or a third-party load
balancer? There is one obvious reason: to prevent man-in-the-middle of
the unencrypted traffic between the proxy and the Tomcat, and to be
able to say that the encryption between client and the web service is
end-to-end. And for that, yes, you need something like tomcat-native
or keystore.
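To make the keystore-versus-native question concrete, here is an added example (not from the original thread or the Tomcat project) of the three server.xml connector setups discussed above: the tomcat-native/APR connector that reads the same PEM files Apache httpd uses, the stock JSSE connector that reads a keystore, and a plain connector on 8080 behind a TLS-terminating proxy. File paths, the keystore password and the proxy hostname are placeholders; a real deployment picks one of the three rather than running all of them.

```xml
<!-- Added example; paths, passwords and hostnames are placeholders. -->
<Service name="Catalina">

  <!-- (a) tomcat-native (APR): TLS handled by OpenSSL, keys stay in PEM format. -->
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             SSLCertificateFile="/etc/pki/tls/certs/example.crt"
             SSLCertificateKeyFile="/etc/pki/tls/private/example.key" />

  <!-- (b) stock JSSE connector: same cert and key, packed into a keystore.
       A PKCS12 file built from the PEM pair is accepted directly, e.g.:
         openssl pkcs12 -export -in example.crt -inkey example.key \
                        -out example.p12 -name tomcat
       Keep the keystore readable only by the tomcat user. -->
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="/etc/tomcat/example.p12" keystoreType="PKCS12"
             keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />

  <!-- (c) TLS terminated by a proxy (nginx, load balancer) on 443.
       Tomcat stays unprivileged on 8080; binding to loopback keeps the
       unencrypted proxy-to-Tomcat hop off the network. -->
  <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
             proxyName="www.example.com" proxyPort="443" />

  <Engine name="Catalina" defaultHost="localhost">
    <!-- Trust X-Forwarded-* headers only from the local proxy, so
         request.isSecure() and redirects reflect the client's HTTPS. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="127\.0\.0\.1"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto" />
    <Host name="localhost" appBase="webapps" />
  </Engine>

</Service>
```

Setup (c) matches the trade-off in the message: the proxy-to-Tomcat leg is cleartext, so it is only acceptable when that leg never leaves the host or a trusted segment; (a) or (b) are what give end-to-end encryption to the service itself.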
