|
Home > Archive > IIS Server Security > November 2005 > IIS SSL Encryption handshake information
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
IIS SSL Encryption handshake information
|
|
| John McClain 2005-11-22, 5:56 pm |
| We have a servlet that is served by Tomcat. IIS is employed to redirect ot
Tomcat via AJP. IIS is also SSL enabled as our data is sensistive.
I am setting IIS to use SSL encryption on the default website. I have a
redirector that forwards request to Tomcat
I wish to call a jsp in Tomcat and pass SSL encrypted data. BUT, to start
the SSL handshake off, I am making a jsp request with the data I wish to be
SSL encrypted.
My question is
If I call a jsp from a browser and pass it some parameters that need to be
sent encrypted, do the parameters get SSL encrypted BEFORE they are sent, or
are they sent clear text, then the SSL Handshake, then all other data sent
is encrypted?
| |
| David Wang [Msft] 2005-11-22, 8:52 pm |
| If you make the following request from the browser:
POST https://www.yourserver.com/redirect...sitiveinfo=data
Then both the FORM entity body as well as sensitiveinfo=data will be
encrypted on the initial request. The server will need to complete the SSL
handshake to even retrieve any of that data from the request. This is how
SSL works.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"John McClain" <jm42163jm@yahoo.com> wrote in message
news:OJReb067FHA.3224@TK2MSFTNGP09.phx.gbl...
We have a servlet that is served by Tomcat. IIS is employed to redirect ot
Tomcat via AJP. IIS is also SSL enabled as our data is sensistive.
I am setting IIS to use SSL encryption on the default website. I have a
redirector that forwards request to Tomcat
I wish to call a jsp in Tomcat and pass SSL encrypted data. BUT, to start
the SSL handshake off, I am making a jsp request with the data I wish to be
SSL encrypted.
My question is
If I call a jsp from a browser and pass it some parameters that need to be
sent encrypted, do the parameters get SSL encrypted BEFORE they are sent, or
are they sent clear text, then the SSL Handshake, then all other data sent
is encrypted?
|
|
|
|
|