tomcat-users mailing list archives

From Patrick Flaherty <pflah...@rampageinc.com>
Subject Re: My web application to use SSL (JSSE - RSA)
Date Fri, 10 Jun 2011 20:29:40 GMT
Hi,

Is the APR/native Connector dramatically faster than the Java NIO Blocking Connector, or is it marginal?

I'd love faster SSL, but all my keys and certs are Java-based (keytool). Will APR ever support Java SSL?

I find Java keytool to be reasonably easy to use. Is OpenSSL as easy to use?

Thanks for any input.

Pat

On Jun 10, 2011, at 3:59 PM, Christopher Schultz wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Charles,
>
> On 6/10/2011 9:25 AM, Charles Van Damme wrote:
>> 10-jun-2011 15:14:11 org.apache.catalina.core.AprLifecycleListener init
>> INFO: The APR based Apache Tomcat Native library which allows optimal
>> performance in production environments was not found on the
>> java.library.path: [...]
>
> FWIW, that's just an INFO message, but if you are going to be using SSL,
> you might want to go ahead and install the APR library: your performance
> will improve measurably. Note that <Connector> configuration for an APR
> connector using SSL is completely different if you choose to go this route.
>
> If you are not going to be using APR, you can disable the APR lifecycle
> listener because you aren't using it.
>
>> java.security.NoSuchAlgorithmException: RSA SSLContext not available
>
> As Pid points out, it's pretty obvious that "RSA" is not a valid
> algorithm in this situation:
>
>>     at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
>>     at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:490)
>
> So, it's an SSL configuration problem. Let's look at your SSL <Connector>:
>
>>     <!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 443 -->
>>     <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
>>                maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
>>                keystoreFile="C:/Documents and Settings/Papa/.keystore" keystorePass="changeit"
>>                clientAuth="false" sslProtocol="RSA" />
>
> So, you have sslProtocol="RSA"... seems like a good place to look. If
> you check the <Connector> documentation, you can see that there are only
> a few recognized protocols you can choose.
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>
> Note that "protocol" refers to the protocol used for SSL, not for any
> specific cipher, key exchange strategy, etc. Unfortunately, the Tomcat
> documentation does not list all the available protocols, nor should it:
> the protocols available to you are determined by JVM support.
>
> The Javadoc for javax.net.ssl.SSLContext.getInstance has a pointer to
> documentation for "standard names" (which takes you through several hops
> to) here:
> http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#SSLContext
>
> Those are the valid ssl protocol names you can choose.
>
> If you want to use only ciphers that use the RSA algorithm (which is really
> limiting, IMO), you can look up their names here (after scrolling a bit
> downward):
>
> http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#jssenames
>
> Just look for stuff like SSL_DH_DSS_blah_blah_blah.
>
> Of course, support for a certain algorithm might not be available in
> your environment. It's best to find out what your JVM supports and use that.
>
> I wrote a short bit of code a while back to determine the supported
> algorithms and the default cipher suite for an SSLSocketFactory. I'll
> try to dig it up and post it.
>
>>     <!-- Define an AJP 1.3 Connector on port 8009 -->
>>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>
> If you aren't using AJP, then disable the extra connector.
>
>> Hoping you are not overwhelmed. Anything else ?
>
> You had other errors in the log file. After you get SSL working
> properly, stop Tomcat, delete all your logs and re-launch it. Anything
> that looks like an error should be investigated and fixed.
>
> Feel free to come back to the list for help on those additional issues:
> just remember to start a new thread if you do.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk3yd5IACgkQ9CaO5/Lv0PCSwQCggfhTML/aJwMtBlw1pVJ+mJIt
> rg8AoJOrh9amZcTCiLFrXjZQtFRGQbd0
> =fu8H
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

Patrick Flaherty
Rampage Systems Inc.
411 Waverley Oaks Rd.
Suite 138
Waltham, MA 02452-8405
781-891-9400 x239
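Chris mentions a short bit of code for finding out what the JVM actually supports. What follows is an added example written for this page, not Chris's code and not part of Tomcat: it lists the SSLContext names every installed provider registers (these are the legal values for the JSSE connector's sslProtocol attribute), shows that "RSA" is rejected with the same NoSuchAlgorithmException seen in the stack trace while "TLS" is accepted, and prints the default and supported cipher suites of the default SSLSocketFactory, picking out the RSA-authenticated ones. The class name JsseCapabilities and the candidate list are arbitrary choices for the example.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not Tomcat code): report what this JVM offers to Tomcat's
 * JSSE connector so sslProtocol= and ciphers= can be set to values that exist.
 */
public class JsseCapabilities {

    /** SSLContext algorithm names registered by any installed provider. */
    static List<String> sslContextNames() {
        TreeSet<String> names = new TreeSet<String>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SSLContext".equals(s.getType())) {
                    names.add(s.getAlgorithm());
                }
            }
        }
        return new ArrayList<String>(names);
    }

    /** True if sslProtocol="name" would get past SSLContext.getInstance. */
    static boolean isValidSslProtocol(String name) {
        try {
            SSLContext.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            // This is the exception JSSESocketFactory.createSSLContext threw for "RSA".
            return false;
        }
    }

    /** Suites whose authentication uses RSA, e.g. TLS_RSA_..., TLS_DHE_RSA_..., TLS_ECDHE_RSA_... */
    static List<String> rsaSuites(String[] suites) {
        List<String> out = new ArrayList<String>();
        for (String s : suites) {
            if (s.contains("_RSA_")) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("SSLContext names (valid sslProtocol values): " + sslContextNames());
        for (String candidate : new String[] {"RSA", "TLS", "TLSv1"}) {
            System.out.println("sslProtocol=\"" + candidate + "\" -> "
                    + (isValidSslProtocol(candidate) ? "accepted" : "NoSuchAlgorithmException"));
        }

        SSLContext ctx = SSLContext.getDefault();
        // Protocol *versions* the context would negotiate; distinct from the context name above.
        System.out.println("default protocol versions: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("supported protocol versions: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));

        SSLSocketFactory f = ctx.getSocketFactory();
        String[] defaultSuites = f.getDefaultCipherSuites();
        String[] supportedSuites = f.getSupportedCipherSuites();
        System.out.println("default cipher suites (" + defaultSuites.length + "): "
                + Arrays.toString(defaultSuites));
        System.out.println("supported cipher suites (" + supportedSuites.length + "): "
                + Arrays.toString(supportedSuites));
        System.out.println("RSA-authenticated suites: " + rsaSuites(supportedSuites));
    }
}
```

Compile and run it with the same JVM Tomcat uses (`javac JsseCapabilities.java && java JsseCapabilities`). On a Sun/Oracle Java 6 JSSE the SSLContext names are typically SSL, SSLv3, TLS, TLSv1 and Default; anything else in sslProtocol, "RSA" included, fails at connector start exactly as in the thread. The cipher suite names printed are the ones a `ciphers=` attribute can reference.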


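To make the two configurations Chris contrasts concrete, here is an added server.xml fragment written for this page (not from Tomcat's documentation or the thread): the connector as posted, the same JSSE/NIO connector with sslProtocol corrected to a real SSLContext name, and the APR/native form of it, which takes PEM files rather than a keystore. The PEM file paths, the PKCS12 file name and the keytool/openssl conversion steps in the comment are assumptions for the example; the keystore path and password are the ones from the original post.

```xml
<!-- Broken, as posted: "RSA" is not an SSLContext name, so the connector fails to start -->
<!--
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
           maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="C:/Documents and Settings/Papa/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="RSA" />
-->

<!-- Fixed JSSE (NIO) connector: sslProtocol must be an SSLContext name, e.g. "TLS" -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
           maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="C:/Documents and Settings/Papa/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />

<!-- APR/native connector: OpenSSL-style PEM files instead of a keystore.
     File paths below are assumptions. To get PEM out of the JKS keystore above
     (keytool from Java 6 or later, plus openssl; the .p12 name is arbitrary):
       keytool -importkeystore -srckeystore .keystore -destkeystore tomcat.p12 -deststoretype PKCS12
       openssl pkcs12 -in tomcat.p12 -nocerts -nodes -out tomcat-key.pem
       openssl pkcs12 -in tomcat.p12 -nokeys -clcerts -out tomcat-cert.pem
     Caveat: -nodes writes the private key unencrypted; restrict the file's permissions,
     or omit -nodes and give the passphrase via SSLPassword. -->
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol" port="443"
           maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="C:/tomcat/conf/tomcat-cert.pem"
           SSLCertificateKeyFile="C:/tomcat/conf/tomcat-key.pem"
           SSLProtocol="TLSv1" />
```

Only one of the two working connectors should be active on port 443 at a time, and the APR form only works when the Tomcat Native library is actually found on java.library.path (otherwise the Http11AprProtocol connector will not initialize).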