Subject: RE: My web application to use SSL (JSSE - RSA)
Date: Fri, 10 Jun 2011 13:46:08 -0700
From: "Adamus, Steven J."
To: "Tomcat Users List"
In-Reply-To: <4DF28081.8030302@pidster.com>

We switched from JSSE to the APR and OpenSSL about 6 months ago. We converted all existing keys and certs to the format required by OpenSSL. It was not hard. Some people say it can't be done, but they're wrong. After 6 months with OpenSSL, I say it's easier to use than JSSE. We use not only server-side certs, we also require client certificate authentication and perform certificate revocation checking.

-----Original Message-----
From: users-return-225336-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org [mailto:users-return-225336-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org] On Behalf Of Pid
Sent: Friday, June 10, 2011 1:37 PM
To: Tomcat Users List
Subject: Re: My web application to use SSL (JSSE - RSA)

On 10/06/2011 21:29, Patrick Flaherty wrote:
> Hi,
>
> Is APR/native Connector dramatically faster than Java Nio Blocking
> Connector or is it marginal ?

APR+SSL is a little faster, if I remember correctly, Chris?

> I'd love faster SSL but all my keys and certs are java based (keytool).
> Will APR ever support Java SSL ?

No.

> I find Java keytool to be reasonably easy to use. Is OpenSSL as easy
> to use ?

Yes.

p

> Thanks for any input.
>
> Pat
>
> On Jun 10, 2011, at 3:59 PM, Christopher Schultz wrote:
>
> Charles,
>
> On 6/10/2011 9:25 AM, Charles Van Damme wrote:
>>>> 10-jun-2011 15:14:11 org.apache.catalina.core.AprLifecycleListener init
>>>> INFO: The APR based Apache Tomcat Native library which allows
>>>> optimal performance in production environments was not found on the
>>>> java.library.path: [...]
>
> FWIW, that's just an INFO message, but if you are going to be using
> SSL, you might want to go ahead and install the APR library: your
> performance will improve measurably. Note that
> configuration for an APR connector using SSL is completely different
> if you choose to go this route.
>
> If you are not going to be using APR, you can disable the APR
> lifecycle listener because you aren't using it.
>
>>>> java.security.NoSuchAlgorithmException: RSA SSLContext not
>>>> available
>
> As Pid points out, it's pretty obvious that "RSA" is not a valid
> algorithm in this situation:
>
>>>> at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
>>>> at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
>>>> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:490)
>
> So, it's an SSL configuration problem. Let's look at your SSL
> <Connector>:
>
>>>> <Connector port="443"
>>>>   maxThreads="150" scheme="https" secure="true"
>>>>   SSLEnabled="true"
>>>>   keystoreFile="C:/Documents and Settings/Papa/.keystore"
>>>>   keystorePass="changeit"
>>>>   clientAuth="false" sslProtocol="RSA" />
>
> SO, you have sslProtocol="RSA"... seems like a good place to look. If
> you check the documentation, you can see that there are
> only a few recognized protocols you can choose.
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>
> Note that "protocol" refers to the protocol used for SSL, not for any
> specific cipher, key exchange strategy, etc. Unfortunately, the Tomcat
> documentation does not list all the available protocols, nor should it:
> the protocols available to you are determined by JVM support.
>
> The Javadoc for javax.net.ssl.SSLContext.getInstance has a pointer to
> documentation for "standard names" (which takes you through several
> hops to) here:
> http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#SSLContext
>
> Those are the valid ssl protocol names you can choose.
>
> If you want to use only ciphers that use the RSA algorithm (which is
> really limiting, IMO), you can look up their names here (after
> scrolling a bit downward):
>
> http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#jssenames
>
> Just look for stuff like SSL_DH_DSS_blah_blah_blah.
>
> Of course, support for a certain algorithm might not be available in
> your environment. It's best to find out what your JVM supports and use
> that.
>
> I wrote a short bit of code a while back to determine the supported
> algorithms and the default cipher suite for an SSLSocketFactory. I'll
> try to dig it up and post it.
>
>>>> />
>
> If you aren't using AJP, then disable the extra connector.
>
>>>> Hoping you are not overwhelmed. Anything else ?
>
> You had other errors in the log file. After you get SSL working
> properly, stop Tomcat, delete all your logs and re-launch it. Anything
> that looks like an error should be investigated and fixed.
>
> Feel free to come back to the list for help on those additional issues:
> just remember to start a new thread if you do.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
> Patrick Flaherty
> Rampage Systems Inc.
> 411 Waverley Oaks Rd.
> Suite 138
> Waltham, MA. 02452-8405
> 781-891-9400 x239
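Chris's "short bit of code" never made it into this thread. The following is an added example (not Chris's code and not part of the original mails) that does what he describes: it lists the SSLContext protocol names the running JVM registers (the only values that make sense for Tomcat's sslProtocol attribute), shows that "RSA" is rejected with the NoSuchAlgorithmException from the log while "TLS" is accepted, and prints the default cipher suites plus the RSA key-exchange suites of the default SSLSocketFactory. The class name JsseInventory and the candidate list are my own choices.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

/** Added example (not from the thread): inventory of what this JVM's JSSE actually offers. */
public class JsseInventory {

    /** Protocol names registered for the SSLContext service by the installed providers. */
    public static Set<String> supportedSslContextNames() {
        return new TreeSet<String>(Security.getAlgorithms("SSLContext"));
    }

    /** True if SSLContext.getInstance(name) succeeds; this is exactly the call Tomcat makes. */
    public static boolean isValidSslProtocol(String name) {
        try {
            SSLContext.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("SSLContext names in this JVM: " + supportedSslContextNames());

        // "RSA" is a key-exchange / signature algorithm, not a protocol: it fails here.
        for (String candidate : new String[] { "RSA", "TLS", "TLSv1" }) {
            System.out.println("sslProtocol=\"" + candidate + "\" -> "
                + (isValidSslProtocol(candidate) ? "accepted" : "NoSuchAlgorithmException"));
        }

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        System.out.println("Default cipher suites:");
        for (String suite : factory.getDefaultCipherSuites()) {
            System.out.println("  " + suite);
        }

        // Suites that use plain RSA key exchange, i.e. what Pat could list in Tomcat's
        // ciphers attribute if he really wants to restrict to RSA.
        System.out.println("Supported RSA key-exchange suites:");
        for (String suite : factory.getSupportedCipherSuites()) {
            if (suite.startsWith("TLS_RSA_") || suite.startsWith("SSL_RSA_")) {
                System.out.println("  " + suite);
            }
        }
    }
}
```

Run it with the same JVM that starts Tomcat, since the output depends entirely on that JVM's providers.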