tomcat-users mailing list archives

From Coty Sutherland <csuth...@redhat.com>
Subject Re: Tomcat 8.5 and TLS
Date Thu, 07 Apr 2016 13:24:50 GMT
I'm glad I was able to help, Thad. Good luck! Let me know if you have any
other questions regarding the connectors (or anything else, in a separate
thread please).

On Wed, Apr 6, 2016 at 3:58 PM, Thad Humphries <thad.humphries@gmail.com>
wrote:

> On Wed, Apr 6, 2016 at 12:17 PM, Coty Sutherland <csutherl@redhat.com>
> wrote:
>
> > Hi Thad,
> >
> > Hopefully I can help clear up some confusion here. I'd also suggest
> > watching the 8.5 connector video that markt presented here
> > <https://www.youtube.com/watch?v=LBSWixIwMmU> for more information on the
> > connector changes introduced by 8.5. I found the bits on the SSL change
> > particularly informative as it was my first exposure to how tomcat9 handles
> > TLS, if you're interested in moving to the way that tomcat 9 handles SSL
> > with the upgrade to 8.5. Otherwise, you can use the same Connector tags
> > that you had before without change (I think).
> >
> > In any case, I'll reply to your last inquiries in line below. I'm using
> > Tomcat 8.5.0.Beta and OpenJDK 8.
> >
> > > Are you saying that to make the second <Connector> work I must remove
> > > either clientAuth or sslProtocol? (No, I must be mistaken--remove either/or
> > > and Tomcat still fails to start).
> >
> > Yes; you should remove _both_ of them and move that configuration into the
> > SSLHostConfig. You can find the replacements for them in the docs for
> > clientAuth and sslProtocol here
> > <https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2>;
> > I've tested this and it works for me. I believe that the reason behind this
> > (although I am no expert) is that tomcat is taking the old Connector
> > configuration that you have in place and creating a default SSLHostConfig
> > behind the scenes; this action causes a conflict with your defined
> > SSLHostConfig, hence the exception about the multiple non-unique host names
> > and such.
> >
> > > "BTW sslProtocol is really useless." does make sense. If so, I think I'm
> > > hearing that I should not use the sslProtocol="TLS" attribute or the
> > > <SSLHostConfig> element. Is that right?
> >
> > You don't need the sslProtocol attribute because you're just setting the
> > default value for TLS. As far as the SSLHostConfig goes, I think that's up
> > to you. For now, tomcat will take your old Connector configuration and
> > translate it behind the scenes into what it needs to function. If you do
> > use the SSLHostConfig tag, then you'll need to move all of the attributes
> > from the Connector to the SSLHostConfig that belong there; this is
> > basically upgrading your connector from the tomcat 8.0 syntax to tomcat 9's
> > syntax.
> >
> > > This confuses me. The 8.5 server.xml uses <SSLHostConfig> in its
> > > commented examples while the 8.0 server.xml does not. And if SSL*
> > > attributes are going away, why is <SSLHostConfig> now the example?
> >
> > Tomcat 8.5 was forked from tomcat/trunk (tomcat9), which is where that
> > comes from. I think that the example was left there to encourage movement
> > to the tomcat 9 syntax because the older connector syntax will eventually
> > be removed. I do notice that the ssl-howto docs still refer to the tomcat8
> > syntax, so it doesn't seem like there is a unified message regarding which
> > one is the preferred method (they're both still correct and will work when
> > the hosts don't conflict).
> >
> > > And without SSL*, how do I specify the certificates in an APR connector
> > > like this one (which is the first I got working):
> >
> > All of the SSL* attributes from the connector were migrated to the
> > SSLHostConfig and its new tags.
> >
> > Let me know if any of my response was vague and I'll try and clarify.
> >
>
> Thank you, Coty. I think that answered my questions (the video was useful,
> too).
>
> So, for the record--and I hope I've labeled them correctly--I have gotten
> the configurations below to come up on Mac OSX 10.10.5 with Java 1.8.0_77.
> My OpenSSL is 1.0.2g 1 Mar 2016, and my Tomcat native library is 1.2.5,
> both installed with Homebrew.
>
>   <!-- NIO connector with JSSE -->
>   <Connector port="8443"
>              protocol="org.apache.coyote.http11.Http11NioProtocol"
>              maxThreads="200" SSLEnabled="true" compression="on"
>              scheme="https" secure="true">
>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>     <SSLHostConfig honorCipherOrder="false">
>       <Certificate certificateKeystoreFile="conf/foo.jks"
>                    certificateKeystorePassword="changeit"
>                    certificateKeyAlias="tomcat"
>                    type="RSA" />
>     </SSLHostConfig>
>   </Connector>
>
>   <!-- NIO connector with OpenSSL -->
>   <Connector port="8443"
>              protocol="org.apache.coyote.http11.Http11NioProtocol"
>              maxThreads="200" SSLEnabled="true" compression="on"
>              scheme="https" secure="true">
>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>     <SSLHostConfig honorCipherOrder="false">
>       <Certificate certificateKeyFile="conf/foo-nopp.pem"
>                    certificateFile="conf/foo.pem"
>                    type="RSA" />
>     </SSLHostConfig>
>   </Connector>
>
>   <!-- APR/Tomcat native connector with OpenSSL -->
>   <Connector port="8443"
>              protocol="org.apache.coyote.http11.Http11AprProtocol"
>              maxThreads="200" SSLEnabled="true" compression="on"
>              scheme="https" secure="true">
>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>     <SSLHostConfig honorCipherOrder="false">
>       <Certificate certificateKeyFile="conf/foo-nopp.pem"
>                    certificateFile="conf/foo.pem"
>                    type="RSA" />
>     </SSLHostConfig>
>   </Connector>
>
> Now to see if this breaks any of my apps. :)
>
>
> >
> > On Tue, Apr 5, 2016 at 4:57 PM, Thad Humphries <thad.humphries@gmail.com>
> > wrote:
> >
> > > On Tue, Apr 5, 2016 at 4:25 PM, Rémy Maucherat <remm@apache.org> wrote:
> > >
> > > > 2016-04-05 15:11 GMT-05:00 Thad Humphries <thad.humphries@gmail.com>:
> > > >
> > > > > My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS and
> > > > > TLS.
> > > > >
> > > > > Since I eventually must demonstrate the various HTTPS approaches to
> > > > > others, I have tried both the APR and the NIO implementation, as well as
> > > > > the different <Connector> layouts in the docs
> > > > > (http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File),
> > > > > and the $CATALINA_BASE/conf/server.xml comments.  I've gotten APR
> > > > > working both ways, but not quite NIO.
> > > > >
> > > > > When I use the following connector for NIO (from the docs), my SSL works:
> > > > >
> > > > >     <Connector
> > > > >            protocol="org.apache.coyote.http11.Http11NioProtocol"
> > > > >            port="8443" maxThreads="200" compression="on"
> > > > >            scheme="https" secure="true" SSLEnabled="true"
> > > > >            keystoreFile="conf/foo.jks" keystorePass="changeit"
> > > > >            clientAuth="false" sslProtocol="TLS">
> > > > >       <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
> > > > >     </Connector>
> > > > >
> > > > > However when I try the approach in the server.xml comments, Tomcat does
> > > > > not start:
> > > > >
> > > > >     <Connector port="8443"
> > > > >                protocol="org.apache.coyote.http11.Http11NioProtocol"
> > > > >                maxThreads="200" SSLEnabled="true"
> > > > >                scheme="https" secure="true" clientAuth="false"
> > > > >                sslProtocol="TLS">
> > > > >       <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
> > > > >       <SSLHostConfig honorCipherOrder="false">
> > > > >         <Certificate certificateKeystoreFile="conf/foo.jks"
> > > > >                      certificateKeystoreType="JKS"
> > > > >                      certificateKeystorePassword="changeit"
> > > > >                      certificateKeyAlias="tomcat"
> > > > >                      type="RSA" />
> > > > >       </SSLHostConfig>
> > > > >     </Connector>
> > > > >
> > > > > The error at the top of catalina.out is below. I'm trying to understand
> > > > > why, both for myself and so that I can explain it to others. The "Caused
> > > > > by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements
> > > > > were provided for the host name [_default_]. Host names must be unique."
> > > > > has me stumped as I have only the one uncommented SSLHostConfig in
> > > > > server.xml.
> > > > >
> > > > > (Once I have this second <Connector> working, I must make a write-up for
> > > > > folks here, a write-up which I hope will be clearer and more direct than
> > > > > the docs. I would be happy to offer that write-up to the wiki or docs.)
> > > > >
> > > >
> > > > You still have some attributes which should go into SSLHostConfig, so you
> > > > have two SNI for the default host (clientAuth and sslProtocol). BTW
> > > > sslProtocol is really useless.
> > > >
> > > > Rémy
> > > >
> > >
> > > I'm sorry, I'm not following you. Are you saying that to make the second
> > > <Connector> work I must remove either clientAuth or sslProtocol? (No, I
> > > must be mistaken--remove either/or and Tomcat still fails to start).
> > >
> > > "BTW sslProtocol is really useless." does make sense. If so, I think I'm
> > > hearing that I should not use the sslProtocol="TLS" attribute or the
> > > <SSLHostConfig> element. Is that right?
> > >
> > > The 8.5 docs say
> > > "As of Tomcat 9, the majority of the SSL configuration attributes in the
> > > Connector are deprecated. If specified, they will be used to configure a
> > > SSLHostConfig and Certificate for the sslDefaultHost. Note that if an
> > > explicit SSLHostConfig element also exists for the sslDefaultHost then that
> > > will be treated as a configuration error. It is expected that Tomcat 10
> > > will drop support for the SSL configuration attributes in the Connector."
> > >
> > > This confuses me. The 8.5 server.xml uses <SSLHostConfig> in its commented
> > > examples while the 8.0 server.xml does not. And if SSL* attributes are
> > > going away, why is <SSLHostConfig> now the example? And without SSL*, how
> > > do I specify the certificates in an APR connector like this one (which is
> > > the first I got working):
> > >
> > >     <Connector
> > >            protocol="org.apache.coyote.http11.Http11AprProtocol"
> > >            port="8443" maxThreads="200" compression="on"
> > >            scheme="https" secure="true" SSLEnabled="true"
> > >            SSLCertificateFile="conf/foo.pem"
> > >            SSLCertificateKeyFile="conf/foo-nopp.pem"
> > >            SSLVerifyClient="none" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2">
> > >       <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
> > >     </Connector>
> > >
> > > >
> > > > >
> > > > > 05-Apr-2016 15:32:42.642 SEVERE [main] org.apache.tomcat.util.digester.Digester.endElement End event threw exception
> > > > >  java.lang.reflect.InvocationTargetException
> > > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > > at java.lang.reflect.Method.invoke(Method.java:498)
> > > > > at org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:377)
> > > > > at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
> > > > > at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:966)
> > > > > at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
> > > > > at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1783)
> > > > > at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2970)
> > > > > at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
> > > > > at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
> > > > > at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
> > > > > at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
> > > > > at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
> > > > > at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
> > > > > at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
> > > > > at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
> > > > > at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
> > > > > at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> > > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > > at java.lang.reflect.Method.invoke(Method.java:498)
> > > > > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> > > > > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> > > > > Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
> > > > > at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:201)
> > > > > at org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:398)
> > > > > at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:876)
> > > > > ... 26 more
> > > > >
> > > > >
> > > > > --
> > > > > "Hell hath no limits, nor is circumscrib'd In one self-place; but where we
> > > > > are is hell, And where hell is, there must we ever be" --Christopher
> > > > > Marlowe, *Doctor Faustus* (v. 121-24)
> > > > >
> > > >
> > >
> > >
> > >
> > >
> >
> >
> >
> > --
> > Coty Sutherland, RHCSA, RHCE, JBCAA
> > Senior Software Engineer @ Red Hat, Inc.
> > 100 East Davie Street
> > Raleigh, NC 27606
> >
> > Email: coty@redhat.com
> > IRC Nickname: coty
> > Office: 919-890-8303
> >
>
>
>
>




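As an added example (not code from the thread, and not Tomcat's own tooling), the following Python linter flags the server.xml condition behind the "Multiple SSLHostConfig elements were provided for the host name [_default_]" error discussed above: legacy Connector-level SSL attributes sitting next to an explicit <SSLHostConfig> that has no hostName (and so is the _default_ host). It also flags the weaker settings visible in the thread's working configs, namely SSLProtocol values that still enable TLSv1 and TLSv1.1, and honorCipherOrder="false". The legacy attribute lists are a representative subset of the 8.0/8.5 connector attributes, not the complete set; the sample server.xml is constructed from the thread's three connector styles, placed on separate ports so the findings can be told apart.

```python
"""Lint a Tomcat 8.5 server.xml for the SSLHostConfig migration pitfalls
discussed in the thread. Added example; not code from the thread or Tomcat."""
import xml.etree.ElementTree as ET

# Connector-level TLS attributes that Tomcat 8.5 still accepts but folds into
# an implicit SSLHostConfig/Certificate for the default host. Assumption: a
# representative subset of the documented attributes, not the complete list.
LEGACY_HOST_ATTRS = {
    "clientAuth", "sslProtocol", "sslEnabledProtocols", "ciphers",
    "truststoreFile", "SSLProtocol", "SSLVerifyClient", "SSLCipherSuite",
}
LEGACY_CERT_ATTRS = {
    "keystoreFile", "keystorePass", "keystoreType", "keyAlias", "keyPass",
    "SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile",
}
# Versions that should not be enabled on a new deployment: SSLv2/SSLv3 are
# broken, TLS 1.0 and 1.1 are deprecated by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def protocol_list(value):
    """Split 'TLSv1+TLSv1.1+TLSv1.2' (APR style) or 'TLSv1.2,TLSv1.3' (JSSE
    style) into a set of protocol names."""
    return {p.strip() for p in value.replace("+", ",").split(",") if p.strip()}


def lint_connector(conn):
    """Return (severity, message) findings for one <Connector> element."""
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings
    port = conn.get("port", "?")
    legacy = sorted((LEGACY_HOST_ATTRS | LEGACY_CERT_ATTRS) & set(conn.keys()))
    hosts = conn.findall("SSLHostConfig")
    # An SSLHostConfig without a hostName attribute is the _default_ host.
    explicit_default = [h for h in hosts if h.get("hostName") is None]

    if legacy and explicit_default:
        # The startup failure from the thread: the legacy attributes create an
        # implicit _default_ SSLHostConfig that collides with the explicit one.
        findings.append(("error", f"port {port}: legacy attributes {legacy} "
                         "conflict with an explicit default SSLHostConfig"))
    elif legacy:
        findings.append(("warn", f"port {port}: deprecated Connector-level "
                         f"TLS attributes {legacy}; move them into SSLHostConfig"))

    # Protocol hygiene for both the legacy spellings and SSLHostConfig's
    # 'protocols'. The default value "all" is not expanded here; check what it
    # means for the exact Tomcat version in use.
    checks = [(conn, "sslEnabledProtocols"), (conn, "SSLProtocol")]
    checks += [(h, "protocols") for h in hosts]
    for elem, attr in checks:
        value = elem.get(attr)
        if value is None:
            continue
        bad = sorted(protocol_list(value) & DEPRECATED_PROTOCOLS)
        if bad:
            findings.append(("warn", f"port {port}: {attr} enables {bad}"))

    for host in hosts:
        if host.get("honorCipherOrder", "").lower() == "false":
            findings.append(("info", f"port {port}: honorCipherOrder=false lets "
                             "the client choose the cipher suite"))
    return findings


def lint_server_xml(xml_text):
    """Lint every <Connector> in a server.xml document string."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        findings.extend(lint_connector(conn))
    return findings


# Constructed sample: the three connector styles from the thread, on distinct
# ports. 8443 is the failing mix, 8444 the 8.0-style APR connector, 8445 the
# 8.5-style connector with everything inside SSLHostConfig.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS">
      <SSLHostConfig honorCipherOrder="false">
        <Certificate certificateKeystoreFile="conf/foo.jks"
                     certificateKeystorePassword="changeit" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="conf/foo.pem"
               SSLCertificateKeyFile="conf/foo-nopp.pem"
               SSLVerifyClient="none" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig honorCipherOrder="true" protocols="TLSv1.2">
        <Certificate certificateKeyFile="conf/foo-nopp.pem"
                     certificateFile="conf/foo.pem" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

if __name__ == "__main__":
    for severity, message in lint_server_xml(SAMPLE_SERVER_XML):
        print(f"[{severity}] {message}")
```

Run against a real $CATALINA_BASE/conf/server.xml by reading the file into lint_server_xml. The error finding is the one that stops Tomcat from starting; the warnings are the ones to clear before the deployment is exposed, since a connector that "works" with SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" still negotiates TLS 1.0 with any client that asks for it.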