Date: Thu, 7 Apr 2016 09:24:50 -0400
Subject: Re: Tomcat 8.5 and TLS
From: Coty Sutherland
To: Tomcat Users List

I'm glad I was able to help, Thad. Good luck! Let me know if you have any
other questions regarding the connectors (or anything else, in a separate
thread please).

On Wed, Apr 6, 2016 at 3:58 PM, Thad Humphries wrote:
> On Wed, Apr 6, 2016 at 12:17 PM, Coty Sutherland wrote:
>
> > Hi Thad,
> >
> > Hopefully I can help clear up some confusion here. I'd also suggest
> > watching the 8.5 connector video that markt presented here for more
> > information on the connector changes introduced by 8.5. I found the bits
> > on the SSL change particularly informative as it was my first exposure to
> > how tomcat9 handles TLS, if you're interested in moving to the way that
> > tomcat 9 handles SSL with the upgrade to 8.5.
> > Otherwise, you can use the same Connector tags that you had before
> > without change (I think).
> >
> > In any case, I'll reply to your last inquiries in line below. I'm using
> > Tomcat 8.5.0.Beta and OpenJDK 8.
> >
> > > Are you saying that to make the second work I must remove either
> > > clientAuth or sslProtocol? (No, I must be mistaken--remove either/or
> > > and Tomcat still fails to start).
> >
> > Yes; you should remove _both_ of them and move that configuration into
> > the SSLHostConfig. You can find the replacements for them in the docs for
> > clientAuth and sslProtocol here
> > <https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2>;
> > I've tested this and it works for me. I believe that the reason behind
> > this (although I am no expert) is that tomcat is taking the old Connector
> > configuration that you have in place and creating a default SSLHostConfig
> > behind the scenes; this action causes a conflict with your defined
> > SSLHostConfig, hence the exception about the multiple non-unique host
> > names and such.
> >
> > > "BTW sslProtocol is really useless." does make sense. If so, I think
> > > I'm hearing that I should not use the sslProtocol="TLS" attribute or
> > > the <SSLHostConfig> element. Is that right?
> >
> > You don't need the sslProtocol attribute because you're just setting the
> > default value for TLS. As far as the SSLHostConfig goes, I think that's
> > up to you. For now, tomcat will take your old Connector configuration and
> > translate it behind the scenes into what it needs to function. If you do
> > use the SSLHostConfig tag, then you'll need to move all of the attributes
> > from the Connector to the SSLHostConfig that belong there; this is
> > basically upgrading your connector from the tomcat 8.0 syntax to tomcat
> > 9's syntax.
> >
> > > This confuses me. The 8.5 server.xml uses <SSLHostConfig> in its
> > > commented examples while the 8.0 server.xml does not.
> > > And if SSL* attributes are going away, why is <SSLHostConfig> now the
> > > example?
> >
> > Tomcat 8.5 was forked from tomcat/trunk (tomcat9), which is where that
> > comes from. I think that the example was left there to encourage movement
> > to the tomcat 9 syntax because the older connector syntax will eventually
> > be removed. I do notice that the ssl-howto docs still refer to the tomcat8
> > syntax, so it doesn't seem like there is a unified message regarding which
> > one is the preferred method (they're both still correct and will work when
> > the hosts don't conflict).
> >
> > > And without SSL*, how do I specify the certificates in an APR connector
> > > like this one (which is the first I got working):
> >
> > All of the SSL* attributes from the connector were migrated to the
> > SSLHostConfig and its new tags.
> >
> > Let me know if any of my response was vague and I'll try and clarify.
>
> Thank you, Coty. I think that answered my questions (the video was useful,
> too).
>
> So, for the record--and I hope I've labeled them correctly--I have gotten
> the configurations below to come up on Mac OSX 10.10.5 with Java 1.8.0_77.
> My OpenSSL is 1.0.2g 1 Mar 2016, and my Tomcat native library is 1.2.5,
> both installed with Homebrew.
>     <!-- The element names, the labels, and the first line of each
>          Connector and Certificate element were lost when the archive
>          stripped the tags; they are reconstructed here from the earlier
>          messages in this thread. -->
>
>     <!-- NIO with a JKS keystore -->
>     <Connector port="8443"
>                protocol="org.apache.coyote.http11.Http11NioProtocol"
>                maxThreads="200" SSLEnabled="true" compression="on"
>                scheme="https" secure="true">
>         <SSLHostConfig>
>             <Certificate certificateKeystoreFile="conf/foo.jks"
>                          certificateKeystorePassword="changeit"
>                          certificateKeyAlias="tomcat"
>                          type="RSA" />
>         </SSLHostConfig>
>     </Connector>
>
>     <!-- NIO with PEM certificate and key files -->
>     <Connector port="8443"
>                protocol="org.apache.coyote.http11.Http11NioProtocol"
>                maxThreads="200" SSLEnabled="true" compression="on"
>                scheme="https" secure="true">
>         <SSLHostConfig>
>             <Certificate certificateKeyFile="conf/foo-nopp.pem"
>                          certificateFile="conf/foo.pem"
>                          type="RSA" />
>         </SSLHostConfig>
>     </Connector>
>
>     <!-- APR with PEM certificate and key files -->
>     <Connector port="8443"
>                protocol="org.apache.coyote.http11.Http11AprProtocol"
>                maxThreads="200" SSLEnabled="true" compression="on"
>                scheme="https" secure="true">
>         <SSLHostConfig>
>             <Certificate certificateKeyFile="conf/foo-nopp.pem"
>                          certificateFile="conf/foo.pem"
>                          type="RSA" />
>         </SSLHostConfig>
>     </Connector>
>
> Now to see if this breaks any of my apps. :)
>
> > On Tue, Apr 5, 2016 at 4:57 PM, Thad Humphries wrote:
> >
> > > On Tue, Apr 5, 2016 at 4:25 PM, Rémy Maucherat wrote:
> > >
> > > > 2016-04-05 15:11 GMT-05:00 Thad Humphries:
> > > >
> > > > > My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS
> > > > > and TLS.
> > > > >
> > > > > Since I eventually must demonstrate the various HTTPS approaches to
> > > > > others, I have tried both the APR and the NIO implementation, as well
> > > > > as the different layouts in the docs
> > > > > (http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File),
> > > > > and the $CATALINA_BASE/conf/server.xml comments. I've gotten APR
> > > > > working both ways, but not quite NIO.
> > > > > When I use the following connector for NIO (from the docs), my SSL
> > > > > works:
> > > > >
> > > > >     <Connector
> > > > >         protocol="org.apache.coyote.http11.Http11NioProtocol"
> > > > >         port="8443" maxThreads="200" compression="on"
> > > > >         scheme="https" secure="true" SSLEnabled="true"
> > > > >         keystoreFile="conf/foo.jks" keystorePass="changeit"
> > > > >         clientAuth="false" sslProtocol="TLS">
> > > > >         <UpgradeProtocol
> > > > >             className="org.apache.coyote.http2.Http2Protocol" />
> > > > >     </Connector>
> > > > >
> > > > > However when I try the approach in the server.xml comments, Tomcat
> > > > > does not start:
> > > > >
> > > > >     <!-- The opening Connector and Certificate lines were lost when
> > > > >          the archive stripped the tags; port and
> > > > >          certificateKeystoreFile are reconstructed from the
> > > > >          configuration above. -->
> > > > >     <Connector port="8443"
> > > > >         protocol="org.apache.coyote.http11.Http11NioProtocol"
> > > > >         maxThreads="200" SSLEnabled="true"
> > > > >         scheme="https" secure="true" clientAuth="false"
> > > > >         sslProtocol="TLS">
> > > > >         <UpgradeProtocol
> > > > >             className="org.apache.coyote.http2.Http2Protocol" />
> > > > >         <SSLHostConfig>
> > > > >             <Certificate certificateKeystoreFile="conf/foo.jks"
> > > > >                 certificateKeystoreType="JKS"
> > > > >                 certificateKeystorePassword="changeit"
> > > > >                 certificateKeyAlias="tomcat"
> > > > >                 type="RSA" />
> > > > >         </SSLHostConfig>
> > > > >     </Connector>
> > > > >
> > > > > The error at the top of catalina.out is below. I'm trying to
> > > > > understand why, both for myself and so that I can explain it to
> > > > > others. The "Caused by: java.lang.IllegalArgumentException: Multiple
> > > > > SSLHostConfig elements were provided for the host name [_default_].
> > > > > Host names must be unique." has me stumped as I have only the one
> > > > > uncommented SSLHostConfig in server.xml.
> > > > >
> > > > > (Once I have this second working, I must make a write-up for folks
> > > > > here, a write-up which I hope will be clearer and more direct than
> > > > > the docs. I would be happy to offer that write-up to the wiki or
> > > > > docs.)
> > > >
> > > > You still have some attributes which should go into SSLHostConfig, so
> > > > you have two SNI for the default host (clientAuth and sslProtocol). BTW
> > > > sslProtocol is really useless.
> > > >
> > > > Rémy
> > >
> > > I'm sorry, I'm not following you. Are you saying that to make the second
> > > work I must remove either clientAuth or sslProtocol? (No, I must be
> > > mistaken--remove either/or and Tomcat still fails to start).
> > >
> > > "BTW sslProtocol is really useless." does make sense. If so, I think I'm
> > > hearing that I should not use the sslProtocol="TLS" attribute or the
> > > <SSLHostConfig> element. Is that right?
> > >
> > > The 8.5 docs say
> > > "As of Tomcat 9, the majority of the SSL configuration attributes in the
> > > Connector are deprecated. If specified, they will be used to configure a
> > > SSLHostConfig and Certificate for the sslDefaultHost. Note that if an
> > > explicit SSLHostConfig element also exists for the sslDefaultHost then
> > > that will be treated as a configuration error. It is expected that Tomcat
> > > 10 will drop support for the SSL configuration attributes in the
> > > Connector."
> > >
> > > This confuses me. The 8.5 server.xml uses <SSLHostConfig> in its
> > > commented examples while the 8.0 server.xml does not. And if SSL*
> > > attributes are going away, why is <SSLHostConfig> now the example?
> > > And without SSL*, how do I specify the certificates in an APR connector
> > > like this one (which is the first I got working):
> > >
> > >     <Connector
> > >         protocol="org.apache.coyote.http11.Http11AprProtocol"
> > >         port="8443" maxThreads="200" compression="on"
> > >         scheme="https" secure="true" SSLEnabled="true"
> > >         SSLCertificateFile="conf/foo.pem"
> > >         SSLCertificateKeyFile="conf/foo-nopp.pem"
> > >         SSLVerifyClient="none" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2">
> > >         <UpgradeProtocol
> > >             className="org.apache.coyote.http2.Http2Protocol" />
> > >     </Connector>
> > >
> > > > > 05-Apr-2016 15:32:42.642 SEVERE [main] org.apache.tomcat.util.digester.Digester.endElement End event threw exception
> > > > >  java.lang.reflect.InvocationTargetException
> > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > >     at java.lang.reflect.Method.invoke(Method.java:498)
> > > > >     at org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:377)
> > > > >     at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
> > > > >     at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:966)
> > > > >     at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
> > > > >     at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1783)
> > > > >     at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2970)
> > > > >     at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
> > > > >     at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
> > > > >     at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
> > > > >     at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
> > > > >     at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
> > > > >     at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
> > > > >     at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
> > > > >     at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
> > > > >     at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
> > > > >     at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > >     at java.lang.reflect.Method.invoke(Method.java:498)
> > > > >     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> > > > >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> > > > > Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig
> > > > > elements were provided for the host name [_default_]. Host names must
> > > > > be unique.
> > > > >     at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:201)
> > > > >     at org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:398)
> > > > >     at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:876)
> > > > >     ... 26 more
> > > > >
> > > > > --
> > > > > "Hell hath no limits, nor is circumscrib'd In one self-place; but
> > > > > where we are is hell, And where hell is, there must we ever be"
> > > > > --Christopher Marlowe, *Doctor Faustus* (v. 121-24)
> >
> > --
> > Coty Sutherland, RHCSA, RHCE, JBCAA
> > Senior Software Engineer @ Red Hat, Inc.
> > 100 East Davie Street
> > Raleigh, NC 27606
> >
> > Email: coty@redhat.com
> > IRC Nickname: coty
> > Office: 919-890-8303
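The startup failure discussed in this thread (legacy SSL attributes left on the Connector while an explicit SSLHostConfig exists for the default host, so Tomcat builds a second default-host SSLHostConfig and refuses to start) is cheap to catch before restarting Tomcat. The script below is an added example, not code from this thread or from the Tomcat project: it parses a server.xml, reports that conflict together with any remaining deprecated attributes and any explicitly enabled deprecated protocol versions, and rewrites the legacy attributes into the SSLHostConfig/Certificate form. The attribute and value mapping follows the Tomcat 8.5 HTTP Connector documentation; the two server.xml fragments are constructed from the configurations posted above, and the function names are the example's own.

```python
"""Lint and migrate TLS settings in a Tomcat 8.5 server.xml.

Added example for the thread above; not code from the Tomcat project or from
either poster. The legacy-to-SSLHostConfig attribute mapping follows the
Tomcat 8.5 HTTP Connector documentation; the sample server.xml fragments are
constructed from the configurations posted in the thread.
"""
import re
import xml.etree.ElementTree as ET

# Deprecated Connector attribute -> (element it now lives on, new attribute name).
LEGACY = {
    "clientAuth":            ("SSLHostConfig", "certificateVerification"),
    "SSLVerifyClient":       ("SSLHostConfig", "certificateVerification"),
    "sslProtocol":           ("SSLHostConfig", "sslProtocol"),
    "sslEnabledProtocols":   ("SSLHostConfig", "protocols"),
    "SSLProtocol":           ("SSLHostConfig", "protocols"),
    "ciphers":               ("SSLHostConfig", "ciphers"),
    "keystoreFile":          ("Certificate", "certificateKeystoreFile"),
    "keystorePass":          ("Certificate", "certificateKeystorePassword"),
    "keystoreType":          ("Certificate", "certificateKeystoreType"),
    "keyAlias":              ("Certificate", "certificateKeyAlias"),
    "SSLCertificateFile":    ("Certificate", "certificateFile"),
    "SSLCertificateKeyFile": ("Certificate", "certificateKeyFile"),
}
# Value spellings that differ between the old and the new attribute.
VALUE_MAP = {
    "clientAuth":      {"true": "required", "want": "optional", "false": "none"},
    "SSLVerifyClient": {"require": "required", "optional": "optional", "none": "none"},
}
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 7568 / RFC 8996


def _translate(old, value):
    if old == "SSLProtocol":
        # APR joined protocol names with '+'; SSLHostConfig takes a comma-separated list.
        return ",".join(p.strip() for p in value.split("+"))
    return VALUE_MAP.get(old, {}).get(value.lower(), value)


def _tls_connectors(root):
    return [c for c in root.iter("Connector") if c.get("SSLEnabled", "false").lower() == "true"]


def _default_host(conn):
    """The explicit <SSLHostConfig> that names the connector's default host, if any."""
    name = conn.get("defaultSSLHostConfigName", "_default_")
    for host in conn.findall("SSLHostConfig"):
        if host.get("hostName", "_default_") == name:
            return host
    return None


def lint(server_xml):
    """Return a list of findings (empty when there is nothing to report)."""
    findings = []
    for conn in _tls_connectors(ET.fromstring(server_xml)):
        port = conn.get("port", "?")
        legacy = sorted(a for a in conn.attrib if a in LEGACY)
        if legacy and _default_host(conn) is not None:
            # The startup failure from the thread: the legacy attributes become a
            # second SSLHostConfig for the default host and Tomcat refuses to start.
            findings.append(f"port {port}: legacy attributes {legacy} together with an explicit "
                            "SSLHostConfig for the default host; Tomcat refuses to start "
                            "(Multiple SSLHostConfig elements ... [_default_])")
        elif legacy:
            findings.append(f"port {port}: deprecated Connector attributes {legacy}")
        declared = [conn.get("sslEnabledProtocols", ""), conn.get("SSLProtocol", "")]
        declared += [h.get("protocols", "") for h in conn.findall("SSLHostConfig")]
        weak = sorted({p for v in declared for p in re.split(r"[,+\s]+", v) if p in DEPRECATED_PROTOCOLS})
        if weak:
            findings.append(f"port {port}: explicitly enables deprecated protocols {weak}")
    return findings


def migrate(server_xml):
    """Move legacy Connector SSL attributes into SSLHostConfig/Certificate; return the new XML."""
    root = ET.fromstring(server_xml)
    for conn in _tls_connectors(root):
        legacy = {a: conn.attrib.pop(a) for a in list(conn.attrib) if a in LEGACY}
        if not legacy:
            continue
        host = _default_host(conn)
        if host is None:
            host = ET.SubElement(conn, "SSLHostConfig")
            if conn.get("defaultSSLHostConfigName"):
                host.set("hostName", conn.get("defaultSSLHostConfigName"))
        cert = host.find("Certificate")
        if cert is None:
            cert = ET.SubElement(host, "Certificate")
        for old, value in legacy.items():
            element, new = LEGACY[old]
            (host if element == "SSLHostConfig" else cert).set(new, _translate(old, value))
    return ET.tostring(root, encoding="unicode")


def default_host_settings(server_xml):
    """Per port: (attributes of the default SSLHostConfig, attributes of its Certificate)."""
    out = {}
    for conn in _tls_connectors(ET.fromstring(server_xml)):
        host = _default_host(conn)
        cert = host.find("Certificate") if host is not None else None
        out[conn.get("port")] = (None if host is None else dict(host.attrib),
                                 None if cert is None else dict(cert.attrib))
    return out


# Constructed sample: the NIO connector that failed to start in the thread.
BROKEN = """<Server><Service>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/foo.jks" certificateKeystoreType="JKS"
                 certificateKeystorePassword="changeit" certificateKeyAlias="tomcat" type="RSA" />
  </SSLHostConfig>
</Connector>
</Service></Server>"""

# Constructed sample: the working APR connector in the old Connector syntax.
LEGACY_APR = """<Server><Service>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="conf/foo.pem" SSLCertificateKeyFile="conf/foo-nopp.pem"
           SSLVerifyClient="none" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>
</Service></Server>"""

if __name__ == "__main__":
    for finding in lint(BROKEN) + lint(LEGACY_APR):
        print(finding)
    print(migrate(LEGACY_APR))
```

Against a real installation, call lint(open("conf/server.xml").read()) before restarting. Note that migrate() only changes syntax: the APR sample still enables TLSv1 and TLSv1.1 after migration, and lint() keeps flagging that until the protocols attribute is tightened by hand.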