tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Trouble with TLS/SSL and Tomcat 8.5.23
Date Thu, 23 Nov 2017 17:20:33 GMT

Richard,

On 11/23/17 8:28 AM, Richard Tearle wrote:
> Yes I read through that thread, but we don't really like Java key 
> stores, and I don't think the work around would work for us.

Java keystores are ... awful.

> Instead, I did what perhaps I should have done a while ago (on
> version 8.0.x), and built Tomcat Native libraries, deployed, and
> changed the certificate references in the connector to use our .PEM
> files (which the PKCS12 files are built from), and fingers crossed,
> it's looking OK at the moment.

So are you using the APR connector, then?

You do have some other options:

1. JSSE with a PKCS12 keystore. OpenSSL can work with those types of
keystores.

2. JSSE with PEM-encoded DER files. I prefer PEM-encoded DER files for
everything, simply because they are so easy to work with.

3. JSSE+OpenSSL with PEM-encoded DER files.

Option #3 will get you the performance of OpenSSL's crypto but without
using the APR connector (which isn't quite as efficient as the
pure-Java NIO connector). Java's crypto seems to be hobbled for some
reason... some kind of mistake in the native optimization that ends up
falling back to pure-Java crypto which ... simply isn't fast enough
for real-world workloads.

I think the APR connector is likely to disappear with the next major
release of Tomcat (10.x I would guess) as the NIO+OpenSSL combination
is becoming more mature and offers better performance and scalability.

- -chris
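
Tomcat 8.5 server.xml fragments for the three options Chris lists, added here as an example and not taken from the thread. The element and attribute names are the real Tomcat 8.5 ones; the file paths, the port and the keystore password are assumptions.

```xml
<!-- Added example: the three JSSE-based options from the message above.
     Paths, port and password are assumed placeholders. -->

<!-- Option 1: JSSE (NIO connector) with a PKCS12 keystore -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="200">
  <SSLHostConfig protocols="TLSv1.2">
    <Certificate certificateKeystoreFile="conf/server.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="CHANGE_ME"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>

<!-- Option 2: JSSE (NIO connector) with PEM files; no keystore involved -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.2">
    <Certificate certificateKeyFile="conf/server-key.pem"
                 certificateFile="conf/server-cert.pem"
                 certificateChainFile="conf/chain.pem"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>

<!-- Option 3: NIO connector with the OpenSSL engine and the same PEM files.
     Needs the Tomcat Native (tcnative) library on the library path and the
     AprLifecycleListener under <Server> so OpenSSL is initialised, but NOT
     the Http11AprProtocol connector. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
  <SSLHostConfig protocols="TLSv1.2">
    <Certificate certificateKeyFile="conf/server-key.pem"
                 certificateFile="conf/server-cert.pem"
                 certificateChainFile="conf/chain.pem"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>
```

After restarting, confirm which chain the connector actually serves with `openssl s_client -connect host:8443 -showcerts`, since a missing or mis-ordered chain file is the usual cause of clients rejecting an otherwise valid certificate.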
