tomcat-users mailing list archives

From Don Flinn <fl...@alum.mit.edu>
Subject Re: Trying to understand How Tomcat uses Keystore for SSL
Date Mon, 04 Dec 2017 01:49:27 GMT
Chris,

Attached is a first cut at setting up SSL for Tomcat.  It is in Microsoft
Word. Hopefully people have that. If not I'll send it in another format
that is acceptable.

I tried to achieve a balance between completeness and brevity by only going
deep enough to give the reader enough information to understand what is
needed to use SSL/TLS with Tomcat.  When it got down to keystore I
effectively just repeated what was on the Tomcat SSL website.  A weak point
in the writeup (among many others) is getting Tomcat to listen on port 80
for letsencrypt.

If this might be useful please comment and correct.

Don

On Fri, Dec 1, 2017 at 11:32 AM, Christopher Schultz <chris@christopherschultz.net> wrote:

> Don,
>
> On 12/1/17 3:14 AM, Don Flinn wrote:
> > I'll be happy to accept your challenge to try to write some
> > documentation for the site from a newbee's point of view.  It will
> > be on the slow side as my 'day job' will interfere somewhat.  It
> > also will require some correction of errors.
>
> No problem at all. Just reach-out to the group if you need any
> hand-holding.
>
> -chris
> > On Wed, Nov 29, 2017 at 9:37 AM, Christopher Schultz <chris@christopherschultz.net> wrote:
> >
> > Don,
> >
> > On 11/28/17 4:55 PM, Don Flinn wrote:
> >>>>>> In fact, I think you are using PEM-encoded DER files and
> >>>>>> not a packaged keystore, even though your
> >>>>>> SSLHostConfig's keystoreType is set to "PKCS12".
> >>>>
> >>>> Yes, I am using PEM files.  Got to read more on DER files.
> >
> > PEM is an encoding, while DER is really the file format. It's like
> > saying "is this file text/plain or UTF-8?"
> >
> > This is a great read for almost anyone who cares about x509
> > certificates:
> >
> > https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
> >
> >>>> So do I just drop the keystoreType="PKCS12"  from the
> >>>> connector?
> > Theoretically, yes. The keystoreType is only used when there is a
> > keystore and not "certificate files", etc.
> >
> >>>>> If there's anything inaccurate on the Tomcat site
> >>>>
> >>>> No, I was talking about other sites, not the Tomcat site.
> >>>> I've been reading all over the internet for that which seems
> >>>> related. My statement was a caution to not believe everything
> >>>> you read. 'Trust but verify'
> >
> > Mark has given a number of presentations on TLS and they are very
> > accessible. Have a look at the slides (and some audio/video) on
> > the "presentations" page on the Tomcat site. Each of them has a
> > varying level of "introductoryness", but I think the more recent
> > ones like "Introduction to Tomcat and TLS" from TomcatCon in Miami
> > are probably the best ones to see for beginners.
> >
> >>>> Your e-mail has been very helpful, not only to me, but I
> >>>> believe to others.  With respect to the Tomcat site, I think
> >>>> a lot of what you wrote would be very helpful there.  For
> >>>> example, the Tomcat write up on SSL describes how to do self
> >>>> signed certificates and fleetingly mentions that if you have
> >>>> a certificate from a CA that you could use e.g. openssl and
> >>>> then refers the reader to their java documentation and
> >>>> openssl documentation.  Not too helpful to the
> >>>> security/Tomcat novice.
> >
> > Agreed. Would you care to write some new documentation and/or
> > prepare a patch for the site? It's usually best when beginners
> > write for their own audience. I, for example, understand it
> > backwards and forwards so when I write I have a skewed perspective.
> > Writing as a beginner can re-focus the narrative for a different
> > audience.
> >
> > If you need any help grabbing the site from svn, etc. please just
> > ask.
> >
> >>>> Thanks for your patience and help.
> >
> > You are more important than the software. No, really:
> > https://blogs.apache.org/foundation/entry/asf_15_community_over_code
> >
> >  -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >
>

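Two points in the thread above lend themselves to a small worked illustration: Chris's remark that PEM is an encoding while DER is the file format, and his answer that keystoreType only matters when an actual keystore is configured rather than certificate files. The Python below is an added example, not code from this thread, from Don's write-up, or from Tomcat itself. Part 1 strips and re-applies PEM armour and walks the resulting DER tag-length-value structure; Part 2 lints a server.xml fragment for a Certificate element that mixes keystore-only attributes with PEM file attributes. It assumes the Tomcat 8.5+/9 SSLHostConfig attribute names (certificateFile, certificateKeyFile, certificateChainFile, certificateKeystoreFile, certificateKeystoreType, certificateKeystorePassword, certificateKeyAlias) and treats the thread's "keystoreType" as that Certificate-level certificateKeystoreType. The DER bytes and the server.xml fragment are constructed for the example; the DER is not a real certificate.

```python
"""Added example, not code from the thread or from Tomcat. Part 1: PEM is
base64 armour around DER bytes (encoding vs. format). Part 2: lint a
server.xml fragment for keystore-only attributes on a <Certificate> that is
really configured from PEM files. Assumes Tomcat 8.5+/9 SSLHostConfig
attribute names; all sample data below is constructed."""
import base64
import re
import xml.etree.ElementTree as ET

# ---- Part 1: PEM is an encoding of DER -------------------------------------

def pem_to_der(pem_text, label="CERTIFICATE"):
    """Strip the -----BEGIN/END <label>----- armour and base64-decode the body."""
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label),
                  pem_text, re.S)
    if m is None:
        raise ValueError("no PEM block labelled %s" % label)
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def der_to_pem(der, label="CERTIFICATE"):
    """Base64 the DER bytes, fold at 64 columns, add the armour lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

def der_tlv(der, offset=0):
    """Decode one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = der[offset]
    length = der[offset + 1]
    offset += 2
    if length & 0x80:                 # long form: 0x8n, then n big-endian length bytes
        n = length & 0x7F
        length = int.from_bytes(der[offset:offset + n], "big")
        offset += n
    return tag, der[offset:offset + length], offset + length

def der_children(der):
    """Return (tag, value) pairs inside the top-level SEQUENCE (tag 0x30),
    which is also the outermost element of every X.509 certificate."""
    tag, body, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    children, off = [], 0
    while off < len(body):
        t, v, off = der_tlv(body, off)
        children.append((t, v))
    return children

# Constructed DER (not a real certificate): SEQUENCE { INTEGER 2, UTF8String "constructed" }
SAMPLE_DER = bytes.fromhex("3010" "020102" "0c0b") + b"constructed"

# ---- Part 2: keystore attributes are only used when a keystore is configured --

PEM_ATTRS = ("certificateFile", "certificateKeyFile", "certificateChainFile")
KEYSTORE_ATTRS = ("certificateKeystoreFile", "certificateKeystoreType",
                  "certificateKeystorePassword", "certificateKeyAlias")

def lint_tls_config(server_xml):
    """Return one finding per <Certificate> under an SSLEnabled <Connector> that
    mixes keystore-only attributes with PEM file attributes, or names neither."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        port = conn.get("port", "?")
        for cert in conn.iter("Certificate"):
            pem = [a for a in PEM_ATTRS if cert.get(a)]
            ks = [a for a in KEYSTORE_ATTRS if cert.get(a)]
            if pem and ks:
                findings.append("port %s: %s only apply to a keystore and are not used "
                                "because PEM files (%s) are configured; drop them"
                                % (port, ", ".join(ks), ", ".join(pem)))
            elif not pem and not ks:
                findings.append("port %s: <Certificate> names neither a keystore nor PEM files" % port)
    return findings

# Constructed server.xml fragment: 8443 mixes PEM files with a keystore type
# (the thread's situation); 8444 is a clean keystore-only configuration.
SAMPLE_SERVER_XML = """<Server><Service>
  <Connector port="8443" SSLEnabled="true"
             protocol="org.apache.coyote.http11.Http11NioProtocol">
    <SSLHostConfig><Certificate certificateFile="conf/cert.pem"
        certificateKeyFile="conf/privkey.pem" certificateChainFile="conf/chain.pem"
        certificateKeystoreType="PKCS12"/></SSLHostConfig>
  </Connector>
  <Connector port="8444" SSLEnabled="true"
             protocol="org.apache.coyote.http11.Http11NioProtocol">
    <SSLHostConfig><Certificate certificateKeystoreFile="conf/keystore.p12"
        certificateKeystoreType="PKCS12" certificateKeystorePassword="changeit"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem, end="")
    print("round trip ok:", pem_to_der(pem) == SAMPLE_DER)
    print("children:", der_children(SAMPLE_DER))
    for finding in lint_tls_config(SAMPLE_SERVER_XML):
        print("finding:", finding)
```

Running it prints the armoured sample, confirms the PEM/DER round trip, lists the two inner elements of the SEQUENCE, and reports one finding for port 8443 only. The same `pem_to_der` and `der_children` calls work on a real PEM certificate file: the top-level tag is again 0x30 and the first child is the TBSCertificate SEQUENCE, which is the point of Chris's "encoding versus format" distinction.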