tomcat-users mailing list archives

From Giuseppe Sacco <giuse...@eppesuigoccas.homedns.org>
Subject Re: Connector difference explanation request - two ways of getting SSL in server.xml
Date Sat, 22 Jun 2019 21:56:19 GMT
Hello Richard,

On Sat, 22/06/2019 at 21.19 +0000, Richard Huntrods wrote:
> Apologies if this is really basic, but I've seen two ways of handling
> https (SSL) for tomcat and don't understand the differences.
[...]
> <Connector port="443"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="150" SSLEnabled="true">
>     <SSLHostConfig>
>         <Certificate certificateFile="/etc/letsencrypt/live/mydomain.com/cert.pem"
>                      certificateKeyFile="/etc/letsencrypt/live/mydomain.com/privkey.pem"
>                      certificateChainFile="/etc/letsencrypt/live/mydomain.com/chain.pem" />
>     </SSLHostConfig>
> </Connector>
> 
> vs.
> 
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>            maxThreads="150" enableLookups="false" scheme="https" secure="true"
>            keystoreFile="./keys/.keystore" keystorePass="mypass"
>            clientAuth="false" sslProtocol="TLS" />

If I understand correctly, prior to 8.5, there were two different
syntaxes: one for SSL implemented by JSSE and one for openssl. The new
syntax allows you to specify all parameters in one way that both
implementations recognize.

Moreover, you may have configurations that were previously not possible,
i.e., you may now have many certificates (one RSA, one EC, one DSS) on the
same connector: the right certificate will be picked dynamically
based on the SSL cipher used.

Bye,
Giuseppe
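Added example (editor's illustration, not code posted in this thread): a single
Connector in the 8.5+ SSLHostConfig syntax that carries both an RSA and an EC
certificate, plus a second SNI host whose certificate comes from a JKS keystore,
which is where the old keystoreFile/keystorePass/clientAuth attributes of the
second config end up. The certificate paths, the keystore name and alias, the
host name www.example.com and the cipher list are assumptions chosen for the
example; TLSv1.3 in the protocols attribute assumes a Java or OpenSSL build that
supports it.

```xml
<!-- Added example: not from the original mailing-list thread.
     Assumed: certificate paths, keystore name/alias, host name, cipher list. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">

    <!-- _default_ is used when the client sends no SNI name or an unknown one.
         certificateVerification="none" is the SSLHostConfig form of the old
         clientAuth="false"; protocols replaces sslProtocol="TLS". -->
    <SSLHostConfig hostName="_default_"
                   protocols="TLSv1.2+TLSv1.3"
                   certificateVerification="none"
                   honorCipherOrder="true"
                   ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256">

        <!-- With more than one Certificate nested in an SSLHostConfig the type
             attribute is required; Tomcat picks the RSA or the EC certificate
             according to the key-exchange/authentication of the negotiated cipher. -->
        <Certificate type="RSA"
                     certificateFile="/etc/letsencrypt/live/mydomain.com/cert.pem"
                     certificateKeyFile="/etc/letsencrypt/live/mydomain.com/privkey.pem"
                     certificateChainFile="/etc/letsencrypt/live/mydomain.com/chain.pem" />

        <!-- Assumed second Let's Encrypt lineage holding an ECDSA key. -->
        <Certificate type="EC"
                     certificateFile="/etc/letsencrypt/live/mydomain.com-ecdsa/cert.pem"
                     certificateKeyFile="/etc/letsencrypt/live/mydomain.com-ecdsa/privkey.pem"
                     certificateChainFile="/etc/letsencrypt/live/mydomain.com-ecdsa/chain.pem" />
    </SSLHostConfig>

    <!-- A second virtual host, selected by SNI, served from a JKS keystore.
         This is the keystoreFile/keystorePass style of the older syntax expressed
         as a Certificate element; keystore name, password and alias are assumed. -->
    <SSLHostConfig hostName="www.example.com"
                   protocols="TLSv1.2+TLSv1.3"
                   certificateVerification="none">
        <Certificate type="RSA"
                     certificateKeystoreFile="conf/www.example.com.jks"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="www.example.com" />
    </SSLHostConfig>
</Connector>
```

To confirm which certificate is handed out, connect twice with OpenSSL and
restrict the offered cipher each time, e.g.
openssl s_client -connect mydomain.com:443 -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256
and then the same command with -cipher ECDHE-RSA-AES128-GCM-SHA256; the
"Server public key" line and the certificate subject in the output should
change from the EC certificate to the RSA one. Adding -servername www.example.com
exercises the SNI host instead of _default_.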


