tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rémy Maucherat <r...@apache.org>
Subject Re: [PROPOSAL] Tomcat 10: Drop APR Connector
Date Mon, 07 Oct 2019 15:36:43 GMT
On Mon, Oct 7, 2019 at 4:39 PM Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> All,
>
> I recently gave a presentation on locking-down Apache Tomcat[1] and I
> briefly discussed the "sharp edges" present in Tomcat. Some of them
> are unnecessarily sharp and may be actually unnecessary. I'm going to
> make a few proposals to remove functions from Tomcat.
>
> Proposal: Remove APR connector
>
> Justification:
>
> The APR connector was once used to provide superior I/O when compared
> to the only other available I/O mechanism available in Java: blocking
> I/O. Specifically, the APR connector allowed Tomcat to wait for
> keepalive requests on a connection to in a non-blocking fashion which
> was not possible with Java BIO-based connectors.
>
> The introduction of NIO into Java back in Java 1.4 (!!) changed
> things, and NIO support was added to Tomcat in 6.0. Now that it has
>

But it really didn't work then.


> had time to mature, the NIO connector is superior to the APR connector
> in several ways:
>
> 1. NIO connector allows non-blocking TLS handshakes
> 2. NIO connector uses less (Tomcat-owned) native code
>
> The first item improves performance and availability and the second
> item improves stability (and thus availability).
>

I agree the OpenSSL native code used alone inside an OpenSSLContext is much
easier to make crash proof than the network code as a whole in the APR
connector.


>
> The last advantage which (until recently) made the APR connector still
> very useful was the ability to use the OpenSSL cryptographic library
> for all cryptographic operations which is measurably
> higher-performance than those typically provided by the JVM.
>
> This last advantage no longer exists since we have a JSSE provider
> available for OpenSSL using libtcnative.
>
> Notes:
>
> This proposal does not recommend the removal of libtcnative. Only the
> removal of the APR connector, the APR lifecycle listener, and the
> associated native code required to support those components.
>

The APR lifecycle listener is not part of the APR connector, it initializes
the libraries and sets config defaults based on that.

Anyway, +1 to attempt the APR connector removal.

Rémy


>
> - -chris
>
>
> [1] http://tomcat.apache.org/presentations.html#latest-locking-down-tomc
> at
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2bTg8ACgkQHPApP6U8
> pFghUhAAwXEdrarxE5sgqMbZxswlOrRTQSIGZuh2t9KV8pJG+M8NrRbPMZxL3IX/
> UkJA9JGxFGA20D9kn0Xx2eX276tKtW/ZyVhg9vvlKqm8+n+vXLuN/sj15sPw1f64
> rCqj/GA+iMPP1AtBwc3E2bxBUI7WYGjgMutobwWOfHrlrw6/D4aNyO/t8XXlh9UT
> ZcP9Nq0ed4G4I+zx+R//FmEa0Ky2ARUtiyuBhnA+yEFm0XT/iMpgGnl5DHpJ5nOv
> U9YiTOU/bMXP1ABgCYoPgHPnYADKoEepdhD8x7CZTyUpR4vTr7DXxAABvapwynBo
> sPb+CFjlQilS8zxNYbGZbCu/mpux88jKYvOrrf5Jjb8YzxAGmmy00VyzuyzApdLs
> T9eYJazcej8u0he26U+QJi+HCQ+KpdSeMP/kQuw2BorvdD5BkPA22MvqoeIdU1Xs
> IzS6+69/MwjkTSL3YOlxp/E7HuG/gegGYBgVphVVJVAYh5lyBcY9o5diTIwdbejU
> yK+3WBbkK9dp8nM0GmKoaUqhLP/XvACG5FohW6P+EHLTjlCy7dPbr7s409coQb/1
> JQqur4GABbM47MXSDaXHisXLSLY3RpF6Uo0Fb2AC2AuuAihjNpQ0GmeuLHhoPI7W
> CycCLjMqLystoj8pNR1pil1FOgI1zOPilylpMX0mV5VuDhPxuFw=
> =MZ7V
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>

Mime
View raw message