Richard,
On 11/23/17 8:28 AM, Richard Tearle wrote:
> Yes I read through that thread, but we don't really like Java key
> stores, and I don't think the workaround would work for us.
Java keystores are ... awful.
> Instead, I did what perhaps I should have done a while ago (on
> version 8.0.x), and built Tomcat Native libraries, deployed, and
> changed the certificate references in the connector to use our .PEM
> files (which the PKCS12 files are built from), and fingers crossed,
> it's looking OK at the moment.
So are you using the APR connector, then?
You do have some other options:

1. JSSE with a PKCS12 keystore. OpenSSL can work with those types of
   keystores.
2. JSSE with PEM-encoded DER files. I prefer PEM-encoded DER files for
   everything, simply because they are so easy to work with.
3. JSSE+OpenSSL with PEM-encoded DER files.

Option #3 will get you the performance of OpenSSL's crypto but without
using the APR connector (which isn't quite as efficient as the
pure-Java NIO connector). Java's crypto seems to be hobbled for some
reason... some kind of mistake in the native-optimization that ends up
falling back to pure-Java crypto which ... simply isn't fast enough
for real-world workloads.
I think the APR connector is likely to disappear with the next major
release of Tomcat (10.x I would guess) as the NIO+OpenSSL combination
is becoming more mature and offers better performance and scalability.
-chris
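
Options 2 and 3 from the reply above, sketched as a `server.xml` fragment. This is an added example, not configuration from the thread: it assumes Tomcat 8.5 or later with the Tomcat Native library installed, and the ports and PEM file paths are placeholders.

```xml
<!-- Added example: fragment of conf/server.xml. Ports and file paths are placeholders. -->

<!-- Inside <Server>: loads Tomcat Native, which option 3 needs for OpenSSL. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<!-- Inside <Service>, option 2: NIO connector, JSSE crypto, PEM files. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig>
    <!-- Private key, server certificate and chain as separate PEM files. -->
    <Certificate certificateKeyFile="conf/example-key.pem"
                 certificateFile="conf/example-cert.pem"
                 certificateChainFile="conf/example-chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- Inside <Service>, option 3: same NIO connector and same PEM files,
     but TLS is handled by OpenSSL through Tomcat Native instead of JSSE.
     Only sslImplementationName differs from the connector above. -->
<Connector port="8444"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig>
    <Certificate certificateKeyFile="conf/example-key.pem"
                 certificateFile="conf/example-cert.pem"
                 certificateChainFile="conf/example-chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

The private key file should be readable only by the account Tomcat runs as, since PEM key files sit on disk outside any keystore password.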