Subject: Re: Trouble with TLS/SSL and Tomcat 8.5.23
From: Christopher Schultz
To: users@tomcat.apache.org (Tomcat Users List)
Date: Thu, 23 Nov 2017 12:20:33 -0500

Richard,

On 11/23/17 8:28 AM, Richard Tearle wrote:
> Yes I read through that thread, but we don't really like Java key
> stores, and I don't think the workaround would work for us.

Java keystores are ... awful.

> Instead, I did what perhaps I should have done a while ago (on
> version 8.0.x), and built Tomcat Native libraries, deployed, and
> changed the certificate references in the connector to use our .PEM
> files (which the PKCS12 files are built from), and fingers crossed,
> it's looking OK at the moment.

So are you using the APR connector, then?

You do have some other options:

1. JSSE with a PKCS12 keystore. OpenSSL can work with those types of
   keystores.

2. JSSE with PEM-encoded DER files. I prefer PEM-encoded DER files for
   everything, simply because they are so easy to work with.

3. JSSE+OpenSSL with PEM-encoded DER files.

Option #3 will get you the performance of OpenSSL's crypto but without
using the APR connector (which isn't quite as efficient as the pure-Java
NIO connector). Java's crypto seems to be hobbled for some reason (some
kind of mistake in the native optimization that ends up falling back to
pure-Java crypto, which simply isn't fast enough for real-world
workloads).

I think the APR connector is likely to disappear with the next major
release of Tomcat (10.x I would guess) as the NIO+OpenSSL combination is
becoming more mature and offers better performance and scalability.
-chris
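The three connector layouts listed in the reply, written out as server.xml fragments for Tomcat 8.5. This is an added example, not part of the original message and not the Tomcat project's own configuration: the file names under conf/, the port numbers and the keystore password are placeholders, and all three connectors are shown side by side only so the attribute differences are visible; a real deployment would keep one.

```xml
<!-- Added example (not from the original mail): three ways to wire the
     same RSA key and certificate chain into a Tomcat 8.5 HTTPS connector.
     Paths, ports and the password below are placeholders. -->

<!-- Needed only for option 3: loads libtcnative so the OpenSSL engine is
     available to the NIO connector. If the library is missing Tomcat logs
     a message at startup and carries on with JSSE. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="on" />

<!-- Option 1: pure-Java JSSE, key and chain held in a PKCS12 keystore.
     The password lives in server.xml, so restrict the file's permissions
     to the Tomcat service account. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
  <SSLHostConfig protocols="TLSv1.2">
    <Certificate certificateKeystoreFile="conf/server.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="changeit"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- Option 2: pure-Java JSSE reading PEM files directly. No Tomcat Native
     required. certificateChainFile holds the intermediates only; the leaf
     goes in certificateFile. Add certificateKeyPassword if the key is
     encrypted. -->
<Connector port="8444"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
  <SSLHostConfig protocols="TLSv1.2">
    <Certificate certificateKeyFile="conf/server-key.pem"
                 certificateFile="conf/server-cert.pem"
                 certificateChainFile="conf/server-chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- Option 3: NIO connector with the OpenSSL engine (via Tomcat Native and
     the Listener above), same PEM files as option 2. This is the NIO+OpenSSL
     combination the reply recommends over the APR connector. -->
<Connector port="8445"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
  <SSLHostConfig protocols="TLSv1.2">
    <Certificate certificateKeyFile="conf/server-key.pem"
                 certificateFile="conf/server-cert.pem"
                 certificateChainFile="conf/server-chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

Two checks are worth doing after a change like this. The startup log tells you which engine actually loaded: with Tomcat Native present, catalina.out reports the tcnative and OpenSSL versions; without it, the option 3 connector falls back to JSSE rather than failing, which is easy to miss. From outside, `openssl s_client -connect host:8445 -servername host` shows the negotiated protocol and the full chain the server sent, so a missing intermediate in certificateChainFile shows up as a verify error there before a browser reports it.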