> I'm sorry, I don't understand the "use one connector for login, and other
> connector for ssl non-client traffic" thing, could you give me an example?
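Sure. The following is the template for our server.xml connectors that
use APR. Port 8443 receives normal SSL traffic, and 9443 is used
exclusively for X.509 authentication on login. SSLVerifyClient="require"
applies to every connection a connector accepts, so keeping it on its
own port means only login traffic is asked for a client certificate.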
<!--
  Define a SSL HTTP/1.1 native/APR Connector on port 8443.
  This connector sets no SSLVerifyClient attribute; it carries the
  ordinary server-authenticated HTTPS traffic.

  The ${...} tokens are placeholders filled in when the template is
  rendered. ${ssl.cert.chain} stands alone in the attribute list, so it
  presumably expands to a whole attribute (for example
  SSLCertificateChainFile="...") or to nothing; confirm against whatever
  renders this template.

  NOTE(review): values to revisit before reusing this template:
  * SSLProtocol="SSLv3+TLSv1" enables SSLv3, which is deprecated
    (RFC 7568) and exposed to the POODLE padding-oracle attack; TLSv1 is
    deprecated as well (RFC 8996). Restrict this to the newest TLS
    versions the installed Tomcat Native / OpenSSL build supports.
  * SSLCipherSuite="HIGH:MEDIUM:-SSLv2" still admits the OpenSSL MEDIUM
    class. Check what the string expands to on the target host with
    openssl ciphers -v 'HIGH:MEDIUM:-SSLv2' and drop MEDIUM if the
    client population allows it.
  * compression="on" for text/html and text/xml: compressing
    TLS-protected responses that mix secrets with request-controlled
    data is the precondition for BREACH-style length side channels.
    Consider leaving compression off for pages that carry tickets or
    tokens.
  * SSLCertificateKeyFile points at the server private key; keep that
    file readable only by the account Tomcat runs as.
-->
<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
address="${bind.address}"
port="8443"
scheme="https"
secure="true"
maxHttpHeaderSize="8192"
maxThreads="150"
acceptCount="150"
connectionTimeout="10000"
enableLookups="false"
disableUploadTimeout="true"
SSLEnabled="true"
SSLProtocol="SSLv3+TLSv1"
SSLCipherSuite="HIGH:MEDIUM:-SSLv2"
SSLCertificateFile="${ssl.cert.path}"
SSLCertificateKeyFile="${ssl.key.path}"
${ssl.cert.chain}
compression="on"
compressionMinSize="2048"
compressableMimeType="text/html,text/xml"
/>
<!--
  Define a SSL HTTP/1.1 native/APR Connector on port 9443 that requires
  client authentication via X.509/cert credential.

  SSLVerifyClient="require" makes the TLS handshake fail unless the
  client presents a certificate that validates against the CA
  certificates in SSLCACertificateFile. Apart from those two attributes
  the settings match the port 8443 connector in this template.

  The ${...} tokens are placeholders filled in when the template is
  rendered. ${ssl.cert.chain} stands alone in the attribute list, so it
  presumably expands to a whole attribute or to nothing; confirm against
  whatever renders this template.

  NOTE(review): points to confirm for the client-certificate path:
  * SSLCACertificateFile is the trust anchor for login. Keep in it only
    the CA(s) meant to issue login certificates; any certificate issued
    under those CAs passes the TLS check, so the application still has
    to map the certificate subject to an account.
  * No SSLCARevocationFile / SSLCARevocationPath is set here, so unless
    the placeholder or the application adds revocation checking, a
    revoked client certificate would still be accepted at the TLS
    layer. Verify.
  * SSLVerifyDepth is not set; confirm the default chain depth suits the
    client CA hierarchy.

  NOTE(review): transport settings to revisit before reuse:
  * SSLProtocol="SSLv3+TLSv1" enables SSLv3 (deprecated by RFC 7568,
    exposed to POODLE) and TLSv1 (deprecated by RFC 8996). Restrict this
    to the newest TLS versions the installed Tomcat Native / OpenSSL
    build supports.
  * SSLCipherSuite="HIGH:MEDIUM:-SSLv2" still admits the OpenSSL MEDIUM
    class; inspect the expansion with
    openssl ciphers -v 'HIGH:MEDIUM:-SSLv2' on the target host.
  * compression="on": compressed TLS responses that mix secrets with
    request-controlled data enable BREACH-style length side channels;
    a login endpoint is a poor candidate for response compression.
-->
<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
address="${bind.address}"
port="9443"
scheme="https"
secure="true"
maxHttpHeaderSize="8192"
maxThreads="150"
acceptCount="150"
connectionTimeout="10000"
enableLookups="false"
disableUploadTimeout="true"
SSLEnabled="true"
SSLProtocol="SSLv3+TLSv1"
SSLCipherSuite="HIGH:MEDIUM:-SSLv2"
SSLCertificateFile="${ssl.cert.path}"
SSLCertificateKeyFile="${ssl.key.path}"
SSLVerifyClient="require"
SSLCACertificateFile="${ssl.client.ca.path}"
${ssl.cert.chain}
compression="on"
compressionMinSize="2048"
compressableMimeType="text/html,text/xml"
/>
M