Re: Aw: Re: TC8 -> TC9 KeyAlias SSL not supported?
Peter,

On 1/13/20 10:48 AM, Peter Rader wrote:
>> Peter,
>>
>> Can you find what you are looking for here?
>>
>> ?
>
> No! There is no such node or any similar content. And there simply
> can not be such a node because all the connector-xml-nodes are
> self-closing as you might have already noticed. AFAIK I should not
> create this SSLHostConfig because it is created automatically
> somehow according to the deprecated xml-node "keyAlias" (see:
> https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2_(deprecated)
> )!

I'm sorry I wasn't being clear: I was suggesting that you look at the
SSLHostConfig documentation and convert your configuration into one
which DOES contain an SSLHostConfig element.

You are correct, you should not need to create such a node but if it
solves your problem and side-steps a potential bug in Tomcat then
adding it ... well, solves your problem.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Aw: Re: TC8 -> TC9 KeyAlias SSL not supported?
On 13/01/2020 14:20, Peter Rader wrote:
>>> I recently moved from T8 to T9 to use PKI.
>>
>> Exact versions?
>
> T8 = 8.5.50.0 on amazon-corretto-8.232.09.1-linux-x64
> T9 = 9.0.30.0 on amazon-corretto-8.232.09.1-linux-x64
>
>>
>>> My keystore contains multiple CAs.
>>>
>>> I had to modify the ssl-connector from
>>> org.apache.coyote.http11.Http11Protocol
>>> to
>>> org.apache.coyote.http11.Http11NioProtocol
>>
>> Full Connector configurations (with sensitive data masked)?
>
> TC8=
> <Connector protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
> secure="true" SSLEnabled="true" keystoreFile="" keystorePass="X"
> sslProtocol="TLS" clientAuth="want" truststoreFile=""
> truststorePass="X" />
>
> TC9=
> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
> secure="true" SSLEnabled="true" keystoreFile="" keystorePass="X"
> sslProtocol="TLS" clientAuth="want" truststoreFile=""
> truststorePass="X" />

This is not possible. The first configuration is for the BIO connector.
This connector was not present in 8.5.x. Might you have been using 8.0.x?

keyAlias should still work in 9.0.x. It might be case-sensitive.

Do you have the Tomcat Native library installed and configured? The
extra plumbing we have added to allow users to swap seamlessly between
JSSE and OpenSSL has created a few bugs.

If you can re-create the issue with a set of test keys and certificates
that you can share with the developers, we can take a closer look.

Mark
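The conversion Chris suggests (an explicit SSLHostConfig element) and the alias check Mark raises, written out as an added illustration that is not from any message in this thread: the TC9 NIO connector quoted above in the SSLHostConfig form Tomcat 9 documents. The port, keystore and truststore paths, the password and the alias `myalias` are placeholders; the original thread masks those values and never shows the keyAlias attribute itself.

```xml
<!-- Added example, not from the thread. Placeholders: port 8443,
     /path/to/keystore.jks, /path/to/truststore.jks, changeit, myalias. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           scheme="https" secure="true" SSLEnabled="true">
    <!-- clientAuth="want" on the old-style connector maps to
         certificateVerification="optional"; sslProtocol keeps its name -->
    <SSLHostConfig sslProtocol="TLS"
                   certificateVerification="optional"
                   truststoreFile="/path/to/truststore.jks"
                   truststorePassword="changeit">
        <!-- keyAlias on the old-style connector maps to certificateKeyAlias.
             It must match the entry name in the keystore; the alias is not
             guaranteed to be matched case-insensitively -->
        <Certificate certificateKeystoreFile="/path/to/keystore.jks"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="myalias"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Before relying on the alias, confirm the exact entry name with `keytool -list -v -keystore /path/to/keystore.jks` and copy it verbatim into certificateKeyAlias; a keystore holding several CA entries plus one server key is exactly the case where a mismatched or mis-cased alias makes Tomcat pick the wrong entry or fail to start the connector.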
Re: Aw: Re: TC8 -> TC9 KeyAlias SSL not supported?
> Peter,
>
> Can you find what you are looking for here?
>
> ?

No! There is no such node or any similar content. And there simply can
not be such a node because all the connector-xml-nodes are self-closing
as you might have already noticed. AFAIK I should not create this
SSLHostConfig because it is created automatically somehow according to
the deprecated xml-node "keyAlias" (see:
https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2_(deprecated)
)!
Re: Aw: Re: TC8 -> TC9 KeyAlias SSL not supported?
Peter,

On 1/13/20 9:20 AM, Peter Rader wrote:
>>> I recently moved from T8 to T9 to use PKI.
>>
>> Exact versions?
>
> T8 = 8.5.50.0 on amazon-corretto-8.232.09.1-linux-x64
> T9 = 9.0.30.0 on amazon-corretto-8.232.09.1-linux-x64
>
>>
>>> My keystore contains multiple CAs.
>>>
>>> I had to modify the ssl-connector from
>>> org.apache.coyote.http11.Http11Protocol to
>>> org.apache.coyote.http11.Http11NioProtocol
>>
>> Full Connector configurations (with sensitive data masked)?
>
> TC8=
> <Connector protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
> secure="true" SSLEnabled="true" keystoreFile=""
> keystorePass="X" sslProtocol="TLS" clientAuth="want"
> truststoreFile="" truststorePass="X" />
>
> TC9=
> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
> scheme="https" secure="true" SSLEnabled="true" keystoreFile=""
> keystorePass="X" sslProtocol="TLS" clientAuth="want"
> truststoreFile="" truststorePass="X" />
>
> Masks:
> - XXX keystore CA
> - keystore or truststore
> - X password for keystore/truststore

Can you find what you are looking for here?

?

http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig

-chris
Aw: Re: TC8 -> TC9 KeyAlias SSL not supported?
> > I recently moved from T8 to T9 to use PKI.
>
> Exact versions?

T8 = 8.5.50.0 on amazon-corretto-8.232.09.1-linux-x64
T9 = 9.0.30.0 on amazon-corretto-8.232.09.1-linux-x64

> > My keystore contains multiple CAs.
> >
> > I had to modify the ssl-connector from
> > org.apache.coyote.http11.Http11Protocol
> > to
> > org.apache.coyote.http11.Http11NioProtocol
>
> Full Connector configurations (with sensitive data masked)?

TC8=

TC9=

Masks:
- XXX keystore CA
- keystore or truststore
- X password for keystore/truststore

>
> Mark

Peter