On Tue, Apr 5, 2016 at 4:25 PM, Rémy Maucherat <r...@apache.org> wrote:
> 2016-04-05 15:11 GMT-05:00 Thad Humphries <thad.humphr...@gmail.com>:
>
> > My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS and
> > TLS.
> >
> > Since I eventually must demonstrate the various HTTPS approaches to
> > others, I have tried both the APR and the NIO implementation, as well as
> > the different <Connector> layouts in the docs
> > (http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File),
> > and the $CATALINA_BASE/conf/server.xml comments. I've gotten APR
> > working both ways, but not quite NIO.
> >
> > When I use the following connector for NIO (from the docs), my SSL works:
> >
> > <Connector
> >     protocol="org.apache.coyote.http11.Http11NioProtocol"
> >     port="8443" maxThreads="200" compression="on"
> >     scheme="https" secure="true" SSLEnabled="true"
> >     keystoreFile="conf/foo.jks" keystorePass="changeit"
> >     clientAuth="false" sslProtocol="TLS">
> >   <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
> > </Connector>
> >
> > However when I try the approach in the server.xml comments, Tomcat does
> > not start:
> >
> > <Connector port="8443"
> >     protocol="org.apache.coyote.http11.Http11NioProtocol"
> >     maxThreads="200" SSLEnabled="true"
> >     scheme="https" secure="true" clientAuth="false"
> >     sslProtocol="TLS">
> >   <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
> >   <SSLHostConfig honorCipherOrder="false">
> >     <Certificate certificateKeystoreFile="conf/foo.jks"
> >         certificateKeystoreType="JKS"
> >         certificateKeystorePassword="changeit"
> >         certificateKeyAlias="tomcat"
> >         type="RSA" />
> >   </SSLHostConfig>
> > </Connector>
> >
> > The error at the top of catalina.out is below. I'm trying to understand
> > why, both for myself and so that I can explain it to others. The "Caused
> > by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements
> > were provided for the host name [_default_]. Host names must be unique."
> > has me stumped as I have only the one uncommented SSLHostConfig in
> > server.xml.
> >
> > (Once I have this second <Connector> working, I must make a write-up for
> > folks here, a write-up which I hope will be clearer and more direct than
> > the docs. I would be happy to offer that write-up to the wiki or docs.)
> >
> You still have some attributes which should go into SSLHostConfig, so you
> have two SNI for the default host (clientAuth and sslProtocol). BTW
> sslProtocol is really useless.
>
> Rémy
>

I'm sorry, I'm not following you. Are you saying that to make the second
<Connector> work I must remove either clientAuth or sslProtocol? (No, I must
be mistaken--remove either/or and Tomcat still fails to start.)

"BTW sslProtocol is really useless." does make sense. If so, I think I'm
hearing that I should not use the sslProtocol="TLS" attribute or the
<SSLHostConfig> element. Is that right?

The 8.5 docs say "As of Tomcat 9, the majority of the SSL configuration
attributes in the Connector are deprecated. If specified, they will be used
to configure a SSLHostConfig and Certificate for the sslDefaultHost. Note
that if an explicit SSLHostConfig element also exists for the sslDefaultHost
then that will be treated as a configuration error. It is expected that
Tomcat 10 will drop support for the SSL configuration attributes in the
Connector."

This confuses me. The 8.5 server.xml uses <SSLHostConfig> in its commented
examples while the 8.0 server.xml does not. And if SSL* attributes are going
away, why is <SSLHostConfig> now the example?

And without SSL*, how do I specify the certificates in an APR connector like
this one (which is the first I got working):

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
    port="8443" maxThreads="200" compression="on"
    scheme="https" secure="true" SSLEnabled="true"
    SSLCertificateFile="conf/foo.pem"
    SSLCertificateKeyFile="conf/foo-nopp.pem"
    SSLVerifyClient="none"
    SSLProtocol="TLSv1+TLSv1.1+TLSv1.2">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>

> > 05-Apr-2016 15:32:42.642 SEVERE [main]
> > org.apache.tomcat.util.digester.Digester.endElement End event threw
> > exception
> > java.lang.reflect.InvocationTargetException
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:498)
> >     at org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:377)
> >     at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
> >     at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:966)
> >     at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
> >     at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1783)
> >     at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2970)
> >     at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
> >     at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
> >     at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
> >     at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
> >     at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
> >     at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
> >     at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
> >     at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
> >     at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
> >     at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:498)
> >     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> > Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig
> > elements were provided for the host name [_default_]. Host names must be
> > unique.
> >     at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:201)
> >     at org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:398)
> >     at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:876)
> >     ... 26 more
> >
> > --
> > "Hell hath no limits, nor is circumscrib'd In one self-place; but where
> > we are is hell, And where hell is, there must we ever be" --Christopher
> > Marlowe, *Doctor Faustus* (v. 121-24)
>

--
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 121-24)
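The rule behind the error in this thread (deprecated SSL attributes on a Connector are turned into an implicit SSLHostConfig for the default host, so an explicit <SSLHostConfig> for that same host is a second one) can be checked mechanically before restarting Tomcat. The Python script below is an added example written for this page; it is not code from the thread or from the Tomcat project. It parses the Connector elements of a server.xml string, applies that rule, and reports which attributes need to move. The attribute-to-SSLHostConfig mapping table and the "fixed" connector (clientAuth moved to certificateVerification, sslProtocol dropped as Rémy suggests) are my assumptions based on the Tomcat 8.5 SSLHostConfig and Certificate attribute names; the sample connectors are constructed from the ones posted above, and the defaultSSLHostConfigName attribute is the Tomcat 8.5 Connector attribute of that name.

```python
"""Lint Tomcat 8.5/9 <Connector> elements for the SSLHostConfig collision.

Rule applied (from the Tomcat 8.5 docs quoted in the thread): deprecated SSL
attributes on <Connector> become an implicit SSLHostConfig for the default
host, so an explicit <SSLHostConfig> for that same host collides with it
("Multiple SSLHostConfig elements were provided for the host name
[_default_]"). Added example, not Tomcat's own code.
"""
import xml.etree.ElementTree as ET

DEFAULT_HOST = "_default_"

# Deprecated Connector attribute -> where it belongs in 8.5. Assumption: the
# table covers the attributes used in the thread plus a few common JSSE/APR
# names; it is not the complete list Tomcat recognises.
LEGACY_SSL_ATTRS = {
    "clientAuth": "SSLHostConfig certificateVerification",
    "sslProtocol": "SSLHostConfig sslProtocol (usually just drop it)",
    "sslEnabledProtocols": "SSLHostConfig protocols",
    "ciphers": "SSLHostConfig ciphers",
    "keystoreFile": "Certificate certificateKeystoreFile",
    "keystorePass": "Certificate certificateKeystorePassword",
    "keystoreType": "Certificate certificateKeystoreType",
    "keyAlias": "Certificate certificateKeyAlias",
    "SSLCertificateFile": "Certificate certificateFile",
    "SSLCertificateKeyFile": "Certificate certificateKeyFile",
    "SSLVerifyClient": "SSLHostConfig certificateVerification",
    "SSLProtocol": "SSLHostConfig protocols",
}


def lint_connector(connector):
    """Return a list of finding strings for one <Connector> element."""
    if connector.get("SSLEnabled", "false").lower() != "true":
        return []  # plain HTTP connector, nothing to check
    port = connector.get("port", "?")
    default_host = connector.get("defaultSSLHostConfigName", DEFAULT_HOST)

    # Count explicit <SSLHostConfig> children per host name.
    explicit = {}
    for shc in connector.findall("SSLHostConfig"):
        name = shc.get("hostName", DEFAULT_HOST)
        explicit[name] = explicit.get(name, 0) + 1

    findings = []
    # Any number of legacy attributes yields exactly ONE implicit SSLHostConfig
    # for the default host, so removing just one of them does not remove it.
    legacy = sorted(a for a in connector.attrib if a in LEGACY_SSL_ATTRS)
    if legacy and explicit.get(default_host, 0) > 0:
        moves = "; ".join(f"{a} -> {LEGACY_SSL_ATTRS[a]}" for a in legacy)
        findings.append(
            f"port {port}: legacy attributes {legacy} create an implicit "
            f"SSLHostConfig for [{default_host}], which collides with the "
            f"explicit <SSLHostConfig> for that host. Move them: {moves}")
    for name, n in explicit.items():
        if n > 1:
            findings.append(f"port {port}: {n} explicit <SSLHostConfig> "
                            f"elements share hostName [{name}]")
    return findings


def lint_server_xml(xml_text):
    """Lint every <Connector> in a server.xml document given as a string."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        findings.extend(lint_connector(conn))
    return findings


# Constructed sample 1: the NIO connector from the thread that fails to start.
FAILING = """<Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig honorCipherOrder="false">
    <Certificate certificateKeystoreFile="conf/foo.jks"
        certificateKeystoreType="JKS" certificateKeystorePassword="changeit"
        certificateKeyAlias="tomcat" type="RSA" />
  </SSLHostConfig>
</Connector>
</Service>"""

# Constructed sample 2 (assumed fix): clientAuth moved into <SSLHostConfig> as
# certificateVerification, sslProtocol dropped; keystore details unchanged.
FIXED = """<Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="200" SSLEnabled="true" scheme="https" secure="true">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig honorCipherOrder="false" certificateVerification="none">
    <Certificate certificateKeystoreFile="conf/foo.jks"
        certificateKeystoreType="JKS" certificateKeystorePassword="changeit"
        certificateKeyAlias="tomcat" type="RSA" />
  </SSLHostConfig>
</Connector>
</Service>"""

if __name__ == "__main__":
    for label, doc in (("failing", FAILING), ("fixed", FIXED)):
        print(label, lint_server_xml(doc) or "no findings")
```

Run as-is, the script reports one finding for the failing connector and none for the fixed one. It also shows why removing only one of clientAuth or sslProtocol still fails: a single remaining legacy attribute is enough to create the implicit default-host SSLHostConfig, so both must go (or the explicit <SSLHostConfig> element must). A connector that uses only legacy attributes and no <SSLHostConfig> child, such as the first NIO example in the thread, passes the check.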