Richard,

On 11/23/17 8:28 AM, Richard Tearle wrote:
> Yes I read through that thread, but we don't really like Java key
> stores, and I don't think the workaround would work for us.

Java keystores are ... awful.

> Instead, I did what perhaps I should have done a while ago (on
> version 8.0.x), and built Tomcat Native libraries, deployed, and
> changed the certificate references in the connector to use our .PEM
> files (which the PKCS12 files are built from), and fingers crossed,
> it's looking OK at the moment.

So are you using the APR connector, then? You do have some other options:

1. JSSE with a PKCS12 keystore. OpenSSL can work with those types of keystores.
2. JSSE with PEM-encoded DER files. I prefer PEM-encoded DER files for everything, simply because they are so easy to work with.
3. JSSE+OpenSSL with PEM-encoded DER files.

Option #3 will get you the performance of OpenSSL's crypto but without using the APR connector (which isn't quite as efficient as the pure-Java NIO connector). Java's crypto seems to be hobbled for some reason... some kind of mistake in the native-optimization that ends up falling-back to pure-Java crypto which ... simply isn't fast enough for real-world workloads.

I think the APR connector is likely to disappear with the next major release of Tomcat (10.x I would guess) as the NIO+OpenSSL combination is becoming more mature and offers better performance and scalability.

-chris
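
The three options listed in the message above, sketched as alternative `server.xml` connectors using the `SSLHostConfig` syntax of Tomcat 8.5 and later. This is an added example, not part of the original message: the port, file paths and keystore password are placeholders, and option 3 assumes the Tomcat Native library is installed.

```xml
<!-- Alternatives: enable exactly ONE of these connectors. -->
<!-- All paths and the password below are placeholders. -->

<!-- Option 1: JSSE (pure Java) with a PKCS12 keystore -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/PLACEHOLDER.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="PLACEHOLDER" />
  </SSLHostConfig>
</Connector>

<!-- Option 2: JSSE (pure Java) reading PEM files directly -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
  <SSLHostConfig>
    <Certificate certificateKeyFile="conf/PLACEHOLDER-key.pem"
                 certificateFile="conf/PLACEHOLDER-cert.pem"
                 certificateChainFile="conf/PLACEHOLDER-chain.pem" />
  </SSLHostConfig>
</Connector>

<!-- Option 3: NIO connector with OpenSSL crypto (needs Tomcat Native), PEM files -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
  <SSLHostConfig>
    <Certificate certificateKeyFile="conf/PLACEHOLDER-key.pem"
                 certificateFile="conf/PLACEHOLDER-cert.pem"
                 certificateChainFile="conf/PLACEHOLDER-chain.pem" />
  </SSLHostConfig>
</Connector>
```

In all three cases the private key or keystore file should be readable only by the account Tomcat runs as.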