On 22/06/2019 22:56, Giuseppe Sacco wrote:
> Hello Richard,
>
> On Sat, 22/06/2019 at 21.19 +0000, Richard Huntrods wrote:
>> Apologies if this is really basic, but I've seen two ways of handling
>> https (SSL) for tomcat and don't understand the differences.
> [...]
>> <Connector port="443"
>>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>>            maxThreads="150" SSLEnabled="true">
>>     <SSLHostConfig>
>>         <Certificate
>>             certificateFile="/etc/letsencrypt/live/mydomain.com/cert.pem"
>>             certificateKeyFile="/etc/letsencrypt/live/mydomain.com/privkey.pem"
>>             certificateChainFile="/etc/letsencrypt/live/mydomain.com/chain.pem"
>>         />
>>     </SSLHostConfig>
>> </Connector>
>>
>> vs.
>>
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>            maxThreads="150" enableLookups="false" scheme="https"
>>            secure="true"
>>            keystoreFile="./keys/.keystore" keystorePass="mypass"
>>            clientAuth="false" sslProtocol="TLS" />
>
> If I understand correctly, prior to 8.5, there were two different
> syntaxes: one for SSL implemented by JSSE and one for openssl. The new
> syntax allows you to specify all parameters in one way that both
> implementations recognize.
Correct.

> Moreover, you may have configurations previously not possible, i.e.,
> you may now have many certificates (one RSA, one EC, one DSS) on the
> same connector: the right certificate will be picked up dynamically
> based on the SSL cipher used.

Also correct.

To expand on that a little.

8.0.x supports the following options for TLS connectors:

- BIO with JSSE
- NIO with JSSE
- NIO2 with JSSE
- APR/native with OpenSSL

Each connector was limited to a single certificate. SNI was not supported.

Using a JSSE based connector required you to use a Java keystore to hold the keys and certs. Using an OpenSSL based connector required you to use PEM files to hold the keys and certs.

OpenSSL and JSSE based connectors had different configuration attributes.

In 8.0.x you have to use the second of the two configuration formats (the one without the nested elements).

There was a significant refactoring of TLS support for 8.5.x and further improvements have been added over time.

In 8.5.x onwards the Connector options are:

- NIO with JSSE or OpenSSL
- NIO2 with JSSE or OpenSSL
- APR/Native with OpenSSL

Each connector can be configured with 1 or more Hosts (i.e. SNI support).

Each host can be configured with multiple certificates. (In theory RSA, DSA or ECC. In practice RSA or ECC.) Multiple certs may increase the range of ciphers available (depends on client capabilities).

You can use PEM files or Java keystores with any connector (i.e. they are interchangeable).

The configuration attributes for JSSE and OpenSSL have been aligned where possible. The aim is that you should be able to switch between JSSE and OpenSSL by only changing the attribute that controls the TLS implementation.

The addition of multiple hosts and certs meant a new configuration style (the one with nested elements) was required. You can use the old style and Tomcat will translate it under the covers to a single connector, with a single host with a single certificate.
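A worked server.xml fragment illustrating the 8.5.x-style configuration the reply describes (added here as an example; it is not from the thread or from the Tomcat documentation): one NIO connector with two SNI hosts, the default host carrying both an RSA and an EC certificate from PEM files, the second host loading its certificate from a Java keystore. Hostnames, file paths and the keystore password are placeholders.

```xml
<!-- Added example, not part of the original thread. Hostnames, paths
     and the keystore password are placeholders to be replaced. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           defaultSSLHostConfigName="www.example.com">
  <!-- To switch this connector from JSSE to OpenSSL (tomcat-native
       installed), add the single attribute
       sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
       here; the SSLHostConfig/Certificate attributes below stay the same. -->

  <!-- Default host: used when the client sends no SNI name or an
       unknown one. Two certificates on one host; Tomcat selects RSA or
       EC during the handshake based on the negotiated cipher suite. -->
  <SSLHostConfig hostName="www.example.com"
                 protocols="TLSv1.2+TLSv1.3">
    <Certificate certificateFile="/etc/letsencrypt/live/www.example.com/cert.pem"
                 certificateKeyFile="/etc/letsencrypt/live/www.example.com/privkey.pem"
                 certificateChainFile="/etc/letsencrypt/live/www.example.com/chain.pem"
                 type="RSA" />
    <Certificate certificateFile="/etc/letsencrypt/live/ec.www.example.com/cert.pem"
                 certificateKeyFile="/etc/letsencrypt/live/ec.www.example.com/privkey.pem"
                 certificateChainFile="/etc/letsencrypt/live/ec.www.example.com/chain.pem"
                 type="EC" />
  </SSLHostConfig>

  <!-- Second SNI host on the same connector. Keys and certs come from a
       PKCS12 keystore instead of PEM files: in 8.5.x onwards the two
       sources are interchangeable regardless of the TLS implementation. -->
  <SSLHostConfig hostName="api.example.com"
                 protocols="TLSv1.2+TLSv1.3">
    <Certificate certificateKeystoreFile="conf/api-keystore.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="CHANGE_ME"
                 certificateKeyAlias="api"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

Restricting `protocols` to TLSv1.2 and TLSv1.3 drops the legacy versions; TLSv1.3 needs a Java 11+ JSSE or an OpenSSL 1.1.1+ native library behind the connector.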
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org