On 22/06/2019 22:56, Giuseppe Sacco wrote:
> Hello Richard,
> 
> On Sat, 22/06/2019 at 21.19 +0000, Richard Huntrods
> wrote:
>> Apologies if this is really basic, but I've seen two ways of handling
>> https (SSL) for tomcat and don't understand the differences.
> [...]
>> <Connector port="443"
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> maxThreads="150" SSLEnabled="true">
>>    <SSLHostConfig>
>>      <Certificate
>> certificateFile="/etc/letsencrypt/live/mydomain.com/cert.pem"
>> certificateKeyFile="/etc/letsencrypt/live/mydomain.com/privkey.pem"
>> certificateChainFile="/etc/letsencrypt/live/mydomain.com/chain.pem"
>> />
>>    </SSLHostConfig>
>> </Connector>
>>
>> vs.
>>
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>    maxThreads="150" enableLookups="false" scheme="https"
>> secure="true"
>>    keystoreFile="./keys/.keystore" keystorePass="mypass"
>>    clientAuth="false" sslProtocol="TLS" />
> 
> If I understand correctly, prior to 8.5, there were two different
> syntaxes: one for SSL implemented by JSSE and one for openssl. The new
> syntax allows you to specify all parameters in one way that both
> implementations recognize.

Correct.

> Moreover, you may have configurations previously not possible, i.e.,
> you may now have many certificates (one RSA, one EC, one DSS) on the
> same connector: the right certificate will be picked up dynamically
> based on the SSL cipher used.

Also correct.

To expand on that a little.

8.0.x supports the following options for TLS connectors

BIO with JSSE
NIO with JSSE
NIO2 with JSSE
APR/native with OpenSSL

Each connector was limited to a single certificate. SNI was not supported.

Using a JSSE based connector required you to use a Java keystore to hold
the keys and certs.

Using an OpenSSL based connector required you to use PEM files to hold the
keys and certs.

OpenSSL and JSSE based connectors had different configuration attributes.

In 8.0.x you have to use the second of the two configuration formats
(the one without the nested elements).


There was a significant refactoring of TLS support for 8.5.x and further
improvements have been added over time.

In 8.5.x onwards the Connector options are:

NIO with JSSE or OpenSSL
NIO2 with JSSE or OpenSSL
APR/Native with OpenSSL

Each connector can be configured with 1 or more Hosts (i.e. SNI support).

Each host can be configured with multiple certificates. (In theory RSA,
DSA or ECC. In practice RSA or ECC.) Multiple certs may increase the
range of ciphers available (depends on client capabilities).

You can use PEM files or Java keystores with any connector (i.e. they
are interchangeable).

The configuration attributes for JSSE and OpenSSL have been aligned
where possible.

The aim is that you should be able to switch between JSSE and OpenSSL by
only changing the attribute that controls the TLS implementation.

The addition of multiple hosts and certs meant a new configuration style
(the one with nested elements) was required. You can use the old style
and Tomcat will translate it under the covers to a single connector,
with a single host with a single certificate.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
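A concrete server.xml fragment of the 8.5.x nested style discussed in this thread, added here as an illustration and not taken from the thread or from Tomcat's own documentation; the host names, file paths, keystore password and the explicit choice of the JSSE implementation are assumptions.

```xml
<!-- Added example: one NIO connector, two SNI hosts, RSA + EC certs on the
     default host. Host names, paths and the keystore password are placeholders.
     sslImplementationName is set explicitly so that switching to OpenSSL means
     changing only this one attribute, as the reply above describes. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           maxThreads="150" SSLEnabled="true">

    <!-- Default host: used when the client sends no SNI name or an unknown one.
         Two certificates; Tomcat selects RSA or EC per handshake based on the
         cipher suite the client negotiates. -->
    <SSLHostConfig hostName="_default_" protocols="TLSv1.2+TLSv1.3">
        <Certificate type="RSA"
                     certificateFile="/etc/letsencrypt/live/example.com/cert.pem"
                     certificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
                     certificateChainFile="/etc/letsencrypt/live/example.com/chain.pem" />
        <Certificate type="EC"
                     certificateFile="/etc/letsencrypt/live/example.com-ec/cert.pem"
                     certificateKeyFile="/etc/letsencrypt/live/example.com-ec/privkey.pem"
                     certificateChainFile="/etc/letsencrypt/live/example.com-ec/chain.pem" />
    </SSLHostConfig>

    <!-- Second SNI host on the same port, served from a Java keystore instead of
         PEM files: keystore vs. PEM is chosen per Certificate, not per connector. -->
    <SSLHostConfig hostName="other.example.org" protocols="TLSv1.2+TLSv1.3">
        <Certificate type="RSA"
                     certificateKeystoreFile="conf/other.example.org.jks"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="other" />
    </SSLHostConfig>
</Connector>
```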