On 14/10/2020 10:38, Maarten van den Broek wrote:
> I use tomcat 9.0.33 with windows10 home and amazon corretto jdk1.8.0_212.

<snip/>

> Using the first Connector everything is working fine. Debugging the
> setKeystorePass method of the class
> nl.messagedesign.tomcatlib.EncryptedPassword_Http11Nio2Protocol in the
> protocol attribute shows that the encrypted password gets decrypted.
>
> Using the second connector with the SSLHostConfig element instead of the
> deprecated attributes debugging shows that the setKeystorePass method is
> not called and I get errors for the incorrect password of the keystore.
>
> What am I doing wrong in migrating to the configuration with the
> SSLHostConfig element?

I do wonder a) what risk(s) you are attempting to mitigate with this and b) where that custom connector obtains the necessary pass-phrase to decrypt the supplied value.

I am assuming you have extended the existing Http11Nio2Protocol implementation and over-ridden setKeystorePass() as that won't get called when an SSLHostConfig element is explicitly configured.

Based on the assumptions above, the following approach should work:

- override init()
- iterate over the results of findSslHostConfigs()
- for each SSLHostConfig instance
  - call getCertificateKeystorePassword()
  - decrypt it
  - call setCertificateKeystorePassword()

If you have multiple certificates per host you'll need to iterate over the nested SSLHostConfigCertificate instances rather than use the short-cut methods above that work with the default certificate instance.

Mark
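A sketch of the approach outlined in the reply above, added here as an example; it is not code from the thread, from Mark, or from the original poster's library. It walks the nested SSLHostConfigCertificate instances so that hosts with several certificates are covered. The class name, the `example.keystore.keyfile` system property and the stored format (Base64 of a 12-byte IV followed by AES-GCM ciphertext) are assumptions.

```java
package example.tomcat; // hypothetical package

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.coyote.http11.Http11Nio2Protocol;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

public class DecryptingHttp11Nio2Protocol extends Http11Nio2Protocol {

    @Override
    public void init() throws Exception {
        // Replace each configured value before super.init() loads any keystore.
        for (SSLHostConfig host : findSslHostConfigs()) {
            for (SSLHostConfigCertificate cert : host.getCertificates()) {
                String stored = cert.getCertificateKeystorePassword();
                if (stored != null) { // nothing configured for this certificate
                    cert.setCertificateKeystorePassword(decrypt(stored));
                }
            }
        }
        super.init();
    }

    // Assumed format: Base64( 12-byte IV || AES-GCM ciphertext with 128-bit tag ).
    private static String decrypt(String stored) throws Exception {
        String keyPath = System.getProperty("example.keystore.keyfile"); // hypothetical property
        if (keyPath == null) {
            throw new IllegalStateException("example.keystore.keyfile is not set");
        }
        byte[] key = Files.readAllBytes(Paths.get(keyPath)); // raw 16/24/32-byte AES key
        byte[] blob = Base64.getDecoder().decode(stored);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                new GCMParameterSpec(128, blob, 0, 12));
        byte[] plain = cipher.doFinal(blob, 12, blob.length - 12); // throws if tampered
        Arrays.fill(key, (byte) 0);
        return new String(plain, StandardCharsets.UTF_8);
    }
}
```

The decryption key still has to be readable by the Tomcat process, so this only keeps the keystore password out of a server.xml that is disclosed on its own, which is the point behind questions a) and b) in the reply.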