Andrea,

Please keep discussions on the mailing list.

On 8/26/2010 5:19 PM, Andrea Freire wrote:
> I pass you my configuration, go ahead

It looks like you have not configured Apache httpd for SSL. Did you want
to have SSL terminate at Apache httpd or at Tomcat?
> <Connector className="org.apache.tomcat.service.PoolTcpConnector">
> <Parameter name="handler"
> value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
> <Parameter name="port" value="6443"/>
> <Parameter name="socketFactory"
> value="org.apache.tomcat.net.SSLSocketFactory"/>
> <Parameter name="keystore" value="/root/.keystore" />
> <Parameter name="keypass" value="my_key_forsecurityreasonsInotputit"/>
> <Parameter name="clientAuth" value="false"/>
> </Connector>
That's a weird <Connector> configuration. Where did you get this example?

I note you're trying to use a keystore in /root/.keystore... it's
generally not a good idea to run Tomcat as root, and it's generally not
a good idea to allow /root to be world-readable. From the above
configuration, I suspect you are running Tomcat as root: seriously
consider running Tomcat as a non-privileged user.

There's a perfectly good SSL connector configuration listed already in
server.xml (though it's commented-out):
> <!-- Define a SSL HTTP/1.1 Connector on port 8443
> This connector uses the JSSE configuration, when using APR, the
> connector should be using the OpenSSL style configuration
> described in the APR documentation -->
> <!--
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS" />
> -->
You just need to uncomment this and add the following attributes:

  keystoreFile (note that your attribute was "keystore",
                not "keystorefile")
  keystorePass

Please see http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html for
reference.
-chris
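
Added example (not part of the original message, and not Tomcat project code): a small Python check of a server.xml for the connector problems pointed out in this reply. The sample XML, its keystore paths and the PLACEHOLDER passwords are constructed, and lint_connectors is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one connector in the nested <Parameter> style quoted in
# the thread, one in the Tomcat 6 attribute style. Paths/passwords are placeholders.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector className="org.apache.tomcat.service.PoolTcpConnector">
      <Parameter name="port" value="6443"/>
      <Parameter name="keystore" value="/root/.keystore"/>
      <Parameter name="keypass" value="PLACEHOLDER"/>
    </Connector>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="/opt/tomcat/conf/keystore.jks"
               keystorePass="PLACEHOLDER"/>
  </Service>
</Server>
"""

def lint_connectors(server_xml):
    """Return (port, finding) tuples for every <Connector> in server.xml text."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Settings given as nested <Parameter name= value=> children, if any.
        params = {p.get("name"): p.get("value") for p in conn.findall("Parameter")}
        port = conn.get("port") or params.get("port", "?")
        if params:
            findings.append((port, "settings are nested <Parameter> elements, not Connector attributes"))
        if "keystore" in params or conn.get("keystore") is not None:
            findings.append((port, "'keystore' is not the attribute name; use keystoreFile"))
        ssl_enabled = conn.get("SSLEnabled", "").lower() == "true"
        for attr in ("keystoreFile", "keystorePass"):
            if ssl_enabled and conn.get(attr) is None:
                findings.append((port, "SSLEnabled connector has no " + attr))
        path = conn.get("keystoreFile") or params.get("keystore") or ""
        if path.startswith("/root/"):
            findings.append((port, "keystore under /root: Tomcat runs as root or /root is readable by others"))
    return findings

if __name__ == "__main__":
    for port, finding in lint_connectors(SAMPLE_SERVER_XML):
        print("port %s: %s" % (port, finding))
```

Run it against the text of your own server.xml; a connector that reports nothing has keystoreFile and keystorePass set as attributes and a keystore outside /root.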