We switched from JSSE to the APR and OpenSSL about 6 months ago. We converted all existing keys and certs to the format required by OpenSSL. It was not hard. Some people say it can't be done, but they're wrong. After 6 months with OpenSSL, I say it's easier to use than JSSE. We use not only server-side certs, we also require client certificate authentication and perform certificate revocation checking.
-----Original Message-----
From: users-return-225336-STEVEN.J.ADAMUS=saic....@tomcat.apache.org [mailto:users-return-225336-STEVEN.J.ADAMUS=saic....@tomcat.apache.org] On Behalf Of Pid
Sent: Friday, June 10, 2011 1:37 PM
To: Tomcat Users List
Subject: Re: My web application to use SSL (JSSE - RSA)

On 10/06/2011 21:29, Patrick Flaherty wrote:
> Hi,
>
> Is APR/native Connector dramatically faster than Java Nio Blocking
> Connector or is it marginal ?

APR+SSL is a little faster, if I remember correctly, Chris?

> I'd love faster SSL but all my keys and certs are java based (keytool).
> Will APR ever support Java SSL ?

No.

> I find Java keytool to be reasonably easy to use. Is OpenSSL as easy
> to use ?

Yes.

p

> Thanks for any input.
>
> Pat
>
> On Jun 10, 2011, at 3:59 PM, Christopher Schultz wrote:
>
> Charles,
>
> On 6/10/2011 9:25 AM, Charles Van Damme wrote:
>>>> 10-jun-2011 15:14:11 org.apache.catalina.core.AprLifecycleListener init
>>>> INFO: The APR based Apache Tomcat Native library which allows
>>>> optimal performance in production environments was not found on the
>>>> java.library.path: [...]
>
> FWIW, that's just an INFO message, but if you are going to be using
> SSL, you might want to go ahead and install the APR library: your
> performance will improve measurably. Note that <Connector>
> configuration for an APR connector using SSL is completely different
> if you choose to go this route.
>
> If you are not going to be using APR, you can disable the APR
> lifecycle listener because you aren't using it.
>
>>>> java.security.NoSuchAlgorithmException: RSA SSLContext not
>>>> available
>
> As Pid points out, it's pretty obvious that "RSA" is not a valid
> algorithm in this situation:
>
>>>> at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
>>>> at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
>>>> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:490)
>
> So, it's an SSL configuration problem. Let's look at your SSL
> <Connector>:
>
>>>> <!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 443 -->
>>>> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>            port="443"
>>>>            maxThreads="150" scheme="https" secure="true"
>>>>            SSLEnabled="true"
>>>>            keystoreFile="C:/Documents and Settings/Papa/.keystore"
>>>>            keystorePass="changeit"
>>>>            clientAuth="false" sslProtocol="RSA" />
>
> SO, you have sslProtocol="RSA"... seems like a good place to look. If
> you check the <Connector> documentation, you can see that there are
> only a few recognized protocols you can choose.
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>
> Note that "protocol" refers to the protocol used for SSL, not for any
> specific cipher, key exchange strategy, etc. Unfortunately, the Tomcat
> documentation does not list all the available protocols, nor should it:
> the protocols available to you are determined by JVM support.
>
> The Javadoc for javax.net.ssl.SSLContext.getInstance has a pointer to
> documentation for "standard names" (which takes you through several
> hops to) here:
> http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#SSLContext
>
> Those are the valid ssl protocol names you can choose.
>
> If you want to use only ciphers that use the RSA algorithm (which is
> really limiting, IMO), you can look up their names here (after
> scrolling a bit downward):
>
> http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#jssenames
>
> Just look for stuff like SSL_DH_DSS_blah_blah_blah.
>
> Of course, support for a certain algorithm might not be available in
> your environment. It's best to find out what your JVM supports and use
> that.
>
> I wrote a short bit of code a while back to determine the supported
> algorithms and the default cipher suite for an SSLSocketFactory. I'll
> try to dig it up and post it.
>
>>>> <!-- Define an AJP 1.3 Connector on port 8009 -->
>>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>
> If you aren't using AJP, then disable the extra connector.
>
>>>> Hoping you are not overwhelmed. Anything else ?
>
> You had other errors in the log file. After you get SSL working
> properly, stop Tomcat, delete all your logs and re-launch it. Anything
> that looks like an error should be investigated and fixed.
>
> Feel free to come back to the list for help on those additional issues:
> just remember to start a new thread if you do.
>
> -chris
>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>
> Patrick Flaherty
> Rampage Systems Inc.
> 411 Waverley Oaks Rd.
> Suite 138
> Waltham, MA. 02452-8405
> 781-891-9400 x239
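Chris mentions a snippet that enumerates what the JVM supports; the class below is an added example in that spirit, not Chris's code and not part of Tomcat. It lists the SSLContext algorithm names this JVM accepts (the only legal values for sslProtocol, which is why "RSA" fails in JSSESocketFactory.createSSLContext) and the default and RSA-based cipher suites of the default SSLSocketFactory; the class name JsseCapabilities and the "_RSA_" name filter are my own choices.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

// Added example: shows what sslProtocol= and ciphers= may legally contain
// for a JSSE <Connector> on this JVM. Java 6 compatible on purpose.
public class JsseCapabilities {

    // Every SSLContext algorithm registered by the installed providers.
    // These names (TLS, SSLv3, TLSv1, ...) are the valid sslProtocol values.
    static TreeSet<String> sslContextProtocols() {
        TreeSet<String> names = new TreeSet<String>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SSLContext".equals(s.getType())) {
                    names.add(s.getAlgorithm());
                }
            }
        }
        return names;
    }

    // Same call Tomcat makes when building the connector's SSLContext;
    // "RSA" is a key/cipher algorithm, not a protocol, so this returns false.
    static boolean isValidSslProtocol(String name) {
        try {
            SSLContext.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("SSLContext protocols: " + sslContextProtocols());
        System.out.println("\"RSA\" usable as sslProtocol? " + isValidSslProtocol("RSA"));
        System.out.println("\"TLS\" usable as sslProtocol? " + isValidSslProtocol("TLS"));

        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        System.out.println("Default cipher suites:");
        for (String c : f.getDefaultCipherSuites()) System.out.println("  " + c);
        // Suites whose names carry "_RSA_" use RSA for key exchange or
        // authentication; candidates for a ciphers= attribute if RSA-only is wanted.
        System.out.println("Supported suites with RSA in the name:");
        for (String c : f.getSupportedCipherSuites())
            if (c.contains("_RSA_")) System.out.println("  " + c);
    }
}
```

Only names that appear in the first list are accepted by sslProtocol; the cipher suite names are what the ciphers= attribute expects.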