On 01/12/2016 22:17, Jim Weill wrote:
> sslEnabledProtocols is now just protocols for one thing. And you have to
> put your certificate stuff in an <SSLHostConfig> sub-section to the
> connector now.

That should not be necessary. Tomcat should handle the conversion for
you under the hood.

I've tested this with a JKS store but not a pkcs12 store. Let me see if
there is something extra we need to do in the pkcs12 case.

Mark


>  Here's how ours had to be reconfigured (on 8443 instead
> of 443) using NIO and JSSE:
> 
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
> SSLEnabled="true" protocols="TLSv1.2">
>         <SSLHostConfig>
>                     <Certificate certificateFile="path-to-cert-file"
> certificateKeyFile="path-to-cert-keyfile" />
>         </SSLHostConfig>
> </Connector>
> 
> Hope this helps.  The parts that are relevant to your certificate are in
> the section here:
> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig
> but scroll up slightly to get the instructions on how to use this
> subsection.
> 
> jim
> 
> On 12/1/2016 1:26 PM, Bartlett, Todd wrote:
>> Thanks for your reply, unfortunately I know very little about Tomcat
>> beyond the server.xml config below.
>> What are "hooks" and/or what's been deprecated related to the below, or
>> is there a new example config for using a .pfx Keystorefile?
>>
>> <Connector port="443"
>> protocol="HTTP/1.1"
>> SSLEnabled="true"
>> maxThreads="150"
>> scheme="https"
>> secure="true"
>> keystoreFile="C:\xxxx.pfx"
>> keystorePass="xxxx"
>> keystoreType="pkcs12"
>> clientAuth="false"
>> sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" ciphers="..." />
>>
>> -----Original Message-----
>> From: Jim Weill [mailto:moon...@icsi.berkeley.edu]
>> Sent: Thursday, December 01, 2016 2:38 PM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: Unable to get SSL working on Tomcat 8.5
>>
>> Are you using the 8.5 reference?
>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>>
>> When we updated to 8.5, we also found things changed with the
>> connector for SSL.  The above page is the current guide, and you'll
>> notice several of the hooks have been deprecated since 6.0
>>
>> jim
>>
>> On 12/1/2016 11:28 AM, Bartlett, Todd wrote:
>>> Thanks for replying, some more information.
>>>
>>> Tomcat 8.0 works fine with this configuration (I've tested both
>>> installs on same server, same .pfx) (note no other changes anywhere,
>>> just a fresh install and modifying the server.xml) We have been using
>>> this config since 6.0 through 8.0.
>>>
>>> Something changed in 8.5, it does not seem to recognize or load the
>>> .pfx file anymore.
>>>
>>> Thanks
>>>
>>> Todd
>>>
>>> -----Original Message-----
>>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>>> Sent: Wednesday, November 30, 2016 8:52 PM
>>> To: Tomcat Users List <users@tomcat.apache.org>
>>> Subject: Re: Unable to get SSL working on Tomcat 8.5
>>>
> Todd,
> 
> On 11/29/16 4:41 PM, Bartlett, Todd wrote:
>>>>> The below settings work fine on 6.0 version (no other changes I'm
>>>>> aware
>>>>> of)  Error received Failed to initialize component
>>>>> [Connector[HTTP/1.1-443
> What's the rest of the error message?
> 
>>>>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>>>> maxThreads="150" scheme="https" secure="true"
>>>>> keystoreFile="C:\xxxx.pfx" keystorePass="xxxx"
>>>>> keystoreType="pkcs12" clientAuth="false"
>>>>> sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" ciphers="..." />
> Looks okay so far. You need to post more information.
> 
> -chris
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
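
For reference, the keystore-based connector quoted in this thread, written in the explicit Tomcat 8.5 <SSLHostConfig> form. This is an added example, not part of the original thread and not Tomcat's shipped configuration: attribute names are those of the 8.5 configuration reference linked above, the path and password are the thread's placeholders, and both the NIO protocol class and the TLSv1.2-only setting follow Jim's connector.

```xml
<!-- Added example: the PKCS12 connector from the thread in explicit
     Tomcat 8.5 form. Path and password are the thread's placeholders. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true">
    <!-- TLS settings that sat on the Connector in 8.0 move here:
         sslEnabledProtocols becomes protocols
         clientAuth="false" becomes certificateVerification="none"
         ciphers keeps its name (value elided in the thread, so omitted) -->
    <SSLHostConfig protocols="TLSv1.2"
                   certificateVerification="none">
        <!-- keystoreFile, keystorePass and keystoreType become the
             certificateKeystore attributes of the Certificate element -->
        <Certificate certificateKeystoreFile="C:\xxxx.pfx"
                     certificateKeystorePassword="xxxx"
                     certificateKeystoreType="PKCS12" />
    </SSLHostConfig>
</Connector>
```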

