Jon,
I extracted a part of my test-server.xml. This for the JSSE Implementation.
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
allowTrace="false"
maxThreads="150"
SSLEnabled="true"
compression="off"
scheme="https"
server="Apache Tomcat"
secure="true"
defaultSSLHostConfigName="name1.mydomain.com" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
compression="on" />
<SSLHostConfig
hostName="name2.mydomain.com"
honorCipherOrder="true"
protocols="TLSv1.2+TLSv1.3"
ciphers="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
<Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/name2.p12"
certificateKeystorePassword="changeit"
certificateKeyAlias="name2"
type="RSA" />
</SSLHostConfig>
<SSLHostConfig
hostName="name1.mydomain.com"
honorCipherOrder="true"
protocols="TLSv1.2+TLSv1.3"
ciphers="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
<Certificate
certificateKeystoreFile="${catalina.base}/conf/ssl/name1_ecc.p12"
certificateKeystorePassword="changeit"
certificateKeyAlias="name1_ecc"
type="EC" />
<Certificate
certificateKeystoreFile="${catalina.base}/conf/ssl/name1_rsa.p12"
certificateKeystorePassword="changeit"
certificateKeyAlias="name1"
type="RSA" />
</SSLHostConfig>
</Connector>
If you have separate crt and key files in pem-format the Certificate-section
looks like this:
<Certificate certificateKeyFile="${catalina.base}/conf/ssl/name2.key"
certificateFile="${catalina.base}/conf/ssl/name2.crt"
certificateChainFile="${catalina.base}/conf/ssl/chain.pem"
type="RSA" />
We could start from there - I have no "old style" config to match against.
Peter
> Am 11.08.2022 um 23:10 schrieb jonmcalexan...@wellsfargo.com.invalid
> <jonmcalexan...@wellsfargo.com.INVALID>:
>
> Peter,
>
> Yes, that WOULD be a good thing. That and some examples of implementing the
> new COOL stuff like configure TLS virtual hosting with SNI, would be very
> helpful.
>
>
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexan...@wellsfargo.com
> This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you for
> your cooperation.
>
>
>> -----Original Message-----
>> From: Peter Kreuser <l...@kreuser.name>
>> Sent: Thursday, August 11, 2022 4:00 PM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: Simple SSL question
>>
>>
>> Jon and Chris,
>>
>>
>>> Am 11.08.2022 um 19:33 schrieb Christopher Schultz
>> <ch...@christopherschultz.net>:
>>>
>>> Jon,
>>>
>>>> On 8/11/22 12:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
>>>> I was just wondering if there was a vanity name for the "new" structure is
>> all, to differentiate in documentation.
>>>
>>> *shrug*
>>>
>>> "New"?
>>>
>>> That kind of loses its lustre after a while. Today, that's just "the way
>>> you do
>> it". So the "new" way is The Way and the old way is ... the Old Way.
>>>
>>> Use SSLHostConfig. I'm sure you'll sleep better at night after you've
>> switched.
>>>
>>> -chris
>>>
>>>>> -----Original Message-----
>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>>> Sent: Thursday, August 11, 2022 11:29 AM
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: Simple SSL question
>>>>>
>>>>> Jon,
>>>>>
>>>>> On 8/11/22 11:22, jonmcalexan...@wellsfargo.com.INVALID wrote:
>>>>>> Is there a "name" for the new connector style? The old is known as
>>>>>> the Coyote Connector.
>>>>> Coyote is just the name of the connector itself, for whatever reason.
>>>>> Both the new and old-style configuration is using the same connector
>>>>> underneath. When you configure everything on the <Connector>,
>> Tomcat
>>>>> still creates an SSLHostConfig object under the covers and fills it
>>>>> with that same data.
>>>>>
>>>>> Why should you bother migrating? Two reasons:
>>>>>
>>>>> 1. The new configuration is easier to read IMO. It separates the TLS
>>>>> host/key/certificate and all that associated stuff from the more
>>>>> basic socket- type stuff for the <Connector>
>>>>>
>>>>> 2. It allows for more options such as proper name-based
>>>>> virtual-hosting with TLS. It also allows multiple types of keys and
>>>>> certificates to be used. For example, you can configure both RSA and EC
>> certificates for a single host.
>>>>> That's just not possible with the one-attribute-to-rule-them-all
>>>>> configuration where everything is on the <Connector> element.
>>>>>
>>
>> I have tried all the fancy new cert options and they are cool.
>>
>> And I do agree that it's more readable.
>>
>> What would be useful would be one sample how to transfer a simple "old"
>> config to SSLHostConfig.
>> That would take away the fear to get going. In another thread I said, that it
>> may be a lot of work to migrate a lot of tomcat instances. But I guess most
>> people would only need a single SSLHostConfig to add to their one
>> connector...
>>
>> Peter
>>>>> -chris
>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Mark Thomas <ma...@apache.org>
>>>>>>> Sent: Wednesday, August 10, 2022 2:43 PM
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: Simple SSL question
>>>>>>>
>>>>>>> On 10/08/2022 19:22, jonmcalexan...@wellsfargo.com.INVALID
>> wrote:
>>>>>>>> Ok, I'm asking a rather simple, stupid (in my opinion) question,
>>>>>>>> but here
>>>>>>> goes:
>>>>>>>>
>>>>>>>> What is the best practice form of connector for SSL. Is it the
>>>>>>>> old-school
>>>>>>> coyote connector or the connector with the <SSLHostConfig...>
>> section?
>>>>>>>
>>>>>>> <SSLHostConfig...>
>>>>>>>
>>>>>>> The old style isn't supported in Tomcat 10.0.x onwards.
>>>>>>>
>>>>>>>> Are the two interchangeable, or does the SSLHostConfig one rely
>>>>>>>> on
>>>>>>> openssl and won't work without it? The documentation is confusing
>>>>>>> me on a hump day afternoon.
>>>>>>>
>>>>>>> They are interchangeable. However, if you want to configure TLS
>>>>>>> virtual hosting with SNI you'll need to use SSLHostConfig.
>>>>>>>
>>>>>>> Both approaches can be used with JSSE and OpenSSL based TLS
>>>>>>> implementations.
>>>>>>>
>>>>>>> Mark
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior
>>>>>>>> Infrastructure Engineer Asst. Vice President He/His
>>>>>>>>
>>>>>>>> Middleware Product Engineering
>>>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>>>>
>>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>>>>> MAC: F4469-010
>>>>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>
>> jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo.com>
>>>>>>>> This message may contain confidential and/or privileged
>> information.
>>>>>>>> If you
>>>>>>> are not the addressee or authorized to receive this for the
>>>>>>> addressee, you must not use, copy, disclose, or take any action
>>>>>>> based on this message or any information herein. If you have
>>>>>>> received this message in error, please advise the sender
>>>>>>> immediately by reply e-mail and delete this message. Thank you for
>> your cooperation.
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------
>>>>>>> --- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>>>
>>>>>>
>>>>>> -------------------------------------------------------------------
>>>>>> -- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>>>
>>>>>
>>>>> --------------------------------------------------------------------
>>>>> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
