Hey all, I am sending this email as an FYI, and all feedback is appreciated.
I am working on upgrading the version of tomcat used by Traffic Router from 6.0.33 to 8.5.15. Along with the upgrade I am switching out our TLS implementation from JSSE (java default) to OpenSSL. After a discussion at ApacheCon with one of the leads of the Tomcat project and a follow up on the Tomcat mailing list [1], it looks like we should get about a 35% increase in performance for TLS handshakes. I have not done load testing yet, so what our improvement actually will be is still TBD.

In order to support OpenSSL there are a few new dependencies you will see in Traffic Router. The first is tcnative [2]; tcnative is what gives us OpenSSL support in tomcat/Traffic Router. Without tcnative, tomcat can only use the JSSE provider for TLS. The second is Bouncy Castle [3]; OpenSSL only supports private keys in pkcs8 format while Traffic Ops creates private keys that are in pkcs1 format. Bouncy Castle gives us a java security Provider (BouncyCastleProvider) which can easily convert from PKCS1 to PKCS8. I did quite a bit of research and could not figure out how to easily do this natively, and I did not think it was a good idea to try to convert everything to pkcs8 at this time, so BouncyCastle seemed like a good compromise.

I am planning on making sure tcnative gets installed as part of the Traffic Router deployment, but if you are planning on running Traffic Router locally for development purposes, there will be some new steps to get it to work correctly. I will do my best to thoroughly document these steps as part of my PR. The Bouncy Castle provider will be loaded dynamically by maven.

As mentioned earlier, I am mostly sending this email as an FYI so that you are aware that there are changes being made to Traffic Router which will have an effect on a future deployment. I hope to have these changes completed in the next week or two, with a PR to follow.
If you are interested in trying out the code, doing some initial testing, or just seeing what changes have been made, the code can be found here [4] and changes here [5]. Be forewarned, though, that this is still very much a work in progress. Any feedback is appreciated and questions are always welcomed.

Thanks,
Dave

[1] https://lists.apache.org/thread.html/0f7c6d74cc496968fe869958a29adb19723215f6c135efd4a5fa935b@%3Cusers.tomcat.apache.org%3E
[2] http://tomcat.apache.org/native-doc/
[3] https://www.bouncycastle.org/java.html
[4] https://github.com/dneuman64/incubator-trafficcontrol/tree/tr-upgrade-tomcat
[5] https://github.com/apache/incubator-trafficcontrol/compare/master...dneuman64:tr-upgrade-tomcat?expand=1
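The PKCS#1 to PKCS#8 conversion the email describes, as an added example that is not code from Dave's branch or from Traffic Router: it registers BouncyCastleProvider, reads a PEM private key with Bouncy Castle's PEMParser (accepting either the "RSA PRIVATE KEY" PKCS#1 form that Traffic Ops emits or an already-PKCS#8 "PRIVATE KEY" block), re-encodes it as unencrypted PKCS#8 PEM, and then checks that the plain JDK KeyFactory can load the result without Bouncy Castle, which is what matters for handing the key to tcnative/OpenSSL. The class and method names are mine; it assumes bcprov and bcpkix are on the classpath, and the input key is generated in main() rather than taken from Traffic Ops.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Security;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;

import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.openssl.jcajce.JcaPKCS8Generator;

/** Hypothetical helper (not Traffic Router code): PKCS#1 PEM -> PKCS#8 PEM via Bouncy Castle. */
public class Pkcs1ToPkcs8 {

    static {
        // Register the BC provider so JcaPEMKeyConverter can build key objects.
        Security.addProvider(new BouncyCastleProvider());
    }

    /** Parse a PEM private key, PKCS#1 ("RSA PRIVATE KEY") or unencrypted PKCS#8 ("PRIVATE KEY"). */
    public static PrivateKey readPrivateKey(String pem) throws Exception {
        try (PEMParser parser = new PEMParser(new StringReader(pem))) {
            Object obj = parser.readObject();
            JcaPEMKeyConverter conv = new JcaPEMKeyConverter().setProvider("BC");
            if (obj instanceof PEMKeyPair) {
                // PKCS#1: BC returns a holder for the public/private pair.
                return conv.getKeyPair((PEMKeyPair) obj).getPrivate();
            }
            if (obj instanceof PrivateKeyInfo) {
                // Already PKCS#8; nothing to convert but still normalise through BC.
                return conv.getPrivateKey((PrivateKeyInfo) obj);
            }
            throw new IllegalArgumentException("unsupported or encrypted PEM object: "
                    + (obj == null ? "null" : obj.getClass().getName()));
        }
    }

    /** Write any JCA PrivateKey as an unencrypted PKCS#8 PEM block ("BEGIN PRIVATE KEY"). */
    public static String toPkcs8Pem(PrivateKey key) throws Exception {
        StringWriter sw = new StringWriter();
        try (JcaPEMWriter w = new JcaPEMWriter(sw)) {
            w.writeObject(new JcaPKCS8Generator(key, null)); // null encryptor = plaintext PKCS#8
        }
        return sw.toString();
    }

    /** Check that the JDK alone (no BC) accepts the PKCS#8 output, as OpenSSL-facing code will expect. */
    public static boolean loadsWithJdk(String pkcs8Pem) throws Exception {
        String b64 = pkcs8Pem.replace("-----BEGIN PRIVATE KEY-----", "")
                             .replace("-----END PRIVATE KEY-----", "")
                             .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        PrivateKey k = KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
        return "PKCS#8".equals(k.getFormat());
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a throwaway RSA key written the way Traffic Ops would, in PKCS#1 form.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        StringWriter sw = new StringWriter();
        try (JcaPEMWriter w = new JcaPEMWriter(sw)) {
            w.writeObject(kp.getPrivate()); // BC writes RSA keys as traditional "RSA PRIVATE KEY"
        }
        String pkcs1Pem = sw.toString();
        System.out.println("input header : " + pkcs1Pem.split("\n")[0]);

        PrivateKey parsed = readPrivateKey(pkcs1Pem);
        String pkcs8Pem = toPkcs8Pem(parsed);
        System.out.println("output header: " + pkcs8Pem.split("\n")[0]);

        // Round-trip checks: same key material, and loadable by the stock JDK KeyFactory.
        System.out.println("same DER as original key: "
                + Arrays.equals(kp.getPrivate().getEncoded(), parsed.getEncoded()));
        System.out.println("JDK loads PKCS#8 output : " + loadsWithJdk(pkcs8Pem));
    }
}
```

The parser branch on PrivateKeyInfo is deliberate: once keys are migrated to PKCS#8 later, the same code path keeps working without a format check elsewhere. Encrypted PEM objects are rejected rather than silently decrypted, because an unattended Traffic Router start cannot prompt for a passphrase.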
