Re: SSL connectors

2017-12-05 Thread George S.



On 12/1/2017 8:44 AM, Mark Thomas wrote:

On 01/12/17 14:57, Chris Cheshire wrote:

I see in the changelog for 8.5.24

60762: Add the ability to make changes to the TLS configuration of a
connector at runtime without having to restart the Connector. (markt)


What strikes me as odd is that SSL Certificates are still coupled to 
connectors. It seems like certificates should be coupled to Hosts since 
that's what SNI does. SNI removes the coupling between an IP and a 
virtual host name.


Pre-SNI, there was a logical reason to associate a certificate with a 
connector. The fact that you could only have one certificate on one IP, 
made the one-to-one correlation obvious. Now, with SNI, you can have 
many SSL Certificates with one IP. However, Tomcat's continuation of 
associating the SSL Certificate with the Connector, rather than the 
virtual host it's associated with is cumbersome because now when I 
configure a virtual host with an SSL certificate, I not only have to 
configure the host, but also the connector. As a database person, I try 
to follow the rule that the attributes should follow the entity. In this 
case, the attributes (SSLHostConfig) are facts about the virtual host, 
and not about the Connector (entity).


I'd like to see the Connector iterate over the virtual hosts and pick up 
the SSLHostConfig from there. Perhaps the SSLHostConfig should have an 
optional attribute "ConnectorName" to identify which Connector (assuming 
there are multiple) the SSLHostConfig should bind to for the case of 
multi-homed machines. The "ConnectorName" attribute would be used in 
multi-homed hosts to specify which (of several) connectors the 
SSLHostConfig should bind to.


Since I'm on wish lists, I wish that the Host XML snippet could be 
specified via a file in $CATALINA_BASE/conf/EngineName/Virtual.Host.Name 
via a magic name like _HOST.xml, or the like. I run anywhere from 
600-2000 virtual hosts on a machine, and my current "work-around" is to 
use the inclusion hack to bring in an external file with the defined 
virtual hosts.





Does this mean we can now update SSL certificates without bouncing the
connector?

Yes, via one of the following methods on the endpoint:

reloadSslHostConfig(String hostName)
reloadSslHostConfigs()

If accessing this via JMX, they appear as operations on the ThreadPool
objects.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



--
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com


How to get the AbstractEndpoint from Tomcat with tomcat-embed

2017-12-05 Thread Jesse Schulman
Now that 8.5.24 is released with new support for runtime SNI/SSLHostConfig
changes (thank you Mark!) I am trying to access the AbstractEndpoint from
our application to call these 2 new methods:

public void addSslHostConfig(SSLHostConfig sslHostConfig, boolean
replace)

public SSLHostConfig removeSslHostConfig(String hostName)

We have an instance of the Tomcat class from which we can do
getConnector(), and that Connector can provide us with the
ProtocolHandler.  With ProtocolHandler we could safely cast to
AbstractProtocol but from there the getEndpoint method is protected.

Is there a supported way to access the AbstractEndpoint via public methods
if I only have the Tomcat/Connector instances available?

Or maybe this is possible to do with JMX?  If so I would need access to the
AbstractEndpoint directly so I can pass it my SSLHostConfig objects.

Thanks!
Jesse
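The JMX route that Mark describes above (reloadSslHostConfig(String) and reloadSslHostConfigs() appearing as operations on the ThreadPool MBeans) and that Jesse asks about can be driven from a plain JMX client. The class below is an added illustration written for this thread, not code from the list posts or from Tomcat itself. It assumes Tomcat's usual `type=ThreadPool` MBean naming (the domain is left as a wildcard because embedded Tomcat registers under "Tomcat" rather than "Catalina"); the JMX service URL and the host name are placeholders. It only reloads SNI hosts that are already configured, which is what the two reload operations do; the thread does not say that addSslHostConfig/removeSslHostConfig are reachable this way.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Invokes the reloadSslHostConfig(s) operations that Tomcat 8.5.24 exposes on
 * its endpoints through JMX, so renewed certificate files are picked up without
 * restarting the Connector. Only javax.management is used, so this compiles
 * without Tomcat on the classpath.
 */
public class ReloadTlsViaJmx {

    /**
     * Assumption: Tomcat registers each endpoint as an MBean of type "ThreadPool",
     * e.g. Catalina:type=ThreadPool,name="https-jsse-nio-8443". The domain is a
     * wildcard because embedded Tomcat defaults to the "Tomcat" domain.
     */
    private static final String ALL_THREAD_POOLS = "*:type=ThreadPool,*";

    /** Reload every SSLHostConfig on every endpoint; returns the MBeans that succeeded. */
    public static List<String> reloadAll(MBeanServerConnection mbs) throws Exception {
        return invokeOnPools(mbs, "reloadSslHostConfigs", new Object[0], new String[0]);
    }

    /** Reload one SNI host name (e.g. "www.example.com", a placeholder) on every endpoint. */
    public static List<String> reloadHost(MBeanServerConnection mbs, String hostName)
            throws Exception {
        return invokeOnPools(mbs, "reloadSslHostConfig",
                new Object[] { hostName }, new String[] { String.class.getName() });
    }

    private static List<String> invokeOnPools(MBeanServerConnection mbs, String operation,
            Object[] params, String[] signature) throws Exception {
        Set<ObjectName> pools = mbs.queryNames(new ObjectName(ALL_THREAD_POOLS), null);
        List<String> reloaded = new ArrayList<>();
        for (ObjectName pool : pools) {
            try {
                mbs.invoke(pool, operation, params, signature);
                reloaded.add(pool.getCanonicalName());
            } catch (Exception e) {
                // An unknown host name is rejected by the endpoint; report it and
                // keep going so the other connectors are still reloaded.
                System.err.println("skipped " + pool + ": " + e);
            }
        }
        return reloaded;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            // In-process (a web application or embedded Tomcat): the platform
            // MBean server is the one Tomcat registers its MBeans with.
            System.out.println("reloaded: "
                    + reloadAll(ManagementFactory.getPlatformMBeanServer()));
        } else {
            // Remote: args[0] is a JMX service URL such as
            // service:jmx:rmi:///jndi/rmi://127.0.0.1:9010/jmxrmi (placeholder port).
            // This is an administrative operation, so the remote JMX port should
            // require authentication and TLS (the JDK's com.sun.management.jmxremote.*
            // properties control that).
            JMXServiceURL url = new JMXServiceURL(args[0]);
            try (JMXConnector connector = JMXConnectorFactory.connect(url)) {
                System.out.println("reloaded: "
                        + reloadAll(connector.getMBeanServerConnection()));
            }
        }
    }
}
```

Running it without arguments from inside the JVM hosting Tomcat reloads every connector's TLS configuration from the certificate files already referenced in its SSLHostConfig; `reloadHost` limits that to one SNI host name. Connectors that are found but reject the operation are listed on stderr rather than aborting the whole reload.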


re: Comments on my first 'SSL for Tomcat' write-up

2017-12-05 Thread Don Flinn
Chris Schultz and Mark Thomas,

I started a new thread as the old one was getting too long and getting off
subject.
Chris Schultz wrote -



Re: Are Symbol files of Tomcat DLLs publicly available?

2017-12-05 Thread Mark Thomas
On 05/12/17 06:47, Suvendu Sekhar Mondal wrote:
> On Tue, Dec 5, 2017 at 1:28 AM, Mark Thomas  wrote:
>> On 04/12/17 11:12, Suvendu Sekhar Mondal wrote:
>>> Hello Everyone,
>>>
>>> I am investigating a Tomcat crash. Actually, JRE crashed due to
>>> "access violation" error. It created a Windows memory dump file. I am
>>> trying to analyze it with WinDbg. Problem I am facing is that lots of
>>> Symbols (of tomcat7, jvm, java, tcnative-1, nio DLLs) are not
>>> available to me. As a result WinDbg is giving me a Stack filled up
>>> with DLL names and HEX values.
>>>
>>> In order to get some of them - mostly JRE related, I have already
>>> reached out to Java forum:
>>> https://community.oracle.com/thread/4102753. No response so far :(.
>>>
>>> Can someone please tell me how can I get Symbol files of Tomcat DLLs
>>> like tomcat7 and tcnative-1? Are they publicly available?
>>
>> Exactly which versions do you need?
> 
> Sorry, Mark. I should have provided that information upfront. I am using:
> 
> Tomcat 7.0.55
> JRE version: Java(TM) SE Runtime Environment (8.0_92-b14) (build 1.8.0_92-b14)
> OS version: Windows Server 2012 R2
> 
>> I produced the binaries for the most recent of those and I probably
>> still have the necessary files sat on a VM if they are recent(ish).
>>
>> Mark
> 
> Yeah, I know it's not that recent. Still, if you have it please let me know.

Those versions don't help. I need to know the exact version of
tomcat7.exe and the tcnative-1.dll.

Mark



> 
> We tried to create PDB files for Java specific DLLs from OpenJDK, but
> as you can see below, WinDbg rejected it.
> 
> * Symbol Loading Error Summary **
> Module name    Error
> tomcat7        No header information available :
>                srv*c:\mss*http://msdl.microsoft.com/download/symbols
> jvm            Signature does not match :
>                srv*c:\mss*http://msdl.microsoft.com/download/symbols
> tcnative-1     No header information available :
>                srv*c:\mss*http://msdl.microsoft.com/download/symbols
> 
> 
> Thanks!
> Suvendu
> 





Re: Are Symbol files of Tomcat DLLs publicly available?

2017-12-05 Thread Konstantin Kolinko
2017-12-05 9:47 GMT+03:00 Suvendu Sekhar Mondal :
> On Tue, Dec 5, 2017 at 1:28 AM, Mark Thomas  wrote:
>> On 04/12/17 11:12, Suvendu Sekhar Mondal wrote:
>>> Hello Everyone,
>>>
>>> I am investigating a Tomcat crash. Actually, JRE crashed due to
>>> "access violation" error. It created a Windows memory dump file. I am
>>> trying to analyze it with WinDbg. Problem I am facing is that lots of
>>> Symbols (of tomcat7, jvm, java, tcnative-1, nio DLLs) are not
>>> available to me. As a result WinDbg is giving me a Stack filled up
>>> with DLL names and HEX values.
>>>
>>> In order to get some of them - mostly JRE related, I have already
>>> reached out to Java forum:
>>> https://community.oracle.com/thread/4102753. No response so far :(.
>>>
>>> Can someone please tell me how can I get Symbol files of Tomcat DLLs
>>> like tomcat7 and tcnative-1? Are they publicly available?
>>
>> Exactly which versions do you need?
>
> Sorry, Mark. I should have provided that information upfront. I am using:
>
> Tomcat 7.0.55
> JRE version: Java(TM) SE Runtime Environment (8.0_92-b14) (build 1.8.0_92-b14)
> OS version: Windows Server 2012 R2
>

Is it worth debugging a version that is more than 3 years old? A lot
has been fixed since then.


tcnative-1.dll is the Tomcat Native library.
It can be downloaded here:
https://tomcat.apache.org/download-native.cgi

The tomcat-native-1.2.16-win32-bin.zip file has *.pdb files in it.

Tomcat 7.0.55 was shipped with Tomcat Native 1.1.31. Those binaries
can be downloaded from an archive website. I do not know whether they
contain debug symbols or not.


tomcat7.exe, tomcat7w.exe are renamed Prunsrv.exe and Prunmgr.exe from
http://commons.apache.org/proper/commons-daemon/procrun.html

http://commons.apache.org/proper/commons-daemon/download_daemon.cgi
-> Browse native binaries download area... -> windows/
There are no debug symbol files in the current version
(commons-daemon-1.1.0-bin-windows.zip).

Best regards,
Konstantin Kolinko
