Re: Configuring TLS JSSE vs OpenSSL

2022-01-19 Thread Ivano Luberti

Christopher,

On 19/01/2022 20:32, Christopher Schultz wrote:

Ivano,

On 1/19/22 10:58, Ivano Luberti wrote:

Mark, Christopher


On 19/01/2022 15:31, Christopher Schultz wrote:

Mark,

On 1/19/22 05:00, Mark Thomas wrote:

On 18/01/2022 23:16, Christopher Schultz wrote:

All,

There are a bunch of parameters in SSLHostConfig which are 
documented[1] to be "OpenSSL Only" and "JSSE only". I thought we 
made it so either configuration could be used with either 
underlying crypto engine. Is that not true? Or is it only true if 
you are using JSSE with OpenSSL as the JSSE-provider??


You can configure TLS using JSSE style configuration or OpenSSL 
style configuration. That configuration style choice is independent 
of implementation.


So you can have any of:
- JSSE style config with NIO(2)+JSSE
- JSSE style config with NIO(2)+OpenSSL
- JSSE style config with APR/Native
- OpenSSL style config with NIO(2)+JSSE
- OpenSSL style config with NIO(2)+OpenSSL
- OpenSSL style config with APR/Native

What you can't do is mix JSSE configuration with OpenSSL 
configuration. You have to pick a single configuration style.


To slightly complicate things, some configuration settings work 
with JSSE or OpenSSL. What that means is that if you use a "JSSE only" 
setting then you can't also use an "OpenSSL only" setting (and vice 
versa).


Thanks.

How can we adjust the documentation to make it clear that you can 
choose either style of configuration, but that you have to be 
consistent?


Maybe two separate sections of the documentation with an 
introduction saying "there are two styles of config: pick one" and 
then remove the "JSSE Only" or "OpenSSL Only" notes on each?


-chris


I was greatly misled by that documentation when I had to study and 
apply it, so I agree it should be modified.


But it would make even more sense to me, if it is only a matter of 
style, that one of the two styles is removed: we are talking about 
configuration, not poetry: I cannot see any usefulness in having more 
than one way to express the same configuration.


We can't remove configuration elements from a release in the way you 
describe. Perhaps in 10.1 as it's still in alpha-phase.


I understand your point and the rest of the reasoning.

But at least the documentation should describe the situation as you do in 
this mail, so as to better orient the reader.



--

Archimede Informatica processes personal data in accordance with
Regulation (EU) 2016/679 (GDPR) and Legislative Decree no. 196 of 30 June 
2003, as amended by Legislative Decree no. 101 of 10 August 2018.
Full privacy notice 



dott. Ivano Mario Luberti

Archimede Informatica società cooperativa a r. l.
Via Gereschi 36, 56127 Pisa

tel.: +39 050/580959 | fax: +39 050/8932061

web: www.archicoop.it
linkedin: www.linkedin.com/in/ivanoluberti
facebook: www.facebook.com/archimedeinformaticapisa/


Re: Configuring TLS JSSE vs OpenSSL

2022-01-19 Thread Christopher Schultz

Ivano,

On 1/19/22 10:58, Ivano Luberti wrote:

Mark, Christopher


On 19/01/2022 15:31, Christopher Schultz wrote:

Mark,

On 1/19/22 05:00, Mark Thomas wrote:

On 18/01/2022 23:16, Christopher Schultz wrote:

All,

There are a bunch of parameters in SSLHostConfig which are 
documented[1] to be "OpenSSL Only" and "JSSE only". I thought we 
made it so either configuration could be used with either underlying 
crypto engine. Is that not true? Or is it only true if you are using 
JSSE with OpenSSL as the JSSE-provider??


You can configure TLS using JSSE style configuration or OpenSSL style 
configuration. That configuration style choice is independent of 
implementation.


So you can have any of:
- JSSE style config with NIO(2)+JSSE
- JSSE style config with NIO(2)+OpenSSL
- JSSE style config with APR/Native
- OpenSSL style config with NIO(2)+JSSE
- OpenSSL style config with NIO(2)+OpenSSL
- OpenSSL style config with APR/Native

What you can't do is mix JSSE configuration with OpenSSL 
configuration. You have to pick a single configuration style.


To slightly complicate things, some configuration settings work with 
JSSE or OpenSSL. What that means is that if you use a "JSSE only" setting 
then you can't also use an "OpenSSL only" setting (and vice versa).


Thanks.

How can we adjust the documentation to make it clear that you can 
choose either style of configuration, but that you have to be consistent?


Maybe two separate sections of the documentation with an introduction 
saying "there are two styles of config: pick one" and then remove the 
"JSSE Only" or "OpenSSL Only" notes on each?


-chris


I was greatly misled by that documentation when I had to study and apply 
it, so I agree it should be modified.


But it would make even more sense to me, if it is only a matter of style, 
that one of the two styles is removed: we are talking about 
configuration, not poetry: I cannot see any usefulness in having more 
than one way to express the same configuration.


We can't remove configuration elements from a release in the way you 
describe. Perhaps in 10.1 as it's still in alpha-phase.


All of this evolved to the present over a long period of time, and it 
used to be that only one set of configuration options would work for 
either APR+OpenSSL or BIO/NIO+JSSE. That's now changed and we are more 
flexible but there are a few things that would require some care to remove:


certificateFile/certificateKeyFile/etc vs certificateKeystore/etc

There are things in a keystore that don't make sense for the other type 
of configuration. Like "alias". PEM files don't have aliases.


But we have to take care to merge / remove things in a way that makes 
the most sense. For example, would it be okay to use a Java keystore 
(e.g. PKCS12 file) for the certificateFile and/or certificateKeyFile? 
We'd have to put extra logic in Tomcat to determine what type of file 
you are trying to open.


I'm just saying it's not 100% clear what to do in all cases.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Configuring TLS JSSE vs OpenSSL

2022-01-19 Thread Ivano Luberti

Mark, Christopher


On 19/01/2022 15:31, Christopher Schultz wrote:

Mark,

On 1/19/22 05:00, Mark Thomas wrote:

On 18/01/2022 23:16, Christopher Schultz wrote:

All,

There are a bunch of parameters in SSLHostConfig which are 
documented[1] to be "OpenSSL Only" and "JSSE only". I thought we 
made it so either configuration could be used with either underlying 
crypto engine. Is that not true? Or is it only true if you are using 
JSSE with OpenSSL as the JSSE-provider??


You can configure TLS using JSSE style configuration or OpenSSL style 
configuration. That configuration style choice is independent of 
implementation.


So you can have any of:
- JSSE style config with NIO(2)+JSSE
- JSSE style config with NIO(2)+OpenSSL
- JSSE style config with APR/Native
- OpenSSL style config with NIO(2)+JSSE
- OpenSSL style config with NIO(2)+OpenSSL
- OpenSSL style config with APR/Native

What you can't do is mix JSSE configuration with OpenSSL 
configuration. You have to pick a single configuration style.


To slightly complicate things, some configuration settings work with 
JSSE or OpenSSL. What that means is that if you use a "JSSE only" setting 
then you can't also use an "OpenSSL only" setting (and vice versa).


Thanks.

How can we adjust the documentation to make it clear that you can 
choose either style of configuration, but that you have to be consistent?


Maybe two separate sections of the documentation with an introduction 
saying "there are two styles of config: pick one" and then remove the 
"JSSE Only" or "OpenSSL Only" notes on each?


-chris


I was greatly misled by that documentation when I had to study and apply 
it, so I agree it should be modified.


But it would make even more sense to me, if it is only a matter of style, 
that one of the two styles is removed: we are talking about 
configuration, not poetry: I cannot see any usefulness in having more 
than one way to express the same configuration.


My 2c

Best regards








Re: Configuring TLS JSSE vs OpenSSL

2022-01-19 Thread Christopher Schultz

Mark,

On 1/19/22 05:00, Mark Thomas wrote:

On 18/01/2022 23:16, Christopher Schultz wrote:

All,

There are a bunch of parameters in SSLHostConfig which are 
documented[1] to be "OpenSSL Only" and "JSSE only". I thought we made 
it so either configuration could be used with either underlying crypto 
engine. Is that not true? Or is it only true if you are using JSSE 
with OpenSSL as the JSSE-provider??


You can configure TLS using JSSE style configuration or OpenSSL style 
configuration. That configuration style choice is independent of 
implementation.


So you can have any of:
- JSSE style config with NIO(2)+JSSE
- JSSE style config with NIO(2)+OpenSSL
- JSSE style config with APR/Native
- OpenSSL style config with NIO(2)+JSSE
- OpenSSL style config with NIO(2)+OpenSSL
- OpenSSL style config with APR/Native

What you can't do is mix JSSE configuration with OpenSSL configuration. 
You have to pick a single configuration style.


To slightly complicate things, some configuration settings work with 
JSSE or OpenSSL. What that means is that if you use a "JSSE only" setting then 
you can't also use an "OpenSSL only" setting (and vice versa).


Thanks.

How can we adjust the documentation to make it clear that you can choose 
either style of configuration, but that you have to be consistent?


Maybe two separate sections of the documentation with an introduction 
saying "there are two styles of config: pick one" and then remove the 
"JSSE Only" or "OpenSSL Only" notes on each?


-chris




Re: Configuring TLS JSSE vs OpenSSL

2022-01-19 Thread Mark Thomas

On 18/01/2022 23:16, Christopher Schultz wrote:

All,

There are a bunch of parameters in SSLHostConfig which are documented[1] 
to be "OpenSSL Only" and "JSSE only". I thought we made it so either 
configuration could be used with either underlying crypto engine. Is 
that not true? Or is it only true if you are using JSSE with OpenSSL as 
the JSSE-provider??


You can configure TLS using JSSE style configuration or OpenSSL style 
configuration. That configuration style choice is independent of 
implementation.


So you can have any of:
- JSSE style config with NIO(2)+JSSE
- JSSE style config with NIO(2)+OpenSSL
- JSSE style config with APR/Native
- OpenSSL style config with NIO(2)+JSSE
- OpenSSL style config with NIO(2)+OpenSSL
- OpenSSL style config with APR/Native

What you can't do is mix JSSE configuration with OpenSSL configuration. 
You have to pick a single configuration style.


To slightly complicate things, some configuration settings work with 
JSSE or OpenSSL. What that means is that if you use a "JSSE only" setting then 
you can't also use an "OpenSSL only" setting (and vice versa).


HTH,

Mark

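The two configuration styles Mark describes above (pick JSSE style or OpenSSL style, never both in one SSLHostConfig), together with the keystore-versus-PEM split Chris points out further up the thread (certificateKeystoreFile/certificateKeyAlias on one side, certificateFile/certificateKeyFile on the other), shown as an added example that is not part of this thread and not Tomcat's own code: a small Python lint that parses a constructed server.xml fragment and flags any SSLHostConfig that mixes "JSSE only" and "OpenSSL only" attributes. The attribute lists are assumptions taken from the Tomcat 9 SSLHostConfig documentation linked in the original post and are illustrative rather than exhaustive; the host names, file paths and passwords in the sample are made up.

```python
"""Lint Tomcat SSLHostConfig blocks for mixed JSSE-style / OpenSSL-style attributes.

Added example, not Tomcat code. The attribute lists below are assumptions drawn
from the Tomcat 9 SSLHostConfig documentation; extend them from the docs for
the Tomcat version you actually run.
"""
import xml.etree.ElementTree as ET

# Attributes the docs mark "JSSE only", keyed by the element they live on.
JSSE_ONLY = {
    "SSLHostConfig": {
        "keyManagerAlgorithm", "revocationEnabled", "sslProtocol",
        "trustManagerClassName", "truststoreAlgorithm", "truststoreFile",
        "truststorePassword", "truststoreProvider", "truststoreType",
    },
    "Certificate": {
        "certificateKeyAlias", "certificateKeystoreFile",
        "certificateKeystorePassword", "certificateKeystoreProvider",
        "certificateKeystoreType",
    },
}

# Attributes the docs mark "OpenSSL only", keyed the same way.
OPENSSL_ONLY = {
    "SSLHostConfig": {
        "caCertificateFile", "caCertificatePath",
        "certificateRevocationListPath", "disableCompression",
        "disableSessionTickets", "insecureRenegotiation",
    },
    "Certificate": {
        "certificateFile", "certificateKeyFile", "certificateChainFile",
    },
}

# Constructed server.xml fragment (made-up host names, paths and passwords):
# one JSSE-style host, one OpenSSL-style host, and one that mixes the two.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <!-- JSSE style: keystore + alias. Works with NIO+JSSE, NIO+OpenSSL or APR. -->
      <SSLHostConfig hostName="jsse.example.test" protocols="TLSv1.2,TLSv1.3"
                     truststoreFile="conf/truststore.p12" truststorePassword="changeit">
        <Certificate certificateKeystoreFile="conf/keystore.p12"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="tomcat" type="RSA"/>
      </SSLHostConfig>
      <!-- OpenSSL style: PEM files. Also works with any of the three engines. -->
      <SSLHostConfig hostName="openssl.example.test" protocols="TLSv1.2,TLSv1.3"
                     caCertificateFile="conf/ca.pem">
        <Certificate certificateFile="conf/cert.pem"
                     certificateKeyFile="conf/key.pem"
                     certificateChainFile="conf/chain.pem" type="RSA"/>
      </SSLHostConfig>
      <!-- Mixed: JSSE keystore for the server cert, OpenSSL-only CA file. -->
      <SSLHostConfig hostName="mixed.example.test" caCertificateFile="conf/ca.pem">
        <Certificate certificateKeystoreFile="conf/keystore.p12"
                     certificateKeystorePassword="changeit" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def classify_host_config(host):
    """Classify one <SSLHostConfig> element together with its <Certificate> children.

    Returns (style, jsse_attrs, openssl_attrs). style is 'jsse', 'openssl',
    'mixed' (the combination the thread says is not allowed) or 'neutral'
    (only shared attributes such as protocols/ciphers, which fit either style).
    """
    jsse, openssl = [], []
    for elem in [host, *host.findall("Certificate")]:
        for attr in elem.attrib:
            if attr in JSSE_ONLY.get(elem.tag, ()):
                jsse.append(f"{elem.tag}/@{attr}")
            elif attr in OPENSSL_ONLY.get(elem.tag, ()):
                openssl.append(f"{elem.tag}/@{attr}")
    if jsse and openssl:
        style = "mixed"
    elif jsse:
        style = "jsse"
    elif openssl:
        style = "openssl"
    else:
        style = "neutral"
    return style, jsse, openssl


def lint_server_xml(xml_text):
    """Map each SSLHostConfig hostName (Tomcat's default is '_default_') to its classification."""
    root = ET.fromstring(xml_text)
    return {h.get("hostName", "_default_"): classify_host_config(h)
            for h in root.iter("SSLHostConfig")}


if __name__ == "__main__":
    for name, (style, jsse, openssl) in lint_server_xml(SAMPLE_SERVER_XML).items():
        print(f"{name}: {style}")
        if style == "mixed":
            print("  JSSE-only attributes:   ", ", ".join(jsse))
            print("  OpenSSL-only attributes:", ", ".join(openssl))
```

Run it against your own server.xml by replacing SAMPLE_SERVER_XML with the file contents; a host reported as "mixed" is the case the thread warns about, and the two attribute lists tell you which side to move to. Because the check is purely on attribute names, it is independent of which engine (NIO+JSSE, NIO+OpenSSL or APR/Native) the connector ends up using, which matches Mark's point that the style choice and the implementation are separate decisions.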



Configuring TLS JSSE vs OpenSSL

2022-01-18 Thread Christopher Schultz

All,

There are a bunch of parameters in SSLHostConfig which are documented[1] 
to be "OpenSSL Only" and "JSSE only". I thought we made it so either 
configuration could be used with either underlying crypto engine. Is 
that not true? Or is it only true if you are using JSSE with OpenSSL as 
the JSSE-provider??


Thanks,
-chris

[1] 
https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig

