Re: SSL connectors
John,

On 12/6/17 7:32 AM, Johan Compagner wrote:
> On 1 December 2017 at 16:44, Mark Thomas wrote:
>
>> On 01/12/17 14:57, Chris Cheshire wrote:
>>> I see in the changelog for 8.5.24
>>>
>>> 60762: Add the ability to make changes to the TLS configuration
>>> of a connector at runtime without having to restart the
>>> Connector. (markt)
>>>
>>> Does this mean we can now update SSL certificates without
>>> bouncing the connector?
>>
>> Yes, via one of the following methods on the endpoint:
>>
>> reloadSslHostConfig(String hostName)
>> reloadSslHostConfigs()
>
> Now it would be nice if Tomcat just had a built-in file scanner
> that calls those methods for us without doing anything else than
> change the file on disk ;)

This could easily be done using the background processor. Care to propose a patch? Be sure to make sure this feature is OPT-IN... it's not okay to auto-reload a file on the disk if the admin doesn't want that to happen.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
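The opt-in "file scanner on the background processor" that Chris sketches above, as an added example. This is not code from the thread or from Tomcat itself: the class name, package and the watchedFiles attribute are made up, and the JMX object-name pattern Catalina:type=ThreadPool,* is an assumption based on Mark's remark that the reload methods appear as operations on the ThreadPool MBeans. It relies on Tomcat 8.5.24+ exposing reloadSslHostConfigs() on the endpoint, and on the container's background thread delivering Lifecycle.PERIODIC_EVENT to listeners registered on an Engine or Host.

```java
package example.tls; // hypothetical package, not part of Tomcat

import java.io.File;
import java.lang.management.ManagementFactory;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.management.MBeanServer;
import javax.management.ObjectName;

import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/**
 * Opt-in keystore watcher. Nothing is reloaded unless an administrator
 * registers it on the Engine (or a Host) in server.xml, e.g.
 *
 *   <Listener className="example.tls.KeystoreReloadListener"
 *             watchedFiles="conf/host1.jks,conf/host2.jks" />
 *
 * The container background thread fires PERIODIC_EVENT every
 * backgroundProcessorDelay seconds (10 by default). Paths are relative
 * to $CATALINA_BASE unless absolute.
 */
public class KeystoreReloadListener implements LifecycleListener {

    private static final Log log = LogFactory.getLog(KeystoreReloadListener.class);

    private String watchedFiles = "";
    // "mtime:size" last seen for each watched file
    private final Map<File, String> lastSeen = new HashMap<>();

    /** Called by Tomcat's Digester for the watchedFiles attribute. */
    public void setWatchedFiles(String watchedFiles) {
        this.watchedFiles = watchedFiles;
    }

    public String getWatchedFiles() {
        return watchedFiles;
    }

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        if (Lifecycle.START_EVENT.equals(event.getType())) {
            snapshot(); // baseline, so the first periodic tick does not reload
        } else if (Lifecycle.PERIODIC_EVENT.equals(event.getType()) && snapshot()) {
            reloadAllTlsEndpoints();
        }
    }

    /** Refreshes the recorded file state; returns true if any watched file changed. */
    private boolean snapshot() {
        boolean changed = false;
        File base = new File(System.getProperty("catalina.base"));
        for (String name : watchedFiles.split(",")) {
            name = name.trim();
            if (name.isEmpty()) {
                continue;
            }
            File f = new File(name);
            if (!f.isAbsolute()) {
                f = new File(base, name);
            }
            // mtime plus size, so a rewrite within the same second is still noticed
            String state = f.lastModified() + ":" + f.length();
            String previous = lastSeen.put(f, state);
            if (previous != null && !previous.equals(state)) {
                log.info("TLS key material changed: " + f);
                changed = true;
            }
        }
        return changed;
    }

    /** Invokes reloadSslHostConfigs() on every ThreadPool MBean (name pattern assumed). */
    private void reloadAllTlsEndpoints() {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        try {
            Set<ObjectName> pools =
                    server.queryNames(new ObjectName("Catalina:type=ThreadPool,*"), null);
            for (ObjectName pool : pools) {
                try {
                    server.invoke(pool, "reloadSslHostConfigs", new Object[0], new String[0]);
                    log.info("Reloaded TLS configuration on " + pool);
                } catch (Exception e) {
                    // plain HTTP or AJP endpoints have no TLS configuration to reload
                    log.debug("Skipped " + pool + ": " + e.getMessage());
                }
            }
        } catch (Exception e) {
            log.error("TLS reload failed", e);
        }
    }
}
```

Two operational points follow from the design. The listener only ever acts on files the administrator named, which is the opt-in property Chris asks for; with no Listener element it is never instantiated. And because the scan is time-based, a keystore should be replaced atomically (write a temporary file, then rename it into place) so the scanner never sees a half-written file; if a load does fail, the log line from the catch block is the place to look.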
Re: SSL connectors
On 1 December 2017 at 16:44, Mark Thomas wrote:
> On 01/12/17 14:57, Chris Cheshire wrote:
>> I see in the changelog for 8.5.24
>>
>> 60762: Add the ability to make changes to the TLS configuration of a
>> connector at runtime without having to restart the Connector. (markt)
>>
>> Does this mean we can now update SSL certificates without bouncing the
>> connector?
>
> Yes, via one of the following methods on the endpoint:
>
> reloadSslHostConfig(String hostName)
> reloadSslHostConfigs()

Now it would be nice if Tomcat just had a built-in file scanner that calls those methods for us without doing anything else than change the file on disk ;)
Re: SSL connectors
On 06/12/17 01:06, George S. wrote:
> On 12/1/2017 8:44 AM, Mark Thomas wrote:
>> On 01/12/17 14:57, Chris Cheshire wrote:
>>> I see in the changelog for 8.5.24
>>>
>>> 60762: Add the ability to make changes to the TLS configuration of a
>>> connector at runtime without having to restart the Connector. (markt)
>
> What strikes me as odd is that SSL Certificates are still coupled to
> connectors. It seems like certificates should be coupled to Hosts since
> that's what SNI does. SNI removes the coupling between an IP and a
> virtual host name.
>
> Pre-SNI, there was a logical reason to associate a certificate with a
> connector. The fact that you could only have one certificate on one IP,
> made the one-to-one correlation obvious. Now, with SNI, you can have
> many SSL Certificates with one IP. However, Tomcat's continuation of
> associating the SSL Certificate with the Connector, rather than the
> virtual host it's associated with is cumbersome because now when I
> configure a virtual host with an SSL certificate, I not only have to
> configure the host, but also the connector. As a database person, I try
> to follow the rule that the attributes should follow the entity. In this
> case, the attributes (SSLHostConfig) are facts about the virtual host,
> and not about the Connector (entity).
>
> I'd like to see the Connector iterate over the virtual hosts and pick up
> the SSLHostConfig from there. Perhaps the SSLHostConfig should have an
> optional attribute "ConnectorName" to identify which Connector (assuming
> there are multiple) the SSLHostConfig should bind to for the case of
> multi-homed machines. The "ConnectorName" attribute would be used in
> multi-homed hosts to specify which (of several) connectors the
> SSLHostConfig should bind to.

The relationship between virtual host, SSLHostConfig and Connector is a complex one. Various options were considered when implementing SNI.

The solution you propose assumes that there is a 1-2-1 mapping between virtual host and SSLHostConfig. That is not always the case. The use of wildcard certificates and Subject Alternative Names (SAN) so a certificate can be used with multiple virtual hosts means that the mapping can be complex. The complex mapping, combined with a requirement to provide a smooth migration path for existing uses led to the current solution.

(Note that we don't currently support multiple aliases for an SSLHostConfig - that is something that should be fairly easy to add if required.)

Tweaks to the existing implementation to simplify some use cases are always possible and - assuming no impact on existing users - likely to be accepted. The more significant the change, the greater the impact to existing users and the less likely the change is to be accepted.

> Since I'm on wish lists, I wish that the Host XML snippet could be
> specified via a file in $CATALINA_BASE/conf/EngineName/Virtual.Host.Name
> via a magic name like _HOST.xml, or the like. I run anywhere from
> 600-2000 virtual hosts on a machine, and my current "work-around" is to
> use the inclusion hack to bring in an external file with the defined
> virtual hosts.

Each virtual host with its own set of web applications?

Automatic inclusion of hosts sounds doable but needs thinking through. I don't see any immediate gotchas but it is similar to automatic context deployment and there are a huge number of edge cases in that use case once you start thinking about it. Automatic inclusion at start-up but no automatic deployment while running would be a lot simpler to implement.

Mark

>>> Does this mean we can now update SSL certificates without bouncing the
>>> connector?
>> Yes, via one of the following methods on the endpoint:
>>
>> reloadSslHostConfig(String hostName)
>> reloadSslHostConfigs()
>>
>> If accessing this via JMX, they appear as operations on the ThreadPool
>> objects.
>>
>> Mark
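The Connector/SSLHostConfig/virtual-host relationship Mark and George are discussing, shown as a server.xml fragment. This is an added example, not configuration from the thread or from the Tomcat documentation; the host names, keystore paths and passwords are placeholders. It shows the 8.5 model: one connector on one IP:port, and one SSLHostConfig per SNI name, each carrying its own server certificate and its own client trust store, which is also the per-host trust store question asked in the older thread further down this page.

```xml
<!-- Added example: one TLS connector, two SNI host configurations.
     Host names, file names and passwords are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           defaultSSLHostConfigName="host1.example.com">

  <!-- Chosen when the client's SNI name is host1.example.com, and also
       when the client sends no SNI name or an unknown one
       (defaultSSLHostConfigName). -->
  <SSLHostConfig hostName="host1.example.com"
                 protocols="TLSv1.2"
                 certificateVerification="required"
                 truststoreFile="conf/host1-clients.jks"
                 truststorePassword="changeit">
    <Certificate certificateKeystoreFile="conf/host1.jks"
                 certificateKeystorePassword="changeit"
                 type="RSA" />
  </SSLHostConfig>

  <!-- Same IP and port, different key pair and a different set of
       trusted client CAs. A wildcard or SAN certificate covering both
       names could instead be shared, which is the many-to-one mapping
       Mark refers to. -->
  <SSLHostConfig hostName="host2.example.com"
                 protocols="TLSv1.2"
                 certificateVerification="required"
                 truststoreFile="conf/host2-clients.jks"
                 truststorePassword="changeit">
    <Certificate certificateKeystoreFile="conf/host2.jks"
                 certificateKeystorePassword="changeit"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

Relative paths resolve against $CATALINA_BASE. With this layout, renewing only host2's certificate is a matter of replacing conf/host2.jks and calling reloadSslHostConfig("host2.example.com") on the connector's endpoint (through JMX, the ThreadPool MBean for this connector), leaving host1's established configuration untouched; reloadSslHostConfigs() reloads both.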
Re: SSL connectors
On 12/1/2017 8:44 AM, Mark Thomas wrote:
> On 01/12/17 14:57, Chris Cheshire wrote:
>> I see in the changelog for 8.5.24
>>
>> 60762: Add the ability to make changes to the TLS configuration of a
>> connector at runtime without having to restart the Connector. (markt)

What strikes me as odd is that SSL Certificates are still coupled to connectors. It seems like certificates should be coupled to Hosts since that's what SNI does. SNI removes the coupling between an IP and a virtual host name.

Pre-SNI, there was a logical reason to associate a certificate with a connector. The fact that you could only have one certificate on one IP, made the one-to-one correlation obvious. Now, with SNI, you can have many SSL Certificates with one IP. However, Tomcat's continuation of associating the SSL Certificate with the Connector, rather than the virtual host it's associated with is cumbersome because now when I configure a virtual host with an SSL certificate, I not only have to configure the host, but also the connector. As a database person, I try to follow the rule that the attributes should follow the entity. In this case, the attributes (SSLHostConfig) are facts about the virtual host, and not about the Connector (entity).

I'd like to see the Connector iterate over the virtual hosts and pick up the SSLHostConfig from there. Perhaps the SSLHostConfig should have an optional attribute "ConnectorName" to identify which Connector (assuming there are multiple) the SSLHostConfig should bind to for the case of multi-homed machines. The "ConnectorName" attribute would be used in multi-homed hosts to specify which (of several) connectors the SSLHostConfig should bind to.

Since I'm on wish lists, I wish that the Host XML snippet could be specified via a file in $CATALINA_BASE/conf/EngineName/Virtual.Host.Name via a magic name like _HOST.xml, or the like. I run anywhere from 600-2000 virtual hosts on a machine, and my current "work-around" is to use the inclusion hack to bring in an external file with the defined virtual hosts.

>> Does this mean we can now update SSL certificates without bouncing the
>> connector?
> Yes, via one of the following methods on the endpoint:
>
> reloadSslHostConfig(String hostName)
> reloadSslHostConfigs()
>
> If accessing this via JMX, they appear as operations on the ThreadPool
> objects.
>
> Mark

--
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com
Re: SSL connectors
Mark,

On 12/1/17 10:44 AM, Mark Thomas wrote:
> On 01/12/17 14:57, Chris Cheshire wrote:
>> I see in the changelog for 8.5.24
>>
>> 60762: Add the ability to make changes to the TLS configuration
>> of a connector at runtime without having to restart the
>> Connector. (markt)
>>
>> Does this mean we can now update SSL certificates without
>> bouncing the connector?
>
> Yes, via one of the following methods on the endpoint:
>
> reloadSslHostConfig(String hostName)
> reloadSslHostConfigs()
>
> If accessing this via JMX, they appear as operations on the
> ThreadPool objects.

I'll be very happy to update my "Let's Encrypt" presentation to reflect the new situation :)

-chris
Re: SSL connectors
On 01/12/17 14:57, Chris Cheshire wrote:
> I see in the changelog for 8.5.24
>
> 60762: Add the ability to make changes to the TLS configuration of a
> connector at runtime without having to restart the Connector. (markt)
>
> Does this mean we can now update SSL certificates without bouncing the
> connector?

Yes, via one of the following methods on the endpoint:

reloadSslHostConfig(String hostName)
reloadSslHostConfigs()

If accessing this via JMX, they appear as operations on the ThreadPool objects.

Mark
SSL connectors
I see in the changelog for 8.5.24

60762: Add the ability to make changes to the TLS configuration of a connector at runtime without having to restart the Connector. (markt)

Does this mean we can now update SSL certificates without bouncing the connector?
Re: Is it possible to configure 2 SSL connectors on one Tomcat instance?
Nikko,

On 3/9/2011 2:26 AM, Nikko Nikko wrote:
> Thanks for the answers! I have one IP and wildcard certificate which
> I signed using local CA. I want to have different trust stores for
> client certificate authorization. It is a small PoC/demo and I do not
> have 2 IP-s.

If it's a demo on a single PC, why not just create a second IP address and use that?

-chris
Re: Is it possible to configure 2 SSL connectors on one Tomcat instance?
Thanks for the detailed answers. I should find another solution.

Nikko.

2011/3/9 Ognjen Blagojevic
> Nikko,
>
> On 9.3.2011 8:26, Nikko Nikko wrote:
>> Thanks for the answers! I have one IP and wildcard certificate which I
>> signed using local CA. I want to have different trust stores for client
>> certificate authorization. It is a small PoC/demo and I do not have 2
>> IP-s.
>>
>> The example above is using 2 IP-s and I did not get how to create
>> configuration with same IP and port but different virtual hosts.
>> Do you have example or just a hint how to configure it ?
>
> Then, I believe that the only solution is to use 2 different ports on same
> IP.
>
> Truststore is bound to Connector, and Connector is bound to IP + port
> combination. So, if you must have separate trust stores, then you must have
> separate Connectors, and therefore you must use 2 IP addresses or 2
> different ports (or both).
>
> -Ognjen
Re: Is it possible to configure 2 SSL connectors on one Tomcat instance?
Nikko,

On 9.3.2011 8:26, Nikko Nikko wrote:
> Thanks for the answers! I have one IP and wildcard certificate which I
> signed using local CA. I want to have different trust stores for client
> certificate authorization. It is a small PoC/demo and I do not have 2
> IP-s.
>
> The example above is using 2 IP-s and I did not get how to create
> configuration with same IP and port but different virtual hosts.
> Do you have example or just a hint how to configure it ?

Then, I believe that the only solution is to use 2 different ports on same IP.

Truststore is bound to Connector, and Connector is bound to IP + port combination. So, if you must have separate trust stores, then you must have separate Connectors, and therefore you must use 2 IP addresses or 2 different ports (or both).

-Ognjen
Re: Is it possible to configure 2 SSL connectors on one Tomcat instance?
Hi,

Thanks for the answers! I have one IP and wildcard certificate which I signed using local CA. I want to have different trust stores for client certificate authorization. It is a small PoC/demo and I do not have 2 IP-s.

The example above is using 2 IP-s and I did not get how to create configuration with same IP and port but different virtual hosts. Do you have example or just a hint how to configure it ?

Regards,
Nikko.

2011/3/9 Ognjen Blagojevic
> On 8.3.2011 14:51, Borut Hadžialić wrote:
>> Maybe if your domains are really similar to host1.myhost.com and
>> host2.myhost.com you could use a wildcard certificate (*.myhost.com)
>> or if you are using a self-signed certificate and want just https
>> encryption and not server verification - then you could use 1 Tomcat
>> connector.
>
> Other than wildcard certificates one might also use SAN or SNI if there is
> one IP address. They are both briefly explained here [1].
>
> SAN is supported in Java 7 keytool (available as early access), and on most
> browsers.
>
> I am not sure about server-side SNI, but it is not 100% supported on
> browsers [2]. Oddly, Wikipedia article states that Apache Tomcat supports
> SNI, but I cannot find any such reference in the docs.
>
> -Ognjen
>
> [1] http://redmine.lighttpd.net/wiki/1/Docs:SSL#SSL-on-multiple-domains
> [2] http://en.wikipedia.org/wiki/Server_Name_Indication#Support
Re: Is it possible to configure 2 SSL connectors on one Tomcat instance?
On 8.3.2011 14:51, Borut Hadžialić wrote:
> Maybe if your domains are really similar to host1.myhost.com and
> host2.myhost.com you could use a wildcard certificate (*.myhost.com)
> or if you are using a self-signed certificate and want just https
> encryption and not server verification - then you could use 1 Tomcat
> connector.

Other than wildcard certificates one might also use SAN or SNI if there is one IP address. They are both briefly explained here [1].

SAN is supported in Java 7 keytool (available as early access), and on most browsers.

I am not sure about server-side SNI, but it is not 100% supported on browsers [2]. Oddly, Wikipedia article states that Apache Tomcat supports SNI, but I cannot find any such reference in the docs.

-Ognjen

[1] http://redmine.lighttpd.net/wiki/1/Docs:SSL#SSL-on-multiple-domains
[2] http://en.wikipedia.org/wiki/Server_Name_Indication#Support
AW: Is it possible to configure 2 SSL connectors on one Tomcat instance?
Hi

> If you have only 1 ip address then you might have a problem. The problem
> with name based virtual hosts under https/ssl is that ssl handshake (which
> involves server sending a certificate for some
> domain) happens after tcp/ip connection is established - before the HOST
> part of the http request can be read. So if you would have 2 different https
> virtual domains on same ip:port, the server wouldn't know which certificate
> to send just after a tcp/ip connection was established, because it must
> decide what certificate to send based on information which is inside the HTTP
> request, which can be read only after establishing a ssl connection. This is a
> general problem, not just Tomcat specific.

While this is true for the outdated SSL, it is not true for "current" TLS. There is a TLS extension around (since 2003) that allows multiple certificates on one IP. That is 8 years by now! (rfc3546, §3.1)

Some https servers support it. Sadly java / tomcat don't. And that IS a tomcat problem. Yet not a bug, but a missing feature.

Regards,
Steffen
Re: Is it possible to configure 2 SSL connectors on one Tomcat instance?
On 8.3.2011 13:57, Nikko Nikko wrote:
> Is it possible to define 2 SSL connectors for 2 different virtual
> domains? For example I want to define 2 virtual hosts: “host1.myhost.com”
> and “host2.myhost.com” and want to have different trust store for each of
> them. I want to run them in one and the same Tomcat instance.

Yes, see (almost complete) example here:

http://www.mail-archive.com/users@tomcat.apache.org/msg61073.html

You just need to add elements with the IPs inside elements.

-Ognjen
Re: Is it possible to configure 2 SSL connectors on one Tomcat instance?
Hi Nikko,

I assume that you really want 2 connectors with 2 different key stores, not 2 different trust stores.

If you have 2 ip addresses then it's easy - define 2 connectors and use their address attribute to assign each connector one ip address.

If you have only 1 ip address then you might have a problem. The problem with name based virtual hosts under https/ssl is that ssl handshake (which involves server sending a certificate for some domain) happens after tcp/ip connection is established - before the HOST part of the http request can be read. So if you would have 2 different https virtual domains on same ip:port, the server wouldn't know which certificate to send just after a tcp/ip connection was established, because it must decide what certificate to send based on information which is inside the HTTP request, which can be read only after establishing a ssl connection. This is a general problem, not just Tomcat specific.

Maybe if your domains are really similar to host1.myhost.com and host2.myhost.com you could use a wildcard certificate (*.myhost.com) or if you are using a self-signed certificate and want just https encryption and not server verification - then you could use 1 Tomcat connector.

And btw if you are defining a https connector in tomcat you are using a key store - a trust store is used when you verify client certificates when you set clientAuth="true" which is rare.

On Tue, Mar 8, 2011 at 1:57 PM, Nikko Nikko wrote:
> Hi,
>
> Is it possible to define 2 SSL connectors for 2 different virtual
> domains? For example I want to define 2 virtual hosts: “host1.myhost.com”
> and “host2.myhost.com” and want to have different trust store for each of
> them. I want to run them in one and the same Tomcat instance.
>
> Best regards,
>
> Nikko.

--
Why? Because YES!
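Borut's two-address approach, and Ognjen's two-port fallback for a single IP, written out as a server.xml fragment. This is an added example, not configuration posted in the thread; the addresses (from the 192.0.2.0/24 documentation range), ports, file names and passwords are placeholders, and the attribute names are the per-connector TLS attributes of the Tomcat versions current in 2011. Each connector binds one IP:port, so each gets its own key store and, because clientAuth="true" is set, its own client trust store, which is exactly the coupling Ognjen describes.

```xml
<!-- Added example: two TLS connectors, each bound to its own IP address,
     each with its own key store and its own client trust store.
     Addresses, file names and passwords are placeholders. -->
<Service name="Catalina">

  <!-- host1.myhost.com resolves to 192.0.2.10; only the CAs in
       host1-clients.jks are accepted as client-certificate issuers here. -->
  <Connector address="192.0.2.10" port="8443"
             protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="conf/host1.jks" keystorePass="changeit"
             clientAuth="true"
             truststoreFile="conf/host1-clients.jks" truststorePass="changeit" />

  <!-- host2.myhost.com resolves to 192.0.2.11, with a different key pair
       and a different trust store. With only one IP available, keep the
       same address and use a different port instead (Ognjen's option);
       the certificate is then selected by port rather than by name. -->
  <Connector address="192.0.2.11" port="8443"
             protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="conf/host2.jks" keystorePass="changeit"
             clientAuth="true"
             truststoreFile="conf/host2-clients.jks" truststorePass="changeit" />

  <Engine name="Catalina" defaultHost="host1.myhost.com">
    <Host name="host1.myhost.com" appBase="webapps/host1" />
    <Host name="host2.myhost.com" appBase="webapps/host2" />
  </Engine>
</Service>
```

Note that the Host elements are still matched on the HTTP Host header, not on the connector the request arrived on; the per-address separation only controls which certificate is presented and which client CAs are trusted during the handshake, which is the limitation Borut explains above.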
Is it possible to configure 2 SSL connectors on one Tomcat instance?
Hi,

Is it possible to define 2 SSL connectors for 2 different virtual domains? For example I want to define 2 virtual hosts: “host1.myhost.com” and “host2.myhost.com” and want to have different trust store for each of them. I want to run them in one and the same Tomcat instance.

Best regards,
Nikko.