Re: SSL connectors

2017-12-01 Thread Christopher Schultz

Mark,

On 12/1/17 10:44 AM, Mark Thomas wrote:
> On 01/12/17 14:57, Chris Cheshire wrote:
>> I see in the changelog for 8.5.24
>> 
>> 60762: Add the ability to make changes to the TLS configuration
>> of a connector at runtime without having to restart the
>> Connector. (markt)
>> 
>> Does this mean we can now update SSL certificates without
>> bouncing the connector?
> 
> Yes, via one of the following methods on the endpoint:
> 
> reloadSslHostConfig(String hostName)
> reloadSslHostConfigs()
> 
> If accessing this via JMX, they appear as operations on the
> ThreadPool objects.

I'll be very happy to update my "Let's Encrypt" presentation to
reflect the new situation :)

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Trying to understand How Tomcat uses Keystore for SSL

2017-12-01 Thread Christopher Schultz

Don,

On 12/1/17 3:14 AM, Don Flinn wrote:
> I'll be happy to accept your challenge to try to write some
> documentation for the site from a newbie's point of view.  It will
> be on the slow side as my 'day job' will interfere somewhat.  It
> also will require some correction of errors.

No problem at all. Just reach out to the group if you need any
hand-holding.

-chris
> On Wed, Nov 29, 2017 at 9:37 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Don,
>
> On 11/28/17 4:55 PM, Don Flinn wrote:
>>> In fact, I think you are using PEM-encoded DER files and
>>> not a packaged keystore, even though your
>>> SSLHostConfig's keystoreType is set to "PKCS12".
>>
>> Yes, I am using PEM files.  Got to read more on DER files.
>
> PEM is an encoding, while DER is really the file format. It's like
> saying "is this file text/plain or UTF-8?"
>
> This is a great read for almost anyone who cares about x509
> certificates:
>
> https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
>
>> So do I just drop the keystoreType="PKCS12"  from the
>> connector?
>
> Theoretically, yes. The keystoreType is only used when there is a
> keystore and not "certificate files", etc.
>
>>> If there's anything inaccurate on the Tomcat site
>>
>> No, I was talking about other sites, not the Tomcat site.
>> I've been reading all over the internet for that which seems
>> related. My statement was a caution to not believe everything
>> you read. 'Trust but verify'
>
> Mark has given a number of presentations on TLS and they are very
> accessible. Have a look at the slides (and some audio/video) on
> the "presentations" page on the Tomcat site. Each of them has a
> varying level of "introductoryness", but I think the more recent
> ones like "Introduction to Tomcat and TLS" from TomcatCon in Miami
> are probably the best ones to see for beginners.
>
>> Your e-mail has been very helpful, not only to me, but I
>> believe to others.  With respect to the Tomcat site, I think
>> a lot of what you wrote would be very helpful there.  For
>> example, the Tomcat write up on SSL describes how to do self
>> signed certificates and fleetingly mentions that if you have
>> a certificate from a CA that you could use e.g. openssl and
>> then refers the reader to their java documentation and
>> openssl documentation.  Not too helpful to the
>> security/Tomcat novice.
>
> Agreed. Would you care to write some new documentation and/or
> prepare a patch for the site? It's usually best when beginners
> write for their own audience. I, for example, understand it
> backwards and forwards so when I write I have a skewed perspective.
> Writing as a beginner can re-focus the narrative for a different
> audience.
>
> If you need any help grabbing the site from svn, etc. please just
> ask.
>
>> Thanks for your patience and help.
>
> You are more important than the software. No, really:
> https://blogs.apache.org/foundation/entry/asf_15_community_over_code
>
> -chris



Re: unable to set the "secure="true" flag on server.xml

2017-12-01 Thread Christopher Schultz

Coty,

On 11/30/17 3:51 PM, Coty Sutherland wrote:
> On Thu, Nov 30, 2017 at 1:39 PM, Christopher Schultz wrote:
>> Naga,
>>
>> On 11/30/17 12:29 PM, Naga Ramesh wrote:
>>> Thanks Chris..
>>>
>>> See the below output and here not showing the secure.
>>>
>>> < HTTP/1.1 200 OK
>>> < Set-Cookie: JSESSIONID=D14ACAB7CADB83FAD5C11296C75A09DB; Path=/; HttpOnly
>>> < X-Frame-Options: DENY
>>> < X-Content-Type-Options: nosniff
>>> < X-XSS-Protection: 1; mode=block
>>> < Content-Type: text/html;charset=ISO-8859-1
>>> < Content-Length: 5472
>>> < Date: Thu, 30 Nov 2017 17:26:37 GMT
>>> < Server:
>
> HTTP response headers don't say anything about "secure" anyway.

Agreed. I'm trying to get the OP to tell us what the desired behavior
is, AND what the experienced behavior is instead.

-chris



Re: SSL connectors

2017-12-01 Thread Mark Thomas
On 01/12/17 14:57, Chris Cheshire wrote:
> I see in the changelog for 8.5.24
> 
> 60762: Add the ability to make changes to the TLS configuration of a
> connector at runtime without having to restart the Connector. (markt)
> 
> Does this mean we can now update SSL certificates without bouncing the
> connector?

Yes, via one of the following methods on the endpoint:

reloadSslHostConfig(String hostName)
reloadSslHostConfigs()

If accessing this via JMX, they appear as operations on the ThreadPool
objects.

Mark
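
Added example (not part of the original thread and not Tomcat's own code): a small JMX client that invokes the reload operations named above on every ThreadPool MBean it finds. The JMX service URL and port 9010 are assumptions for illustration, and remote JMX must already be enabled on the Tomcat JVM.

```java
import java.util.Set;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

public class ReloadTlsConfig {
    public static void main(String[] args) throws Exception {
        // Assumed JMX endpoint; the port depends on how remote JMX was enabled for this JVM.
        String url = args.length > 0 ? args[0]
                : "service:jmx:rmi:///jndi/rmi://localhost:9010/jmxrmi";
        // Optional TLS virtual host name; when absent every SSLHostConfig is reloaded.
        String hostName = args.length > 1 ? args[1] : null;

        try (JMXConnector connector = JMXConnectorFactory.connect(new JMXServiceURL(url))) {
            MBeanServerConnection mbs = connector.getMBeanServerConnection();
            // Match any JMX domain so an embedded Tomcat with a non-default domain is found too.
            Set<ObjectName> pools = mbs.queryNames(new ObjectName("*:type=ThreadPool,*"), null);
            for (ObjectName pool : pools) {
                // Releases without the runtime reload feature do not expose the operation.
                if (!hasOperation(mbs, pool, "reloadSslHostConfigs")) {
                    System.out.println("skipped " + pool + " (no reload operation exposed)");
                    continue;
                }
                if (hostName == null) {
                    mbs.invoke(pool, "reloadSslHostConfigs", new Object[0], new String[0]);
                } else {
                    // Fails with an exception if this connector has no such host name.
                    mbs.invoke(pool, "reloadSslHostConfig",
                            new Object[] { hostName },
                            new String[] { String.class.getName() });
                }
                System.out.println("reloaded TLS configuration on " + pool);
            }
        }
    }

    // True when the MBean advertises an operation with the given name.
    private static boolean hasOperation(MBeanServerConnection mbs, ObjectName name, String op)
            throws Exception {
        for (MBeanOperationInfo info : mbs.getMBeanInfo(name).getOperations()) {
            if (info.getName().equals(op)) {
                return true;
            }
        }
        return false;
    }
}
```

Because these operations change which certificate and key a connector serves, the JMX port should require authentication and be reachable only from the hosts that perform certificate renewal.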




Re: [ANN] Apache Tomcat 9.0.2 available

2017-12-01 Thread Mark Thomas
On 01/12/17 15:16, Chris Cheshire wrote:
> Interesting take on 'beta', in all my years writing software I haven't
> seen that used before.
> 
> I ask because I saw it has recently gone from milestones, to release
> candidates to beta with different point versions. I didn't know if I
> had missed something in between :)

Every announced release is an official release.

Prior to a release announcement there will be a vote on the release
candidate. If the release vote passes, the release candidate becomes the
release. If the release vote fails, that version number is not used and
we move on to the next one.

In terms of the designations we use, they have evolved a little over
time but they have been stable during the life of 9.0.x. They are:

- Milestone - Specification JARs not complete
- Alpha - Specification JARs complete, other stuff (including the
  implementation of the specification) not complete
- Beta - Feature complete, not production ready
- Stable - Production ready

For 9.0.x we were stuck on milestone releases for almost two years
because of the general delays in progressing Java EE 8 (of which Servlet
4.0 is a part). We couldn't consider the specification API
implementation complete until the specification was declared final.

We skipped alpha releases for 9.0.x because Tomcat 9's Servlet 4.0
implementation was already complete when Servlet 4.0 was declared final.

Hence we are currently on beta releases. How long we stay on beta before
declaring a release stable will depend on the feedback we get from users
regarding stability. At the moment things look pretty good and my guess
is that the first stable release will be some time in Q1 2018.

Mark


> 
> 
> On Fri, Dec 1, 2017 at 10:11 AM, Olaf Kock wrote:
>>
>> On 01.12.2017 15:54, Chris Cheshire wrote:
>>>
>>> Has 9 had an official release yet, or is it still almost there?
>>>
>>> On Fri, Dec 1, 2017 at 9:05 AM, Mark Thomas wrote:
>>>>
>>>> The Apache Tomcat team announces the immediate availability of Apache
>>>> Tomcat 9.0.2 (beta).
>>
>>
>> 9.0.2 (beta)
>>
>> beta = before estimated time (of) arrival
>>
>> I guess this is an official beta release. Does that count? ;)
>>



Re: [ANN] Apache Tomcat 9.0.2 available

2017-12-01 Thread Chris Cheshire
Interesting take on 'beta', in all my years writing software I haven't
seen that used before.

I ask because I saw it has recently gone from milestones, to release
candidates to beta with different point versions. I didn't know if I
had missed something in between :)


On Fri, Dec 1, 2017 at 10:11 AM, Olaf Kock wrote:
>
> On 01.12.2017 15:54, Chris Cheshire wrote:
>>
>> Has 9 had an official release yet, or is it still almost there?
>>
>> On Fri, Dec 1, 2017 at 9:05 AM, Mark Thomas wrote:
>>>
>>> The Apache Tomcat team announces the immediate availability of Apache
>>> Tomcat 9.0.2 (beta).
>
>
> 9.0.2 (beta)
>
> beta = before estimated time (of) arrival
>
> I guess this is an official beta release. Does that count? ;)
>



Re: [ANN] Apache Tomcat 9.0.2 available

2017-12-01 Thread Olaf Kock


On 01.12.2017 15:54, Chris Cheshire wrote:
> Has 9 had an official release yet, or is it still almost there?
>
> On Fri, Dec 1, 2017 at 9:05 AM, Mark Thomas wrote:
>> The Apache Tomcat team announces the immediate availability of Apache
>> Tomcat 9.0.2 (beta).

9.0.2 (beta)

beta = before estimated time (of) arrival

I guess this is an official beta release. Does that count? ;)





SSL connectors

2017-12-01 Thread Chris Cheshire
I see in the changelog for 8.5.24

60762: Add the ability to make changes to the TLS configuration of a
connector at runtime without having to restart the Connector. (markt)

Does this mean we can now update SSL certificates without bouncing the
connector?




Re: [ANN] Apache Tomcat 9.0.2 available

2017-12-01 Thread Chris Cheshire
Has 9 had an official release yet, or is it still almost there?

On Fri, Dec 1, 2017 at 9:05 AM, Mark Thomas wrote:
> The Apache Tomcat team announces the immediate availability of Apache
> Tomcat 9.0.2 (beta).
>
> Apache Tomcat 9 is an open source software implementation of the Java
> Servlet, JavaServer Pages, Java Unified Expression Language, Java
> WebSocket and JASPIC technologies.
>
> Apache Tomcat 9.0.2 is a bugfix release. The notable changes compared to
> 9.0.1 include:
>
> - Java 9 is fully supported
>
> - Fixed a number of HTTP/2 issues
>
> - Fixed numerous JASPIC issues with patches from Lazar
>
> - Update the packaged version of the Tomcat Native Library to
>   1.2.16 to pick up the latest Windows binaries built with
>   APR 1.6.3 and OpenSSL 1.0.2m
>
>
> Please refer to the change log for the complete list of changes:
> http://tomcat.apache.org/tomcat-9.0-doc/changelog.html
>
> Downloads:
> http://tomcat.apache.org/download-90.cgi
>
> Migration guides from Apache Tomcat 7.x and 8.x:
> http://tomcat.apache.org/migration.html
>
> Enjoy!
>
> - The Apache Tomcat team
>



[ANN] Apache Tomcat 8.5.24 available

2017-12-01 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.24.

Tomcat 8.x users should normally be using 8.5.x releases in preference
to 8.0.x releases.

Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and Java Authentication Service Provider Interface for
Containers technologies.

Apache Tomcat 8.5.x is intended to replace 8.0.x and includes new
features pulled forward from the 9.0.x branch. The notable changes since
8.5.23 include:

- Java 9 is fully supported

- Fixed a number of HTTP/2 issues

- Fixed numerous JASPIC issues with patches from Lazar

- Update the packaged version of the Tomcat Native Library to
  1.2.16 to pick up the latest Windows binaries built with
  APR 1.6.3 and OpenSSL 1.0.2m


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team





[ANN] Apache Tomcat Native 1.2.16 released

2017-12-01 Thread Mark Thomas
Apologies for the delayed announcement.

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.16 stable.

The key features of this release are:
- Windows binaries built with APR 1.6.3 and OpenSSL 1.0.2m.
- Improved parsing of OCSP extensions

Note that users should now be using 1.2.x in preference to 1.1.x.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides portable API for features
not found in contemporary JDK's. It uses Apache Portable Runtime as
operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.



Thank you,
-- 
The Apache Tomcat Team




[ANN] Apache Tomcat 9.0.2 available

2017-12-01 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.2 (beta).

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.2 is a bugfix release. The notable changes compared to
9.0.1 include:

- Java 9 is fully supported

- Fixed a number of HTTP/2 issues

- Fixed numerous JASPIC issues with patches from Lazar

- Update the packaged version of the Tomcat Native Library to
  1.2.16 to pick up the latest Windows binaries built with
  APR 1.6.3 and OpenSSL 1.0.2m


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-9.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team




Re: Trying to understand How Tomcat uses Keystore for SSL

2017-12-01 Thread Don Flinn
Chris

I'll be happy to accept your challenge to try to write some documentation
for the site from a newbie's point of view.  It will be on the slow side as
my 'day job' will interfere somewhat.  It also will require some correction
of errors.

Don

On Wed, Nov 29, 2017 at 9:37 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Don,
>
> On 11/28/17 4:55 PM, Don Flinn wrote:
> >>> In fact, I think you are using PEM-encoded DER files and not a
> >>> packaged keystore, even though your SSLHostConfig's
> >>> keystoreType is set to "PKCS12".
> >
> > Yes, I am using PEM files.  Got to read more on DER files.
>
> PEM is an encoding, while DER is really the file format. It's like
> saying "is this file text/plain or UTF-8?"
>
> This is a great read for almost anyone who cares about x509 certificates:
>
> https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
>
> > So do I just drop the keystoreType="PKCS12"  from the connector?
> Theoretically, yes. The keystoreType is only used when there is a
> keystore and not "certificate files", etc.
>
> >> If there's anything inaccurate on the Tomcat site
> >
> > No, I was talking about other sites, not the Tomcat site.  I've
> > been reading all over the internet for that which seems related.
> > My statement was a caution to not believe everything you read.
> > 'Trust but verify'
>
> Mark has given a number of presentations on TLS and they are very
> accessible. Have a look at the slides (and some audio/video) on the
> "presentations" page on the Tomcat site. Each of them has a varying
> level of "introductoryness", but I think the more recent ones like
> "Introduction to Tomcat and TLS" from TomcatCon in Miami are probably
> the best ones to see for beginners.
>
> > Your e-mail has been very helpful, not only to me, but I believe
> > to others.  With respect to the Tomcat site, I think a lot of what
> > you wrote would be very helpful there.  For example, the Tomcat
> > write up on SSL describes how to do self signed certificates and
> > fleetingly mentions that if you have a certificate from a CA that
> > you could use e.g. openssl and then refers the reader to their java
> > documentation and openssl documentation.  Not too helpful to the
> > security/Tomcat novice.
>
> Agreed. Would you care to write some new documentation and/or prepare
> a patch for the site? It's usually best when beginners write for their
> own audience. I, for example, understand it backwards and forwards so
> when I write I have a skewed perspective. Writing as a beginner can
> re-focus the narrative for a different audience.
>
> If you need any help grabbing the site from svn, etc. please just ask.
>
> > Thanks for your patience and help.
>
> You are more important than the software. No, really:
> https://blogs.apache.org/foundation/entry/asf_15_community_over_code
>
> -chris