Re: SSL connectors

2017-12-06 Thread Christopher Schultz

John,

On 12/6/17 7:32 AM, Johan Compagner wrote:
> On 1 December 2017 at 16:44, Mark Thomas  wrote:
> 
>> On 01/12/17 14:57, Chris Cheshire wrote:
>>> I see in the changelog for 8.5.24
>>> 
>>> 60762: Add the ability to make changes to the TLS configuration
>>> of a connector at runtime without having to restart the
>>> Connector. (markt)
>>> 
>>> Does this mean we can now update SSL certificates without
>>> bouncing the connector?
>> 
>> Yes, via one of the following methods on the endpoint:
>> 
>> reloadSslHostConfig(String hostName)
>> reloadSslHostConfigs()
>> 
>> 
>> 
> now it would be nice if tomcat just had a built-in file scanner
> that calls those methods for us without doing anything else than
> change the file on disk ;)

This could easily be done using the background processor.

Care to propose a patch?

Be sure to make sure this feature is OPT-IN... it's not okay to
auto-reload a file on the disk if the admin doesn't want that to happen.

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSL connectors

2017-12-06 Thread Johan Compagner
On 1 December 2017 at 16:44, Mark Thomas  wrote:

> On 01/12/17 14:57, Chris Cheshire wrote:
> > I see in the changelog for 8.5.24
> >
> > 60762: Add the ability to make changes to the TLS configuration of a
> > connector at runtime without having to restart the Connector. (markt)
> >
> > Does this mean we can now update SSL certificates without bouncing the
> > connector?
>
> Yes, via one of the following methods on the endpoint:
>
> reloadSslHostConfig(String hostName)
> reloadSslHostConfigs()
>
>
>
now it would be nice if tomcat just had a built-in file scanner that calls
those methods for us without doing anything else than change the file on
disk ;)


Re: SSL connectors

2017-12-06 Thread Mark Thomas
On 06/12/17 01:06, George S. wrote:
> 
> 
> On 12/1/2017 8:44 AM, Mark Thomas wrote:
>> On 01/12/17 14:57, Chris Cheshire wrote:
>>> I see in the changelog for 8.5.24
>>>
>>> 60762: Add the ability to make changes to the TLS configuration of a
>>> connector at runtime without having to restart the Connector. (markt)
> 
> What strikes me as odd is that SSL Certificates are still coupled to
> connectors. It seems like certificates should be coupled to Hosts since
> that's what SNI does. SNI removes the coupling between an IP and a
> virtual host name.
> 
> Pre-SNI, there was a logical reason to associate a certificate with a
> connector. The fact that you could only have one certificate on one IP,
> made the one-to-one correlation obvious. Now, with SNI, you can have
> many SSL Certificates with one IP. However, Tomcat's continuation of
> associating the SSL Certificate with the Connector, rather than the
> virtual host it's associated with is cumbersome because now when I
> configure a virtual host with an SSL certificate, I not only have to
> configure the host, but also the connector. As a database person, I try
> to follow the rule that the attributes should follow the entity. In this
> case, the attributes (SSLHostConfig) are facts about the virtual host,
> and not about the Connector (entity).
> 
> I'd like to see the Connector iterate over the virtual hosts and pick up
> the SSLHostConfig from there. Perhaps the SSLHostConfig should have an
> optional attribute "ConnectorName" to identify which Connector (assuming
> there are multiple) the SSLHostConfig should bind to for the case of
> multi-homed machines. The "ConnectorName" attribute would be used in
> multi-homed hosts to specify which (of several) connectors the
> SSLHostConfig should bind to.

The relationship between virtual host, SSLHostConfig and Connector is a
complex one. Various options were considered when implementing SNI.

The solution you propose assumes that there is a 1-2-1 mapping between
virtual host and SSLHostConfig. That is not always the case. The use of
wildcard certificates and Subject Alternative Names (SAN) so a
certificate can be used with multiple virtual hosts means that the
mapping can be complex.

The complex mapping, combined with a requirement to provide a smooth
migration path for existing uses led to the current solution.

(Note that we don't currently support multiple aliases for a
SSLHostConfig - that is something that should be fairly easy to add if
required.)

Tweaks to the existing implementation to simplify some use cases are
always possible and - assuming no impact on existing users - likely to
be accepted. The more significant the change, the greater the impact to
existing users and the less likely the change is to be accepted.

> Since I'm on wish lists, I wish that the Host XML snippet could be
> specified via a file in $CATALINA_BASE/conf/EngineName/Virtual.Host.Name
> via a magic name like _HOST.xml, or the like. I run anywhere from
> 600-2000 virtual hosts on a machine, and my current "work-around" is to
> use the inclusion hack to bring in an external file with the defined
> virtual hosts.

Each virtual host with its own set of web applications?

Automatic inclusion of hosts sounds doable but needs thinking through. I
don't see any immediate gotchas but it is similar to automatic context
deployment and there are a huge number of edge cases in that use case
once you start thinking about it. Automatic inclusion at start-up but no
automatic deployment while running would be a lot simpler to implement.

Mark




Re: SSL connectors

2017-12-05 Thread George S.



On 12/1/2017 8:44 AM, Mark Thomas wrote:

> On 01/12/17 14:57, Chris Cheshire wrote:
>> I see in the changelog for 8.5.24
>>
>> 60762: Add the ability to make changes to the TLS configuration of a
>> connector at runtime without having to restart the Connector. (markt)


What strikes me as odd is that SSL Certificates are still coupled to 
connectors. It seems like certificates should be coupled to Hosts since 
that's what SNI does. SNI removes the coupling between an IP and a 
virtual host name.


Pre-SNI, there was a logical reason to associate a certificate with a 
connector. The fact that you could only have one certificate on one IP, 
made the one-to-one correlation obvious. Now, with SNI, you can have 
many SSL Certificates with one IP. However, Tomcat's continuation of 
associating the SSL Certificate with the Connector, rather than the 
virtual host it's associated with is cumbersome because now when I 
configure a virtual host with an SSL certificate, I not only have to 
configure the host, but also the connector. As a database person, I try 
to follow the rule that the attributes should follow the entity. In this 
case, the attributes (SSLHostConfig) are facts about the virtual host, 
and not about the Connector (entity).


I'd like to see the Connector iterate over the virtual hosts and pick up 
the SSLHostConfig from there. Perhaps the SSLHostConfig should have an 
optional attribute "ConnectorName" to identify which Connector (assuming 
there are multiple) the SSLHostConfig should bind to for the case of 
multi-homed machines. The "ConnectorName" attribute would be used in 
multi-homed hosts to specify which (of several) connectors the 
SSLHostConfig should bind to.


Since I'm on wish lists, I wish that the Host XML snippet could be 
specified via a file in $CATALINA_BASE/conf/EngineName/Virtual.Host.Name 
via a magic name like _HOST.xml, or the like. I run anywhere from 
600-2000 virtual hosts on a machine, and my current "work-around" is to 
use the inclusion hack to bring in an external file with the defined 
virtual hosts.




--
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com


Re: SSL connectors

2017-12-01 Thread Christopher Schultz

Mark,

On 12/1/17 10:44 AM, Mark Thomas wrote:
> On 01/12/17 14:57, Chris Cheshire wrote:
>> I see in the changelog for 8.5.24
>> 
>> 60762: Add the ability to make changes to the TLS configuration
>> of a connector at runtime without having to restart the
>> Connector. (markt)
>> 
>> Does this mean we can now update SSL certificates without
>> bouncing the connector?
> 
> Yes, via one of the following methods on the endpoint:
> 
> reloadSslHostConfig(String hostName)
> reloadSslHostConfigs()
> 
> If accessing this via JMX, they appear as operations on the
> ThreadPool objects.

I'll be very happy to update my "Let's Encrypt" presentation to
reflect the new situation :)

- -chris




Re: SSL connectors

2017-12-01 Thread Mark Thomas
On 01/12/17 14:57, Chris Cheshire wrote:
> I see in the changelog for 8.5.24
> 
> 60762: Add the ability to make changes to the TLS configuration of a
> connector at runtime without having to restart the Connector. (markt)
> 
> Does this mean we can now update SSL certificates without bouncing the
> connector?

Yes, via one of the following methods on the endpoint:

reloadSslHostConfig(String hostName)
reloadSslHostConfigs()

If accessing this via JMX, they appear as operations on the ThreadPool
objects.

Mark
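Mark's reloadSslHostConfigs() JMX operation and Chris's "opt-in file scanner" idea, as an added example that is not code from this thread or from Tomcat itself: a standalone Java watcher that connects to Tomcat's JMX listener and invokes the operation on the connector's ThreadPool MBean when the keystore file on disk is rewritten. The JMX URL and credentials, the tls.autoReload system property and the connector name https-jsse-nio-8443 are assumptions for this example.

```java
// Added example (not Tomcat's code, nor anyone's from this thread): an OPT-IN
// watcher that invokes reloadSslHostConfigs() on a connector's ThreadPool MBean
// whenever the keystore on disk is rewritten. URL, credentials, connector name assumed.
import java.nio.file.*;
import java.util.*;
import javax.management.*;
import javax.management.remote.*;

public class KeystoreReloadWatcher {
    private final Path keystore;
    private final JMXServiceURL jmxUrl;
    private final Map<String, Object> jmxEnv = new HashMap<>();
    private final ObjectName threadPool;

    KeystoreReloadWatcher(Path keystore, String url, String user, String pass,
                          String connector) throws Exception {
        this.keystore = keystore.toAbsolutePath();
        this.jmxUrl = new JMXServiceURL(url);
        // The JMX listener is assumed to require authentication.
        jmxEnv.put(JMXConnector.CREDENTIALS, new String[] { user, pass });
        // Tomcat registers each endpoint as Catalina:type=ThreadPool,name="<connector>".
        this.threadPool = new ObjectName("Catalina:type=ThreadPool,name=\"" + connector + "\"");
    }

    /** Calls the reloadSslHostConfigs() operation added in Tomcat 8.5.24. */
    void reload() throws Exception {
        try (JMXConnector c = JMXConnectorFactory.connect(jmxUrl, jmxEnv)) {
            MBeanServerConnection mbsc = c.getMBeanServerConnection();
            mbsc.invoke(threadPool, "reloadSslHostConfigs", new Object[0], new String[0]);
        }
    }

    /** Blocks on the keystore's directory; reloads when that one file changes. */
    void watch() throws Exception {
        Path dir = keystore.getParent();
        try (WatchService ws = FileSystems.getDefault().newWatchService()) {
            dir.register(ws, StandardWatchEventKinds.ENTRY_CREATE,
                    StandardWatchEventKinds.ENTRY_MODIFY);
            for (WatchKey key = ws.take(); key != null; key = ws.take()) {
                for (WatchEvent<?> ev : key.pollEvents()) {
                    // OVERFLOW carries no path; a rename-in-place shows up as CREATE
                    if (ev.kind() != StandardWatchEventKinds.OVERFLOW
                            && dir.resolve((Path) ev.context()).equals(keystore)) {
                        Thread.sleep(2000); // let the renewal tool finish writing
                        reload();
                    }
                }
                if (!key.reset()) {
                    break; // directory is gone or no longer watchable
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Opt-in: nothing is watched unless started with -Dtls.autoReload=true.
        if (!Boolean.getBoolean("tls.autoReload")) {
            System.err.println("tls.autoReload not set; not watching " + args[0]);
            return;
        }
        new KeystoreReloadWatcher(Paths.get(args[0]),
                "service:jmx:rmi:///jndi/rmi://localhost:9010/jmxrmi",
                args[1], args[2], "https-jsse-nio-8443").watch();
    }
}
```

Run it as `java -Dtls.autoReload=true KeystoreReloadWatcher /path/to/keystore.p12 jmxuser jmxpass`; if the rewritten keystore fails to load, Tomcat's reload throws and the previous TLS configuration stays in service.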




SSL connectors

2017-12-01 Thread Chris Cheshire
I see in the changelog for 8.5.24

60762: Add the ability to make changes to the TLS configuration of a
connector at runtime without having to restart the Connector. (markt)

Does this mean we can now update SSL certificates without bouncing the
connector?




Re: Is it possible to configure 2 SSL connectors on one Tomcat instance?

2011-03-11 Thread Nikko Nikko
Thanks for the detailed answers.
I should find another solution.

Nikko.





Re: Is it possible to configure 2 SSL connectors on one Tomcat instance?

2011-03-11 Thread Christopher Schultz

Nikko,

On 3/9/2011 2:26 AM, Nikko Nikko wrote:
> Thanks for the answers!  I have one IP and wildcard certificate which
> I signed using local CA. I want to have different trust stores for
> client certificate authorization. It is a small PoC/demo and I do not
> have 2 IP-s.

If it's a demo on a single PC, why not just create a second IP address
and use that?

- -chris




Re: Is it possible to configure 2 SSL connectors on one Tomcat instance?

2011-03-09 Thread Ognjen Blagojevic

Nikko,

On 9.3.2011 8:26, Nikko Nikko wrote:
> Thanks for the answers!  I have one IP and wildcard certificate which I
> signed using local CA. I want to have different trust stores for client
> certificate authorization. It is a small PoC/demo and I do not have 2 IP-s.
>
> The example above is using 2 IP-s and I did not get how to create
> configuration with same IP and port but different virtual hosts.
> Do you have example or just a hint how to configure it ?


Then, I believe that the only solution is to use 2 different ports on 
same IP.


Truststore is bound to Connector, and Connector is bound to IP + port
combination. So, if you must have separate trust stores, then you must
have separate Connectors, and therefore you must use 2 IP addresses or
2 different ports (or both).


-Ognjen




Is it possible to configure 2 SSL connectors on one Tomcat instance?

2011-03-08 Thread Nikko Nikko
Hi,

Is it possible to define 2 SSL connectors for 2 different virtual
domains? For example I want to define 2 virtual hosts: "host1.myhost.com"
and "host2.myhost.com" and want to have different trust store for each of
them. I want to run them in one and the same Tomcat instance.

Best regards,

Nikko.


Re: Is it possible to configure 2 SSL connectors on one Tomcat instance?

2011-03-08 Thread Borut Hadžialić
Hi Nikko,

I assume that you really want 2 connectors with 2 different key stores,
not 2 different trust stores.

If you have 2 ip addresses then it's easy - define 2 connectors and use
their address attribute to assign each connector one ip address.

If you have only 1 ip address then you might have a problem. The
problem with name based virtual hosts under https/ssl is that ssl
handshake (which involves server sending a certificate for some
domain) happens after tcp/ip connection is established - before the
HOST part of the http request can be read. So if you would have 2
different https virtual domains on same ip:port, the server wouldn't
know which certificate to send just after a tcp/ip connection was
established, because it must decide what certificate to send based on
information which is inside the HTTP request, which can be read only
after establishing a ssl connection. This is a general problem, not
just Tomcat specific.

Maybe if your domains are really similar to host1.myhost.com and
host2.myhost.com you could use a wildcard certificate (*.myhost.com)
or if you are using a self-signed certificate and want just https
encryption and not server verification - then you could use 1 Tomcat
connector.

And btw if you are defining a https connector in tomcat you are using
a key store - a trust store is used when you verify client
certificates when you set clientAuth=true which is rare.






-- 
Why?
Because YES!




Re: Is it possible to configure 2 SSL connectors on one Tomcat instance?

2011-03-08 Thread Ognjen Blagojevic

On 8.3.2011 13:57, Nikko Nikko wrote:
> Is it possible to define 2 SSL connectors for 2 different virtual
> domains? For example I want to define 2 virtual hosts: "host1.myhost.com"
> and "host2.myhost.com" and want to have different trust store for each of
> them. I want to run them in one and the same Tomcat instance.


Yes, see (almost complete) example here:

  http://www.mail-archive.com/users@tomcat.apache.org/msg61073.html

You just need to add Alias elements with the IPs inside Host elements.

-Ognjen




AW: Is it possible to configure 2 SSL connectors on one Tomcat instance?

2011-03-08 Thread Steffen Heil
Hi

> If you have only 1 ip address then you might have a problem. The problem
> with name based virtual hosts under https/ssl is that ssl handshake (which
> involves server sending a certificate for some
> domain) happens after tcp/ip connection is established - before the HOST
> part of the http request can be read. So if you would have 2 different https
> virtual domains on same ip:port, the server wouldn't know which certificate
> to send just after a tcp/ip connection was established, because it must
> decide what certificate to send based on information which is inside the HTTP
> request, which can be read only after establishing a ssl connection. This is a
> general problem, not just Tomcat specific.

While this is true for the outdated SSL, it is not true for current TLS.
There is a TLS extension around (since 2003) that allows multiple certificates
on one ip.
That's 8 years by now! (rfc3546, §3.1)

Some https servers support it. Sadly java / tomcat don't.

And that IS a tomcat problem. Yet not a bug, but a missing feature.

Regards,
  Steffen





Re: Is it possible to configure 2 SSL connectors on one Tomcat instance?

2011-03-08 Thread Ognjen Blagojevic

On 8.3.2011 14:51, Borut Hadžialić wrote:
> Maybe if your domains are really similar to host1.myhost.com and
> host2.myhost.com you could use a wildcard certificate (*.myhost.com)
> or if you are using a self-signed certificate and want just https
> encryption and not server verification - then you could use 1 Tomcat
> connector.


Other than wildcard certificates one might also use SAN or SNI if there 
is one IP address. They are both briefly explained here [1].


SAN is supported in Java 7 keytool (available as early access), and on 
most browsers.


I am not sure about server-side SNI, but it is not 100% supported on 
browsers [2]. Oddly, Wikipedia article states that Apache Tomcat 
supports SNI, but I cannot find any such reference in the docs.


-Ognjen

[1] http://redmine.lighttpd.net/wiki/1/Docs:SSL#SSL-on-multiple-domains
[2] http://en.wikipedia.org/wiki/Server_Name_Indication#Support




Re: Is it possible to configure 2 SSL connectors on one Tomcat instance?

2011-03-08 Thread Nikko Nikko
Hi,

Thanks for the answers!  I have one IP and wildcard certificate which I
signed using local CA. I want to have different trust stores for client
certificate authorization. It is a small PoC/demo and I do not have 2 IP-s.

The example above is using 2 IP-s and I did not get how to create
configuration with same Ip and port but different virtual hosts.
Do you have example or just a hint how to configure it ?

Regards,
  Nikko.
