Re: Tomcat 8.5 and TLS

2016-04-07 Thread Coty Sutherland 
I'm glad I was able to help, Thad. Good luck! Let me know if you have any
other questions regarding the connectors (or anything else, in a separate
thread please).

On Wed, Apr 6, 2016 at 3:58 PM, Thad Humphries 
wrote:

> On Wed, Apr 6, 2016 at 12:17 PM, Coty Sutherland 
> wrote:
>
> > Hi Thad,
> >
> > Hopefully I can help clear up some confusion here. I'd also suggest
> > watching the 8.5 connector video that markt presented here
> >  for more information on
> the
> > connector changes introduced by 8.5. I found the bits on the SSL change
> > particularly informative as it was my first exposure to how tomcat9
> handles
> > TLS, if you're interested in moving to the way that tomcat 9 handles SSL
> > with the upgrade to 8.5. Otherwise, you can use the same Connector tags
> > that you had before without change (I think).
> >
> > In any case, I'll reply to your last inquiries in line below. I'm using
> > Tomcat 8.5.0.Beta and OpenJDK 8.
> >
> > > Are you saying that to make the second  work I must remove
> > either clientAuth or sslProtocol? (No, I must be mistaken--remove
> either/or
> > and Tomcat still fails to start).
> >
> > Yes; you should remove _both_ of them and move that configuration into
> the
> > SSLHostConfig. You can find the replacements for them in the docs for
> > clientAuth and sslProtocol here
> > <
> >
> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
> > >;
> > I've tested this and it works for me. I believe that the reason behind
> this
> > (although I am no expert) is that tomcat is taking the old Connector
> > configuration that you have in place and creating a default SSLHostConfig
> > behind the scenes; this action causes a conflict with your defined
> > SSLHostConfig hence the exception about the multiple non-unique host
> names
> > and such.
> >
> > > "BTW sslProtocol is really useless." does make sense. If so, I think
> I'm
> > hearing
> > that I should not use the sslProtocol="TLS" attribute or the
> >  element. Is that right?
> >
> > You don't need the sslProtocol attribute because you're just setting the
> > default value for TLS. As far as the SSLHostConfig goes, I think that's
> up
> > to you. For now, tomcat will take your old Connector configuration and
> > translate it behind the scenes into what it needs to function. If you do
> > use the SSLHostConfig tag, then you'll need to move all of the attributes
> > from the Connector to the SSLHostConfig that belong there; this is
> > basically upgrading your connector from the tomcat 8.0 syntax to tomcat
> 9's
> > syntax.
> >
> > > This confuses me. The 8.5 server.xml uses  in its
> > commented examples while the 8.0 server.xml does not. And if SSL*
> > attributes are going away, why is  now the example?
> >
> > Tomcat 8.5 was forked from tomcat/trunk (tomcat9), which is where that
> > comes from. I think that the example was left there to encourage movement
> > to the tomcat 9 syntax because the older connector syntax will eventually
> > be removed. I do notice that the ssl-howto docs still refer to the
> tomcat8
> > syntax, so it doesn't seem like there is a unified message regarding
> which
> > one is the preferred method (they're both still correct and will work
> when
> > the hosts don't conflict).
> >
> > > And without SSL*, how do I specify the certificates in an APR connector
> > like this one (which is the first I got working):
> >
> > All of the SSL* attributes from the connector were migrated to the
> > SSLHostConfig and it's new tags.
> >
> > Let me know if any of my response was vague and I'll try and clarify.
> >
>
> Thank you, Coty. I think that answered my questions (the video was useful,
> too).
>
> So, for the record--and I hope I've labeled them correctly--I have gotten
> the configurations below to come up on Mac OSX 10.10.5 with Java 1.8.0_77.
> My OpenSSL is 1.0.2g 1 Mar 2016, and my Tomcat native library is 1.2.5,
> both installed with Homebrew.
>
>   
>protocol="org.apache.coyote.http11.Http11NioProtocol"
>  maxThreads="200" SSLEnabled="true" compression="on"
>  scheme="https" secure="true">
> 
> 
>   certificateKeystorePassword="changeit"
>certificateKeyAlias="tomcat"
>type="RSA" />
> 
>   
>
>   
>protocol="org.apache.coyote.http11.Http11NioProtocol"
>  maxThreads="200" SSLEnabled="true" compression="on"
>  scheme="https" secure="true">
> 
> 
>   certificateFile="conf/foo.pem"
>type="RSA" />
> 
>   
>
>   
>protocol="org.apache.coyote.http11.Http11AprProtocol"
>  maxThreads="200" SSLEnabled="true" compression="on"
>  scheme="https" secure="true">
> 
> 
>   certificateFile="conf/foo.pem"
>type="RSA"

Re: Tomcat 8.5 and TLS

2016-04-06 Thread Thad Humphries 
On Wed, Apr 6, 2016 at 12:17 PM, Coty Sutherland 
wrote:

> Hi Thad,
>
> Hopefully I can help clear up some confusion here. I'd also suggest
> watching the 8.5 connector video that markt presented here
>  for more information on the
> connector changes introduced by 8.5. I found the bits on the SSL change
> particularly informative as it was my first exposure to how tomcat9 handles
> TLS, if you're interested in moving to the way that tomcat 9 handles SSL
> with the upgrade to 8.5. Otherwise, you can use the same Connector tags
> that you had before without change (I think).
>
> In any case, I'll reply to your last inquiries in line below. I'm using
> Tomcat 8.5.0.Beta and OpenJDK 8.
>
> > Are you saying that to make the second  work I must remove
> either clientAuth or sslProtocol? (No, I must be mistaken--remove either/or
> and Tomcat still fails to start).
>
> Yes; you should remove _both_ of them and move that configuration into the
> SSLHostConfig. You can find the replacements for them in the docs for
> clientAuth and sslProtocol here
> <
> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
> >;
> I've tested this and it works for me. I believe that the reason behind this
> (although I am no expert) is that tomcat is taking the old Connector
> configuration that you have in place and creating a default SSLHostConfig
> behind the scenes; this action causes a conflict with your defined
> SSLHostConfig hence the exception about the multiple non-unique host names
> and such.
>
> > "BTW sslProtocol is really useless." does make sense. If so, I think I'm
> hearing
> that I should not use the sslProtocol="TLS" attribute or the
>  element. Is that right?
>
> You don't need the sslProtocol attribute because you're just setting the
> default value for TLS. As far as the SSLHostConfig goes, I think that's up
> to you. For now, tomcat will take your old Connector configuration and
> translate it behind the scenes into what it needs to function. If you do
> use the SSLHostConfig tag, then you'll need to move all of the attributes
> from the Connector to the SSLHostConfig that belong there; this is
> basically upgrading your connector from the tomcat 8.0 syntax to tomcat 9's
> syntax.
>
> > This confuses me. The 8.5 server.xml uses  in its
> commented examples while the 8.0 server.xml does not. And if SSL*
> attributes are going away, why is  now the example?
>
> Tomcat 8.5 was forked from tomcat/trunk (tomcat9), which is where that
> comes from. I think that the example was left there to encourage movement
> to the tomcat 9 syntax because the older connector syntax will eventually
> be removed. I do notice that the ssl-howto docs still refer to the tomcat8
> syntax, so it doesn't seem like there is a unified message regarding which
> one is the preferred method (they're both still correct and will work when
> the hosts don't conflict).
>
> > And without SSL*, how do I specify the certificates in an APR connector
> like this one (which is the first I got working):
>
> All of the SSL* attributes from the connector were migrated to the
> SSLHostConfig and it's new tags.
>
> Let me know if any of my response was vague and I'll try and clarify.
>

Thank you, Coty. I think that answered my questions (the video was useful,
too).

So, for the record--and I hope I've labeled them correctly--I have gotten
the configurations below to come up on Mac OSX 10.10.5 with Java 1.8.0_77.
My OpenSSL is 1.0.2g 1 Mar 2016, and my Tomcat native library is 1.2.5,
both installed with Homebrew.

  
  


  

  

  
  


  

  

  
  


  

  

Now to see if this breaks any of my apps. :)


>
> On Tue, Apr 5, 2016 at 4:57 PM, Thad Humphries 
> wrote:
>
> > On Tue, Apr 5, 2016 at 4:25 PM, Rémy Maucherat  wrote:
> >
> > > 2016-04-05 15:11 GMT-05:00 Thad Humphries :
> > >
> > > > My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS
> and
> > > > TLS.
> > > >
> > > > Since I eventually must demonstrate the various HTTPS approaches to
> > > others,
> > > > I have tried both the APR and the NIO implementation, as well as the
> > > > different  layouts in the docs (
> > > >
> > > >
> > >
> >
> http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
> > > > ),
> > > > and the $CATALINA_BASE/conf/server.xml comments.  I've gotten APR is
> > > > working both ways, but not quite NIO.
> > > >
> > > > When I use the following connector for NIO (from the docs), my SSL
> > works:
> > > >
> > > >  > > >protocol="org.apache.coyote.http11.Http11NioProtocol"
> > > >port="8443" maxThreads="200" compression="on"
> > > >scheme="https" secure="true" SSLEnabled="true"
> > > >keystoreFile="conf/foo.jks" keystorePass="changeit"
> > > >

Re: Tomcat 8.5 and TLS

2016-04-06 Thread Coty Sutherland 
Hi Thad,

Hopefully I can help clear up some confusion here. I'd also suggest
watching the 8.5 connector video that markt presented here
 for more information on the
connector changes introduced by 8.5. I found the bits on the SSL change
particularly informative as it was my first exposure to how tomcat9 handles
TLS, if you're interested in moving to the way that tomcat 9 handles SSL
with the upgrade to 8.5. Otherwise, you can use the same Connector tags
that you had before without change (I think).

In any case, I'll reply to your last inquiries in line below. I'm using
Tomcat 8.5.0.Beta and OpenJDK 8.

> Are you saying that to make the second  work I must remove
either clientAuth or sslProtocol? (No, I must be mistaken--remove either/or
and Tomcat still fails to start).

Yes; you should remove _both_ of them and move that configuration into the
SSLHostConfig. You can find the replacements for them in the docs for
clientAuth and sslProtocol here
;
I've tested this and it works for me. I believe that the reason behind this
(although I am no expert) is that tomcat is taking the old Connector
configuration that you have in place and creating a default SSLHostConfig
behind the scenes; this action causes a conflict with your defined
SSLHostConfig hence the exception about the multiple non-unique host names
and such.

> "BTW sslProtocol is really useless." does make sense. If so, I think I'm 
> hearing
that I should not use the sslProtocol="TLS" attribute or the
 element. Is that right?

You don't need the sslProtocol attribute because you're just setting the
default value for TLS. As far as the SSLHostConfig goes, I think that's up
to you. For now, tomcat will take your old Connector configuration and
translate it behind the scenes into what it needs to function. If you do
use the SSLHostConfig tag, then you'll need to move all of the attributes
from the Connector to the SSLHostConfig that belong there; this is
basically upgrading your connector from the tomcat 8.0 syntax to tomcat 9's
syntax.

> This confuses me. The 8.5 server.xml uses  in its
commented examples while the 8.0 server.xml does not. And if SSL*
attributes are going away, why is  now the example?

Tomcat 8.5 was forked from tomcat/trunk (tomcat9), which is where that
comes from. I think that the example was left there to encourage movement
to the tomcat 9 syntax because the older connector syntax will eventually
be removed. I do notice that the ssl-howto docs still refer to the tomcat8
syntax, so it doesn't seem like there is a unified message regarding which
one is the preferred method (they're both still correct and will work when
the hosts don't conflict).

> And without SSL*, how do I specify the certificates in an APR connector
like this one (which is the first I got working):

All of the SSL* attributes from the connector were migrated to the
SSLHostConfig and it's new tags.

Let me know if any of my response was vague and I'll try and clarify.

On Tue, Apr 5, 2016 at 4:57 PM, Thad Humphries 
wrote:

> On Tue, Apr 5, 2016 at 4:25 PM, Rémy Maucherat  wrote:
>
> > 2016-04-05 15:11 GMT-05:00 Thad Humphries :
> >
> > > My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS and
> > > TLS.
> > >
> > > Since I eventually must demonstrate the various HTTPS approaches to
> > others,
> > > I have tried both the APR and the NIO implementation, as well as the
> > > different  layouts in the docs (
> > >
> > >
> >
> http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
> > > ),
> > > and the $CATALINA_BASE/conf/server.xml comments.  I've gotten APR is
> > > working both ways, but not quite NIO.
> > >
> > > When I use the following connector for NIO (from the docs), my SSL
> works:
> > >
> > >  > >protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >port="8443" maxThreads="200" compression="on"
> > >scheme="https" secure="true" SSLEnabled="true"
> > >keystoreFile="conf/foo.jks" keystorePass="changeit"
> > >clientAuth="false" sslProtocol="TLS">
> > >className="org.apache.coyote.http2.Http2Protocol"
> > />
> > > 
> > >
> > > However when I try the approach in the server.xml comments, Tomcat does
> > not
> > > start:
> > >
> > >  > > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >maxThreads="200" SSLEnabled="true"
> > >scheme="https" secure="true" clientAuth="false"
> > >sslProtocol="TLS">
> > >className="org.apache.coyote.http2.Http2Protocol"
> > />
> > >   
> > >  > >  certificateKeystoreType="JKS"
> > >  certificateKeystorePassword="changeit"
> > >

Re: Tomcat 8.5 and TLS

2016-04-06 Thread Igor Cicimov 
On Wed, Apr 6, 2016 at 6:11 AM, Thad Humphries 
wrote:

> My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS and
> TLS.
>
> Since I eventually must demonstrate the various HTTPS approaches to others,
> I have tried both the APR and the NIO implementation, as well as the
> different  layouts in the docs (
>
> http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
> ),
> and the $CATALINA_BASE/conf/server.xml comments.  I've gotten APR is
> working both ways, but not quite NIO.
>
> When I use the following connector for NIO (from the docs), my SSL works:
>
> protocol="org.apache.coyote.http11.Http11NioProtocol"
>port="8443" maxThreads="200" compression="on"
>scheme="https" secure="true" SSLEnabled="true"
>keystoreFile="conf/foo.jks" keystorePass="changeit"
>clientAuth="false" sslProtocol="TLS">
>   
> 
>
> However when I try the approach in the server.xml comments, Tomcat does not
> start:
>
>  protocol="org.apache.coyote.http11.Http11NioProtocol"
>maxThreads="200" SSLEnabled="true"
>scheme="https" secure="true" clientAuth="false"
>sslProtocol="TLS">
>   
>   
>   certificateKeystoreType="JKS"
>  certificateKeystorePassword="changeit"
>  certificateKeyAlias="tomcat"
>  type="RSA" />
>   
> 
>
> The error at the top of catalina.out is below. I'm trying to understand
> why, both for myself and so that I can explain it to others. The "Caused
> by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements
> were provided for the host name [_default_]. Host names must be unique."
> has me stumped as I have only the one uncommented SSLHostConfig in
> server.xml.
>
> (Once I have this second  working, I must make a write-up for
> folks here, a write-up which I hope will be clearer and more direct than
> the docs. I would be happy to offer that write-up to the wiki or docs.)
>
> 05-Apr-2016 15:32:42.642 SEVERE [main]
> org.apache.tomcat.util.digester.Digester.endElement End event threw
> exception
>  java.lang.reflect.InvocationTargetException
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
>
> org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:377)
> at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
> at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:966)
> at
>
> com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
> at
>
> com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1783)
> at
>
> com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2970)
> at
>
> com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
> at
>
> com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
> at
>
> com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
> at
>
> com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
> at
>
> com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
> at
>
> com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
> at
>
> com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
> at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
>


> *Caused by: java.lang.*
>
> *IllegalArgumentException: Multiple SSLHostConfig elements were provided
> for the host name [_default_]. Host names must be unique.*
>



> at
>
> org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:201)
> at
>
> org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:398)
>

Re: Tomcat 8.5 and TLS

2016-04-05 Thread Thad Humphries 
On Tue, Apr 5, 2016 at 4:25 PM, Rémy Maucherat  wrote:

> 2016-04-05 15:11 GMT-05:00 Thad Humphries :
>
> > My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS and
> > TLS.
> >
> > Since I eventually must demonstrate the various HTTPS approaches to
> others,
> > I have tried both the APR and the NIO implementation, as well as the
> > different  layouts in the docs (
> >
> >
> http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
> > ),
> > and the $CATALINA_BASE/conf/server.xml comments.  I've gotten APR is
> > working both ways, but not quite NIO.
> >
> > When I use the following connector for NIO (from the docs), my SSL works:
> >
> >  >protocol="org.apache.coyote.http11.Http11NioProtocol"
> >port="8443" maxThreads="200" compression="on"
> >scheme="https" secure="true" SSLEnabled="true"
> >keystoreFile="conf/foo.jks" keystorePass="changeit"
> >clientAuth="false" sslProtocol="TLS">
> >/>
> > 
> >
> > However when I try the approach in the server.xml comments, Tomcat does
> not
> > start:
> >
> >  > protocol="org.apache.coyote.http11.Http11NioProtocol"
> >maxThreads="200" SSLEnabled="true"
> >scheme="https" secure="true" clientAuth="false"
> >sslProtocol="TLS">
> >/>
> >   
> >  >  certificateKeystoreType="JKS"
> >  certificateKeystorePassword="changeit"
> >  certificateKeyAlias="tomcat"
> >  type="RSA" />
> >   
> > 
> >
> > The error at the top of catalina.out is below. I'm trying to understand
> > why, both for myself and so that I can explain it to others. The "Caused
> > by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements
> > were provided for the host name [_default_]. Host names must be unique."
> > has me stumped as I have only the one uncommented SSLHostConfig in
> > server.xml.
> >
> > (Once I have this second  working, I must make a write-up for
> > folks here, a write-up which I hope will be clearer and more direct than
> > the docs. I would be happy to offer that write-up to the wiki or docs.)
> >
>
> You still have some attributes which should go into SSLHostConfig, so you
> have two SNI for the default host (clientAuth and sslProtocol). BTW
> sslProtocol is really useless.
>
> Rémy
>

I'm sorry, I'm not following you. Are you saying that to make the second
 work I must remove either clientAuth or sslProtocol? (No, I
must be mistaken--remove either/or and Tomcat still fails to start).

"BTW sslProtocol is really useless." does make sense. If so, I think I'm
hearing that I should not use the sslProtocol="TLS" attribute or the

element. Is that right?

The 8.5 docs say
"As of Tomcat 9, the majority of the SSL configuration attributes in the
Connector are deprecated. If specified, they will be used to configure a
SSLHostConfig and Certificate for the sslDefaultHost. Note that if an
explicit SSLHostConfig element also exists for the sslDefaultHost then that
will be treated as a configuration error. It is expected that Tomcat 10
will drop support for the SSL configuration attributes in the Connector."

This confuses me. The 8.5 server.xml uses  in its commented
examples while the 8.0 server.xml does not. And if SSL* attributes are
going away, why is  now the example? And without SSL*, how
do I specify the certificates in an APR connector like this one (which is
the first I got working):


  



>
> >
> > 05-Apr-2016 15:32:42.642 SEVERE [main]
> > org.apache.tomcat.util.digester.Digester.endElement End event threw
> > exception
> >  java.lang.reflect.InvocationTargetException
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at
> >
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at
> >
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:498)
> > at
> >
> >
> org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:377)
> > at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
> > at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:966)
> > at
> >
> >
> com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
> > at
> >
> >
> com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1783)
> > at
> >
> >
> com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2970)
> > at
> >
> >
> com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
> > at
> >
> >
>

Re: Tomcat 8.5 and TLS

2016-04-05 Thread Rémy Maucherat 
2016-04-05 15:11 GMT-05:00 Thad Humphries :

> My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS and
> TLS.
>
> Since I eventually must demonstrate the various HTTPS approaches to others,
> I have tried both the APR and the NIO implementation, as well as the
> different  layouts in the docs (
>
> http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
> ),
> and the $CATALINA_BASE/conf/server.xml comments.  I've gotten APR is
> working both ways, but not quite NIO.
>
> When I use the following connector for NIO (from the docs), my SSL works:
>
> protocol="org.apache.coyote.http11.Http11NioProtocol"
>port="8443" maxThreads="200" compression="on"
>scheme="https" secure="true" SSLEnabled="true"
>keystoreFile="conf/foo.jks" keystorePass="changeit"
>clientAuth="false" sslProtocol="TLS">
>   
> 
>
> However when I try the approach in the server.xml comments, Tomcat does not
> start:
>
>  protocol="org.apache.coyote.http11.Http11NioProtocol"
>maxThreads="200" SSLEnabled="true"
>scheme="https" secure="true" clientAuth="false"
>sslProtocol="TLS">
>   
>   
>   certificateKeystoreType="JKS"
>  certificateKeystorePassword="changeit"
>  certificateKeyAlias="tomcat"
>  type="RSA" />
>   
> 
>
> The error at the top of catalina.out is below. I'm trying to understand
> why, both for myself and so that I can explain it to others. The "Caused
> by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements
> were provided for the host name [_default_]. Host names must be unique."
> has me stumped as I have only the one uncommented SSLHostConfig in
> server.xml.
>
> (Once I have this second  working, I must make a write-up for
> folks here, a write-up which I hope will be clearer and more direct than
> the docs. I would be happy to offer that write-up to the wiki or docs.)
>

You still have some attributes which should go into SSLHostConfig, so you
have two SNI for the default host (clientAuth and sslProtocol). BTW
sslProtocol is really useless.

Rémy

>
> 05-Apr-2016 15:32:42.642 SEVERE [main]
> org.apache.tomcat.util.digester.Digester.endElement End event threw
> exception
>  java.lang.reflect.InvocationTargetException
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
>
> org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:377)
> at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
> at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:966)
> at
>
> com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
> at
>
> com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1783)
> at
>
> com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2970)
> at
>
> com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
> at
>
> com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
> at
>
> com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
> at
>
> com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
> at
>
> com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
> at
>
> com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
> at
>
> com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
> at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig
> elements were provided for the host name [_default_]. Host names must be
> unique.
> at
>
>

Tomcat 8.5 and TLS

2016-04-05 Thread Thad Humphries 
My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS and TLS.

Since I eventually must demonstrate the various HTTPS approaches to others,
I have tried both the APR and the NIO implementation, as well as the
different  layouts in the docs (
http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File),
and the $CATALINA_BASE/conf/server.xml comments.  I've gotten APR is
working both ways, but not quite NIO.

When I use the following connector for NIO (from the docs), my SSL works:


  


However when I try the approach in the server.xml comments, Tomcat does not
start:


  
  

  


The error at the top of catalina.out is below. I'm trying to understand
why, both for myself and so that I can explain it to others. The "Caused
by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements
were provided for the host name [_default_]. Host names must be unique."
has me stumped as I have only the one uncommented SSLHostConfig in
server.xml.

(Once I have this second  working, I must make a write-up for
folks here, a write-up which I hope will be clearer and more direct than
the docs. I would be happy to offer that write-up to the wiki or docs.)

05-Apr-2016 15:32:42.642 SEVERE [main]
org.apache.tomcat.util.digester.Digester.endElement End event threw
exception
 java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:377)
at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:966)
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1783)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2970)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
at
com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
at
com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig
elements were provided for the host name [_default_]. Host names must be
unique.
at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:201)
at
org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:398)
at
org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:876)
... 26 more


-- 
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 121-24)