Re: Question about TLS/SSL setup and SSLHostConfig or not
On 02.03.21 23:50, Peter Kreuser wrote:
> Alex,
>
>> On 02.03.2021 at 23:19, Alex wrote:
>>
>> Hi.
>>
>>> On 02.03.21 23:14, John Larsen wrote:
>>> I usually let the apache webserver or nginx handle the SSL while proxying
>>> to the tomcat.
>
> Unless you need some really fancy rewriting or caching, Tomcat is absolutely
> capable to handle this. Even static files are OK nowadays.
>
>>> To use tomcat's built in server you'll need to import the
>>> SSL certificate into the keystore via your jdk.
>
> That's not the case anymore. Tomcat 8.5.x perfectly speaks PEM-files and
> openssl config. (See below) Even dynamic reloading of SSL configs can be
> achieved with the jmxproxy.
>
>> Fully agree, but sometimes it is required that the HAProxy/nginx talk TLS to
>> the backend, in this case tomcat.
>>
>>> John Larsen
>>>
>>>> On Tue, Mar 2, 2021 at 3:06 PM Alex wrote:
>>>> Hi.
>>>>
>>>> I try to make a "good" tomcat config and read the docs.
>>>>
>>>> Now in the Connector doc there is the following statement.
>>>>
>>>> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
>>>> http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support
>>>>
>>>> Each secure connector must define at least one SSLHostConfig.
>>>>
>>>> But when I look into the SSL/TLS Configuration How-To, the snippet is
>>>> without SSLHostConfig. What's now the "best" way to set up TLS/SSL
>>>> with tomcat? I would prefer to put SSLHostConfig but I'm not sure if
>>>> it's the way the developers think TLS should be set up in tomcat?
>>>>
>>>> I use JSSE as implementation.
>>>>
>>>> http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
>>>> http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html
>>>>
>>>> ```
>>>> <Connector
>>>>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>     port="8443" maxThreads="200"
>>>>     scheme="https" secure="true" SSLEnabled="true"
>>>>     keystoreFile="${user.home}/.keystore" keystorePass="changeit"
>>>>     clientAuth="false" sslProtocol="TLS"/>
>>>> ```
>
> You should move this to SSLHostConfig.

Thank you for the clarification, I will do it.

> HTH
> Peter
>
>>>> What's your suggestion and opinion to configure the tomcat in a
>>>> proper way to use TLS also for the future versions.
>>>>
>>>> Regards
>>>> Alex

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Question about TLS/SSL setup and SSLHostConfig or not
Alex,

> On 02.03.2021 at 23:19, Alex wrote:
>
> Hi.
>
>> On 02.03.21 23:14, John Larsen wrote:
>> I usually let the apache webserver or nginx handle the SSL while proxying
>> to the tomcat.

Unless you need some really fancy rewriting or caching, Tomcat is absolutely
capable to handle this. Even static files are OK nowadays.

>> To use tomcat's built in server you'll need to import the
>> SSL certificate into the keystore via your jdk.

That's not the case anymore. Tomcat 8.5.x perfectly speaks PEM-files and
openssl config. (See below) Even dynamic reloading of SSL configs can be
achieved with the jmxproxy.

> Fully agree, but sometimes it is required that the HAProxy/nginx talk TLS to
> the backend, in this case tomcat.
>
>> John Larsen
>>
>>> On Tue, Mar 2, 2021 at 3:06 PM Alex wrote:
>>> Hi.
>>>
>>> I try to make a "good" tomcat config and read the docs.
>>>
>>> Now in the Connector doc there is the following statement.
>>>
>>> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
>>> http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support
>>>
>>> Each secure connector must define at least one SSLHostConfig.
>>>
>>> But when I look into the SSL/TLS Configuration How-To, the snippet is
>>> without SSLHostConfig. What's now the "best" way to set up TLS/SSL
>>> with tomcat? I would prefer to put SSLHostConfig but I'm not sure if
>>> it's the way the developers think TLS should be set up in tomcat?
>>>
>>> I use JSSE as implementation.
>>>
>>> http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
>>> http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html
>>>
>>> ```
>>> <Connector
>>>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>     port="8443" maxThreads="200"
>>>     scheme="https" secure="true" SSLEnabled="true"
>>>     keystoreFile="${user.home}/.keystore" keystorePass="changeit"
>>>     clientAuth="false" sslProtocol="TLS"/>
>>> ```

You should move this to SSLHostConfig.

HTH
Peter

>>> What's your suggestion and opinion to configure the tomcat in a
>>> proper way to use TLS also for the future versions.
>>>
>>> Regards
>>> Alex
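The how-to's connector rewritten in the SSLHostConfig form Peter recommends, as an added example that is not part of the thread and not taken from the Tomcat documentation. The PEM file names under conf/, the protocol list and the cipher string are my own choices; everything else maps one-to-one onto the attributes of the snippet Alex posted (keystoreFile/keystorePass become a Certificate element, clientAuth="false" becomes certificateVerification="none", sslProtocol="TLS" is the SSLHostConfig default and can be dropped).

```xml
<!-- Added example (not from the thread or the Tomcat docs): the JSSE connector
     from the SSL How-To in explicit SSLHostConfig form. Relative paths are
     resolved against $CATALINA_BASE; the file names are assumptions. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true">

    <!-- One SSLHostConfig per TLS virtual host. "_default_" is the one used
         when the client sends no SNI name or a name with no matching host. -->
    <SSLHostConfig hostName="_default_"
                   protocols="TLSv1.2,TLSv1.3"
                   ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"
                   honorCipherOrder="true"
                   certificateVerification="none">

        <!-- PEM files instead of a JKS keystore: no keystorePass in server.xml,
             protect server.key with file permissions (readable by the Tomcat
             user only) instead. -->
        <Certificate certificateFile="conf/server.crt"
                     certificateKeyFile="conf/server.key"
                     certificateChainFile="conf/chain.pem"
                     type="RSA" />

        <!-- Equivalent if you keep the keystore from the How-To (only one
             Certificate per key type is allowed, so this replaces the above):
             <Certificate certificateKeystoreFile="${user.home}/.keystore"
                          certificateKeystorePassword="changeit"
                          type="RSA" />
             "changeit" is the JDK default password; change it. -->
    </SSLHostConfig>
</Connector>
```

Tomcat 8.5 and 9 still accept the old connector attributes and translate them into an implicit SSLHostConfig, so the How-To snippet keeps working, but the explicit form is the only one in which you can declare several TLS virtual hosts (SNI) or an RSA and an EC certificate side by side. The cipher string uses OpenSSL syntax, which Tomcat maps onto JSSE suite names; !kRSA removes the non-forward-secret RSA key exchange suites. TLSv1.3 with JSSE needs a Java 11 or later runtime. After editing server.xml, either restart or, if the manager application is deployed, invoke reloadSslHostConfigs on the connector's Catalina:type=ProtocolHandler,port=8443 MBean through the jmxproxy (the mechanism Peter refers to; the exact object name depends on whether the connector sets an address attribute). To check the result, openssl s_client -connect host:8443 -tls1_1 must fail the handshake while -tls1_2 succeeds and the negotiated cipher is an ECDHE suite.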
Re: Question about TLS/SSL setup and SSLHostConfig or not
Hi.

On 02.03.21 23:14, John Larsen wrote:
> I usually let the apache webserver or nginx handle the SSL while proxying
> to the tomcat. To use tomcat's built in server you'll need to import the
> SSL certificate into the keystore via your jdk.

Fully agree, but sometimes it is required that the HAProxy/nginx talk TLS to
the backend, in this case tomcat.

> John Larsen
>
>> On Tue, Mar 2, 2021 at 3:06 PM Alex wrote:
>> Hi.
>>
>> I try to make a "good" tomcat config and read the docs.
>>
>> Now in the Connector doc there is the following statement.
>>
>> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
>> http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support
>>
>> Each secure connector must define at least one SSLHostConfig.
>>
>> But when I look into the SSL/TLS Configuration How-To, the snippet is
>> without SSLHostConfig. What's now the "best" way to set up TLS/SSL
>> with tomcat? I would prefer to put SSLHostConfig but I'm not sure if
>> it's the way the developers think TLS should be set up in tomcat?
>>
>> I use JSSE as implementation.
>>
>> http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
>> http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html
>>
>> ```
>> <Connector
>>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>>     port="8443" maxThreads="200"
>>     scheme="https" secure="true" SSLEnabled="true"
>>     keystoreFile="${user.home}/.keystore" keystorePass="changeit"
>>     clientAuth="false" sslProtocol="TLS"/>
>> ```
>>
>> What's your suggestion and opinion to configure the tomcat in a
>> proper way to use TLS also for the future versions.
>>
>> Regards
>> Alex
Re: Question about TLS/SSL setup and SSLHostConfig or not
I usually let the apache webserver or nginx handle the SSL while proxying
to the tomcat. To use tomcat's built in server you'll need to import the
SSL certificate into the keystore via your jdk.

John Larsen

> On Tue, Mar 2, 2021 at 3:06 PM Alex wrote:
> Hi.
>
> I try to make a "good" tomcat config and read the docs.
>
> Now in the Connector doc there is the following statement.
>
> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
> http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support
>
> Each secure connector must define at least one SSLHostConfig.
>
> But when I look into the SSL/TLS Configuration How-To, the snippet is
> without SSLHostConfig. What's now the "best" way to set up TLS/SSL
> with tomcat? I would prefer to put SSLHostConfig but I'm not sure if
> it's the way the developers think TLS should be set up in tomcat?
>
> I use JSSE as implementation.
>
> http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
> http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html
>
> ```
> <Connector
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     port="8443" maxThreads="200"
>     scheme="https" secure="true" SSLEnabled="true"
>     keystoreFile="${user.home}/.keystore" keystorePass="changeit"
>     clientAuth="false" sslProtocol="TLS"/>
> ```
>
> What's your suggestion and opinion to configure the tomcat in a
> proper way to use TLS also for the future versions.
>
> Regards
> Alex