Ivano,
On 1/19/22 10:58, Ivano Luberti wrote:
Mark, Christopher
On 19/01/2022 15:31, Christopher Schultz wrote:
Mark,
On 1/19/22 05:00, Mark Thomas wrote:
On 18/01/2022 23:16, Christopher Schultz wrote:
All,
There are a bunch of parameters in SSLHostConfig which are
documented[1] to be "OpenSSL Only" and "JSSE only". I thought we
made it so either configuration could be used with either underlying
crypto engine. Is that not true? Or is it only true if you are using
JSSE with OpenSSL as the JSSE-provider??
You can configure TLS using JSSE style configuration or OpenSSL style
configuration. That configuration style choice is independent of
implementation.
So you can have any of:
- JSSE style config with NIO(2)+JSSE
- JSSE style config with NIO(2)+OpenSSL
- JSSE style config with APR/Native
- OpenSSL style config with NIO(2)+JSSE
- OpenSSL style config with NIO(2)+OpenSSL
- OpenSSL style config with APR/Native
What you can't do is mix JSSE configuration with OpenSSL
configuration. You have to pick a single configuration style.
To slightly complicate things, some configuration settings work with
JSSE or OpenSSL. What that means is that if you use a "JSSE only" setting
then you can't also use an "OpenSSL only" setting (and vice versa).
Thanks.
How can we adjust the documentation to make it clear that you can
choose either style of configuration, but that you have to be consistent?
Maybe two separate sections of the documentation with an introduction
saying "there are two styles of config: pick one" and then remove the
"JSSE Only" or "OpenSSL Only" notes on each?
-chris
I was greatly misled by that documentation when I had to study and apply
it, so I agree it should be modified.
But it would make even more sense to me, if it is only a matter of style,
that one of the two styles is removed: we are talking about
configuration, not poetry: I cannot see any usefulness in having more
than one way to express the same configuration.
We can't remove configuration elements from a release in the way you
describe. Perhaps in 10.1 as it's still in alpha-phase.
All of this evolved to the present over a long period of time, and it
used to be that only one set of configuration options would work for
either APR+OpenSSL or BIO/NIO+JSSE. That's now changed and we are more
flexible but there are a few things that would require some care to remove:
certificateFile/certificateKeyFile/etc vs certificateKeystore/etc
There are things in a keystore that don't make sense for the other type
of configuration. Like "alias". PEM files don't have aliases.
But we have to take care to merge / remove things in a way that makes
the most sense. For example, would it be okay to use a Java keystore
(e.g. PKCS12 file) for the certificateFile and/or certificateKeyFile?
We'd have to put extra logic in Tomcat to determine what type of file
you are trying to open.
I'm just saying it's not 100% clear what to do in all cases.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
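The rule Mark states above (pick the JSSE style or the OpenSSL style, never mix "JSSE only" and "OpenSSL only" settings within one SSLHostConfig) is easy to check mechanically before restarting Tomcat. The following is an added example written for this thread, not Tomcat code and not anything from the list posts: it parses a server.xml, collects the attributes of each SSLHostConfig and its Certificate children, and reports which style each one uses. The JSSE-only / OpenSSL-only attribute sets are this example's own reading of the SSLHostConfig and Certificate documentation and are not exhaustive; treat them as an assumption and extend them from the docs for your Tomcat version. The sample server.xml is constructed for the example and shows a valid JSSE-style host, a valid OpenSSL-style host, and a mixed host that Tomcat would reject.

```python
"""Detect mixed JSSE/OpenSSL TLS configuration styles in a Tomcat server.xml.

Added example for the thread above; not part of Tomcat.  The attribute
classification below is an assumption based on the SSLHostConfig /
Certificate documentation ("JSSE only" vs "OpenSSL only") and is not
the complete list.
"""
import xml.etree.ElementTree as ET

# Attributes documented as "JSSE only": keystore / truststore oriented.
JSSE_ONLY = frozenset({
    "certificateKeystoreFile", "certificateKeystorePassword",
    "certificateKeystoreType", "certificateKeystoreProvider",
    "certificateKeyAlias", "truststoreFile", "truststorePassword",
    "truststoreType", "truststoreProvider", "sslProtocol",
    "keyManagerAlgorithm", "trustManagerClassName", "revocationEnabled",
})

# Attributes documented as "OpenSSL only": PEM file oriented (no alias).
OPENSSL_ONLY = frozenset({
    "certificateFile", "certificateKeyFile", "certificateChainFile",
    "certificateKeyPassword", "certificateKeyPasswordFile",
    "caCertificateFile", "caCertificatePath",
    "certificateRevocationListPath", "disableCompression",
    "disableSessionTickets", "insecureRenegotiation",
})

# Constructed sample server.xml: one host per configuration style plus
# one that mixes a PEM certificate with a JSSE-style truststore.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig hostName="jsse.example" protocols="TLSv1.2+TLSv1.3"
                     truststoreFile="conf/truststore.p12"
                     truststorePassword="changeit">
        <Certificate certificateKeystoreFile="conf/keystore.p12"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="tomcat" type="RSA"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="openssl.example" protocols="TLSv1.2+TLSv1.3"
                     caCertificateFile="conf/ca-bundle.pem">
        <Certificate certificateFile="conf/server-cert.pem"
                     certificateKeyFile="conf/server-key.pem"
                     certificateChainFile="conf/chain.pem" type="RSA"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="mixed.example"
                     truststoreFile="conf/truststore.p12">
        <Certificate certificateFile="conf/server-cert.pem"
                     certificateKeyFile="conf/server-key.pem"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def check_ssl_host_config(server_xml: str) -> list:
    """Return one record per SSLHostConfig with its detected style.

    style is "jsse", "openssl", "neutral" (only attributes valid for both,
    e.g. protocols/ciphers), or "mixed" (both exclusive kinds present).
    Attributes of nested Certificate elements count towards the host.
    """
    root = ET.fromstring(server_xml)
    results = []
    for shc in root.iter("SSLHostConfig"):
        attrs = set(shc.attrib)
        for cert in shc.findall("Certificate"):
            attrs |= set(cert.attrib)
        jsse = sorted(attrs & JSSE_ONLY)
        openssl = sorted(attrs & OPENSSL_ONLY)
        if jsse and openssl:
            style = "mixed"
        elif jsse:
            style = "jsse"
        elif openssl:
            style = "openssl"
        else:
            style = "neutral"
        results.append({
            # Tomcat uses _default_ when hostName is omitted.
            "hostName": shc.get("hostName", "_default_"),
            "style": style,
            "jsse": jsse,
            "openssl": openssl,
        })
    return results


def mixed_hosts(server_xml: str) -> list:
    """Names of SSLHostConfig elements that mix both styles (should be empty)."""
    return [r["hostName"] for r in check_ssl_host_config(server_xml)
            if r["style"] == "mixed"]


if __name__ == "__main__":
    for r in check_ssl_host_config(SAMPLE_SERVER_XML):
        print(f'{r["hostName"]:16} {r["style"]:8} '
              f'jsse={r["jsse"]} openssl={r["openssl"]}')
```

Run it against a real server.xml with `check_ssl_host_config(open("conf/server.xml").read())`; any host reported as "mixed" is the situation the thread describes, where one of the two exclusive groups of settings will be silently ignored or rejected depending on the engine, so fix it before relying on the TLS settings you think you configured.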