Re: Simple SSL question

[Christopher Schultz]

Jon,

On 8/11/22 11:22, jonmcalexan...@wellsfargo.com.INVALID wrote:
Is there a "name" for the new connector style? The old is known as
the Coyote Connector.
Coyote is just the name of the connector itself, for whatever reason. 
Both the new and old-style configuration is using the same connector 
underneath. When you configure everything on the <Connector>, Tomcat 
still creates an SSLHostConfig object under the covers and fills it with 
that same data.

Why should you bother migrating? Two reasons:

1. The new configuration is easier to read IMO. It separates the TLS 
host/key/certificate and all that associated stuff from the more basic 
socket-type stuff for the <Connector>

2. It allows for more options such as proper name-based virtual-hosting 
with TLS. It also allows multiple types of keys and certificates to be 
used. For example, you can configure both RSA and EC certificates for a 
single host. That's just not possible with the 
one-attribute-to-rule-them-all configuration where everything is on the 
<Connector> element.

-chris

-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Wednesday, August 10, 2022 2:43 PM
To: users@tomcat.apache.org
Subject: Re: Simple SSL question

On 10/08/2022 19:22, jonmcalexan...@wellsfargo.com.INVALID wrote:
Ok, I'm asking a rather simple, stupid (in my opinion) question, but here
goes:

What is the best practice form of connector for SSL. Is it the old-school
coyote connector or the connector with the <SSLHostConfig...> section?

<SSLHostConfig...>

The old style isn't supported in Tomcat 10.0.x onwards.

Are the two interchangeable, or does the SSLHostConfig one rely on
openssl and won't work without it? The documentation is confusing me on a
hump day afternoon.

They are interchangeable. However, if you want to configure TLS virtual
hosting with SNI you'll need to use SSLHostConfig.

Both approaches can be used with JSSE and OpenSSL based TLS
implementations.

Mark




Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508


jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo.com>
This message may contain confidential and/or privileged information. If you
are not the addressee or authorized to receive this for the addressee, you
must not use, copy, disclose, or take any action based on this message or any
information herein. If you have received this message in error, please advise
the sender immediately by reply e-mail and delete this message. Thank you
for your cooperation.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org