Jon, I extracted a part of my test-server.xml. This for the JSSE Implementation.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" allowTrace="false" maxThreads="150" SSLEnabled="true" compression="off" scheme="https" server="Apache Tomcat" secure="true" defaultSSLHostConfigName="name1.mydomain.com" > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" /> <SSLHostConfig hostName="name2.mydomain.com" honorCipherOrder="true" protocols="TLSv1.2+TLSv1.3" ciphers="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"> <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/name2.p12" certificateKeystorePassword="changeit" certificateKeyAlias="name2" type="RSA" /> </SSLHostConfig> <SSLHostConfig hostName="name1.mydomain.com" honorCipherOrder="true" protocols="TLSv1.2+TLSv1.3" ciphers="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"> <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/name1_ecc.p12" certificateKeystorePassword="changeit" certificateKeyAlias="name1_ecc" type="EC" /> <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/name1_rsa.p12" certificateKeystorePassword="changeit" certificateKeyAlias="name1" type="RSA" /> </SSLHostConfig> </Connector> If you have separate crt and key files in pem-format the Certificate-section looks like this: <Certificate certificateKeyFile="${catalina.base}/conf/ssl/name2.key" certificateFile="${catalina.base}/conf/ssl/name2.crt" certificateChainFile="${catalina.base}/conf/ssl/chain.pem" type="RSA" /> We could start from there - I have no "old style" config to match against. Peter > Am 11.08.2022 um 23:10 schrieb jonmcalexan...@wellsfargo.com.invalid > <jonmcalexan...@wellsfargo.com.INVALID>: > > Peter, > > Yes, that WOULD be a good thing. That and some examples of implementing the > new COOL stuff like configure TLS virtual hosting with SNI, would be very > helpful. > > > > Dream * Excel * Explore * Inspire > Jon McAlexander > Senior Infrastructure Engineer > Asst. Vice President > He/His > > Middleware Product Engineering > Enterprise CIO | EAS | Middleware | Infrastructure Solutions > > 8080 Cobblestone Rd | Urbandale, IA 50322 > MAC: F4469-010 > Tel 515-988-2508 | Cell 515-988-2508 > > jonmcalexan...@wellsfargo.com > This message may contain confidential and/or privileged information. If you > are not the addressee or authorized to receive this for the addressee, you > must not use, copy, disclose, or take any action based on this message or any > information herein. If you have received this message in error, please advise > the sender immediately by reply e-mail and delete this message. Thank you for > your cooperation. > > >> -----Original Message----- >> From: Peter Kreuser <l...@kreuser.name> >> Sent: Thursday, August 11, 2022 4:00 PM >> To: Tomcat Users List <users@tomcat.apache.org> >> Subject: Re: Simple SSL question >> >> >> Jon and Chris, >> >> >>> Am 11.08.2022 um 19:33 schrieb Christopher Schultz >> <ch...@christopherschultz.net>: >>> >>> Jon, >>> >>>> On 8/11/22 12:53, jonmcalexan...@wellsfargo.com.INVALID wrote: >>>> I was just wondering if there was a vanity name for the "new" structure is >> all, to differentiate in documentation. >>> >>> *shrug* >>> >>> "New"? >>> >>> That kind of loses its lustre after a while. Today, that's just "the way >>> you do >> it". So the "new" way is The Way and the old way is ... the Old Way. >>> >>> Use SSLHostConfig. I'm sure you'll sleep better at night after you've >> switched. >>> >>> -chris >>> >>>>> -----Original Message----- >>>>> From: Christopher Schultz <ch...@christopherschultz.net> >>>>> Sent: Thursday, August 11, 2022 11:29 AM >>>>> To: users@tomcat.apache.org >>>>> Subject: Re: Simple SSL question >>>>> >>>>> Jon, >>>>> >>>>> On 8/11/22 11:22, jonmcalexan...@wellsfargo.com.INVALID wrote: >>>>>> Is there a "name" for the new connector style? The old is known as >>>>>> the Coyote Connector. >>>>> Coyote is just the name of the connector itself, for whatever reason. >>>>> Both the new and old-style configuration is using the same connector >>>>> underneath. When you configure everything on the <Connector>, >> Tomcat >>>>> still creates an SSLHostConfig object under the covers and fills it >>>>> with that same data. >>>>> >>>>> Why should you bother migrating? Two reasons: >>>>> >>>>> 1. The new configuration is easier to read IMO. It separates the TLS >>>>> host/key/certificate and all that associated stuff from the more >>>>> basic socket- type stuff for the <Connector> >>>>> >>>>> 2. It allows for more options such as proper name-based >>>>> virtual-hosting with TLS. It also allows multiple types of keys and >>>>> certificates to be used. For example, you can configure both RSA and EC >> certificates for a single host. >>>>> That's just not possible with the one-attribute-to-rule-them-all >>>>> configuration where everything is on the <Connector> element. >>>>> >> >> I have tried all the fancy new cert options and they are cool. >> >> And I do agree that it's more readable. >> >> What would be useful would be one sample how to transfer a simple "old" >> config to SSLHostConfig. >> That would take away the fear to get going. In another thread I said, that it >> may be a lot of work to migrate a lot of tomcat instances. But I guess most >> people would only need a single SSLHostConfig to add to their one >> connector... >> >> Peter >>>>> -chris >>>>> >>>>>>> -----Original Message----- >>>>>>> From: Mark Thomas <ma...@apache.org> >>>>>>> Sent: Wednesday, August 10, 2022 2:43 PM >>>>>>> To: users@tomcat.apache.org >>>>>>> Subject: Re: Simple SSL question >>>>>>> >>>>>>> On 10/08/2022 19:22, jonmcalexan...@wellsfargo.com.INVALID >> wrote: >>>>>>>> Ok, I'm asking a rather simple, stupid (in my opinion) question, >>>>>>>> but here >>>>>>> goes: >>>>>>>> >>>>>>>> What is the best practice form of connector for SSL. Is it the >>>>>>>> old-school >>>>>>> coyote connector or the connector with the <SSLHostConfig...> >> section? >>>>>>> >>>>>>> <SSLHostConfig...> >>>>>>> >>>>>>> The old style isn't supported in Tomcat 10.0.x onwards. >>>>>>> >>>>>>>> Are the two interchangeable, or does the SSLHostConfig one rely >>>>>>>> on >>>>>>> openssl and won't work without it? The documentation is confusing >>>>>>> me on a hump day afternoon. >>>>>>> >>>>>>> They are interchangeable. However, if you want to configure TLS >>>>>>> virtual hosting with SNI you'll need to use SSLHostConfig. >>>>>>> >>>>>>> Both approaches can be used with JSSE and OpenSSL based TLS >>>>>>> implementations. >>>>>>> >>>>>>> Mark >>>>>>> >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> Thanks, >>>>>>>> >>>>>>>> Dream * Excel * Explore * Inspire Jon McAlexander Senior >>>>>>>> Infrastructure Engineer Asst. Vice President He/His >>>>>>>> >>>>>>>> Middleware Product Engineering >>>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions >>>>>>>> >>>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322 >>>>>>>> MAC: F4469-010 >>>>>>>> Tel 515-988-2508 | Cell 515-988-2508 >>>>>>>> >>>>>>>> >>>>>>> >>>>> >> jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo.com> >>>>>>>> This message may contain confidential and/or privileged >> information. >>>>>>>> If you >>>>>>> are not the addressee or authorized to receive this for the >>>>>>> addressee, you must not use, copy, disclose, or take any action >>>>>>> based on this message or any information herein. If you have >>>>>>> received this message in error, please advise the sender >>>>>>> immediately by reply e-mail and delete this message. Thank you for >> your cooperation. >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> ------------------------------------------------------------------ >>>>>>> --- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org >>>>>> >>>>>> >>>>>> ------------------------------------------------------------------- >>>>>> -- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org >>>>>> >>>>> >>>>> -------------------------------------------------------------------- >>>>> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>>>> For additional commands, e-mail: users-h...@tomcat.apache.org >>>> --------------------------------------------------------------------- >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org