Is APR/native Connector dramatically faster than Java Nio Blocking Connector or is it marginal?

I'd love faster SSL but all my keys and certs are java based (keytool). Will APR ever support Java SSL?

I find Java keytool to be reasonably easy to use. Is OpenSSL as easy to use?

Thanks for any input.


On Jun 10, 2011, at 3:59 PM, Christopher Schultz wrote:



On 6/10/2011 9:25 AM, Charles Van Damme wrote:
10-jun-2011 15:14:11 org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal
performance in production environments was not found on the
java.library.path: [...]

FWIW, that's just an INFO message, but if you are going to be using SSL, you might want to go ahead and install the APR library: your performance will improve measurably. Note that <Connector> configuration for an APR connector using SSL is completely different if you choose to go this route.

If you are not going to be using APR, you can disable the APR lifecycle
listener because you aren't using it.

java.security.NoSuchAlgorithmException: RSA SSLContext not available

As Pid points out, it's pretty obvious that "RSA" is not a valid
algorithm in this situation:

    at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:490)

So, it's an SSL configuration problem. Let's look at your SSL <Connector>:

    <!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 443 -->
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="C:/Documents and Settings/Papa/.keystore"
               clientAuth="false" sslProtocol="RSA" />

So, you have sslProtocol="RSA"... seems like a good place to look. If
you check the <Connector> documentation, you can see that there are only
a few recognized protocols you can choose.


Note that "protocol" refers to the protocol used for SSL, not for any
specific cipher, key exchange strategy, etc. Unfortunately, the Tomcat
documentation does not list all the available protocols, nor should it:
the protocols available to you are determined by JVM support.

The Javadoc for javax.net.ssl.SSLContext.getInstance has a pointer to
documentation for "standard names" (which takes you through several hops
to) here:
http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#SSLContext

Those are the valid ssl protocol names you can choose.

If you want to use only ciphers that use the RSA algorithm (which is really limiting, IMO), you can look up their names here (after scrolling a bit):

http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#jssenames

Just look for stuff like SSL_DH_DSS_blah_blah_blah.

Of course, support for a certain algorithm might not be available in
your environment. It's best to find out what your JVM supports and use that.

I wrote a short bit of code a while back to determine the supported
algorithms and the default cipher suite for an SSLSocketFactory. I'll
try to dig it up and post it.

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

If you aren't using AJP, then disable the extra connector.

Hoping you are not overwhelmed. Anything else?

You had other errors in the log file. After you get SSL working
properly, stop Tomcat, delete all your logs and re-launch it. Anything
that looks like an error should be investigated and fixed.

Feel free to come back to the list for help on those additional issues:
just remember to start a new thread if you do.

-chris


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Patrick Flaherty                
Rampage Systems Inc.            
411 Waverley Oaks Rd.           
Suite 138
Waltham, MA. 02452-8405
781-891-9400 x239       
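
Added example, not part of the thread and not the code Christopher mentions: one way to ask the running JVM which names SSLContext.getInstance() accepts (the call that fails in the quoted stack trace) and which cipher suites its default SSLSocketFactory offers. It uses only standard JDK APIs; the class name ListSslSupport and its helper method names are made up for this sketch.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

public class ListSslSupport {   // hypothetical class name
    /** SSLContext names registered by the security providers installed in this JVM. */
    static Set<String> sslContextNames() {
        Set<String> names = new TreeSet<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SSLContext".equals(s.getType())) {
                    names.add(s.getAlgorithm());
                }
            }
        }
        return names;
    }

    /** True if SSLContext.getInstance(name) succeeds, i.e. the name is usable as sslProtocol. */
    static boolean isValidSslProtocol(String name) {
        try {
            SSLContext.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;   // same exception as "RSA SSLContext not available"
        }
    }

    public static void main(String[] args) {
        System.out.println("SSLContext names: " + sslContextNames());
        for (String candidate : new String[] {"RSA", "TLS"}) {
            System.out.println("sslProtocol=\"" + candidate + "\" usable: "
                    + isValidSslProtocol(candidate));
        }
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        System.out.println("Default cipher suites:");
        for (String c : f.getDefaultCipherSuites()) System.out.println("  " + c);
        // Suites the JVM implements but leaves disabled unless explicitly enabled.
        Set<String> extra = new TreeSet<>(Arrays.asList(f.getSupportedCipherSuites()));
        extra.removeAll(Arrays.asList(f.getDefaultCipherSuites()));
        System.out.println("Supported but not enabled by default:");
        for (String c : extra) System.out.println("  " + c);
    }
}
```

Run it with the same JVM that launches Tomcat, since the provider list and the cipher suites differ between JVM versions and vendors.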
