On 21.08.2017 at 20:01, Mark Thomas wrote:
> On 19/08/17 22:44, Rainer Jung wrote:
>> Assume tcnative and OpenSSL are available.
>> When using the AprLifecycleListener with useOpenssl="true" (default) and
>> useAprConnector="false" (also default) with a Java NIO or NIO2 connector
>> and *not* setting the sslImplementationName one gets warnings for each
>> config item which is OpenSSL only.
>> Since with these (default) settings the connector uses OpenSSL the
>> warnings don't make sense.
>> The reason is that the config is checked very early, especially before
>> the AprLifecycleListener kicks in and sets the sslImplementationName to
>> OpenSSL.
> I can't reproduce this. Can you provide the configuration you are using?
>> I do not have a good idea how to fix this. It is not related to my
>> commits of today.
>> Example message:
>> WARNING [main] org.apache.tomcat.util.net.SSLHostConfig.setConfigType
>> The property [disableCompression] was set on the SSLHostConfig named
>> [_default_] and is for connectors of type [OPENSSL] but the
>> SSLHostConfig is being used with a connector of type [JSSE]
> That message might need more careful wording since it isn't the
> connector type, it is the configuration style.
> You can use either configuration style (JSSE or OpenSSL) with either
> implementation (JSSE or OpenSSL). However, you can't mix the two
> configuration styles within a single SSLHostConfig.
Sorry for not being more specific.
An example that works here:
- current trunk
- adjust server.xml as follows:
--- conf/server.xml 2017-08-21 22:05:12.706794000 +0200
+++ conf/server.xml 2017-08-21 22:10:27.472768000 +0200
@@ -85,14 +85,17 @@
the SSLImplementation selected. JSSE style configuration is
used below.
-->
<!--
+ -->
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
- <SSLHostConfig>
- <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
+ <SSLHostConfig disableCompression="true">
+ <Certificate
+
certificateFile="/path/to/test-ca/certs/localhost-rsa-cert.pem"
+
certificateKeyFile="/path/to/test-ca/keys/localhost-rsa-key.pem"
+
certificateChainFile="/path/to/test-ca/certs/localhost-rsa-chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
- -->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
This connector uses the APR/native implementation which
always uses
OpenSSL for TLS.
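Review bot: the three `+` lines carrying the certificateFile, certificateKeyFile and certificateChainFile attributes have been wrapped by the mail client, so the attribute text sits on unprefixed lines and the hunk will not apply with patch(1) as posted; anyone reproducing should re-join each bare `+` with the line that follows it and substitute real paths for the `/path/to/test-ca/...` placeholders. Apart from that the hunk matches the description: the `+ -->` / `- -->` pair uncomments the NIO connector, `protocol` stays Http11NioProtocol with no sslImplementationName attribute, the JKS `certificateKeystoreFile` line is replaced by the three PEM attributes, and `disableCompression="true"` on SSLHostConfig is the only OpenSSL-only property, so the resulting SSLHostConfig is in pure OpenSSL style.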
So activating the default 8443 connector, not setting sslImplementation,
removing the jks keystore and instead setting pem config (I used the
files from your pmc test-ca) and adding the disableCompression flag.
- now e.g. run bin/configtest.sh and you will get
...
Aug 21, 2017 10:12:20 PM org.apache.tomcat.util.net.SSLHostConfig
setConfigType
WARNING: The property [disableCompression] was set on the SSLHostConfig
named [_default_] and is for connectors of type [OPENSSL] but the
SSLHostConfig is being used with a connector of type [JSSE]
...
The message occurs with and without making tcnative/OpenSSL available.
AFAIK the reason is that at the time of config parsing the connector is
of type JSSE but after that the APRLifecycleListener sets the
sslImplementationName to the OpenSSL impl (if tcnative/OpenSSL are
available).
And the config style in that example looks to be pure OpenSSL, so IMHO
no reason for a warning. But maybe there are some built-in JSSE configs
involved...
Regards,
Rainer
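As an added example (not code from this thread or from Tomcat itself), the following Python script statically checks the SSLHostConfig elements of a server.xml for the situation Mark describes: attributes of both configuration styles (JSSE keystore style and OpenSSL style) inside one SSLHostConfig. It also reports whether the connector sets sslImplementationName explicitly, since without it the implementation is only decided when the AprLifecycleListener runs, which is the timing problem Rainer describes. The attribute-to-style table is an assumption made for the demo, limited to attributes the thread mentions plus a few well-known ones; the embedded server.xml is constructed, mirrors the reproducer above with the /path/to/test-ca paths kept as placeholders, and adds a second connector that deliberately mixes both styles.

```python
import xml.etree.ElementTree as ET

# Assumed style table for the demo (Tomcat's real mapping lives in the
# SSLHostConfig / SSLHostConfigCertificate setters).  Keystore attributes are
# the JSSE style, disableCompression is OpenSSL-only (the property in the
# warning above), and PEM certificate files work with either implementation.
JSSE_ONLY = {"certificateKeystoreFile", "certificateKeystorePassword",
             "certificateKeystoreType", "certificateKeyAlias",
             "truststoreFile", "truststorePassword"}
OPENSSL_ONLY = {"disableCompression", "disableSessionTickets",
                "caCertificateFile", "caCertificatePath"}
EITHER = {"certificateFile", "certificateKeyFile", "certificateChainFile",
          "certificateKeyPassword", "type", "hostName", "protocols", "ciphers"}

# Constructed server.xml: the pure OpenSSL-style reproducer from the thread
# (placeholder paths) plus a second connector that mixes both styles.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig disableCompression="true">
        <Certificate certificateFile="/path/to/test-ca/certs/localhost-rsa-cert.pem"
                     certificateKeyFile="/path/to/test-ca/keys/localhost-rsa-key.pem"
                     certificateChainFile="/path/to/test-ca/certs/localhost-rsa-chain.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
      <SSLHostConfig disableCompression="true">
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def style_of(attr):
    """Classify one SSLHostConfig/Certificate attribute by configuration style."""
    if attr in JSSE_ONLY:
        return "JSSE"
    if attr in OPENSSL_ONLY:
        return "OPENSSL"
    if attr in EITHER:
        return "EITHER"
    return "UNKNOWN"


def check_server_xml(xml_text):
    """Return one finding per SSLHostConfig of every SSL-enabled Connector.

    ElementTree drops XML comments, so a connector that is still commented
    out (as the stock 8443 connector is) is skipped, just as Tomcat skips it.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        impl = conn.get("sslImplementationName")  # None: picked later by the listener
        for shc in conn.findall("SSLHostConfig"):
            styles = {}
            for el in [shc] + shc.findall("Certificate"):
                for attr in el.attrib:
                    styles[attr] = style_of(attr)
            used = {s for s in styles.values() if s in ("JSSE", "OPENSSL")}
            findings.append({
                "port": conn.get("port"),
                "hostName": shc.get("hostName", "_default_"),
                "sslImplementationName": impl,
                "styles": sorted(used),
                "mixed": used == {"JSSE", "OPENSSL"},
                "unknown": sorted(a for a, s in styles.items() if s == "UNKNOWN"),
            })
    return findings


def report(findings):
    """Render findings as one line per SSLHostConfig, plus notes for unknown attributes."""
    lines = []
    for f in findings:
        status = "MIXED STYLES" if f["mixed"] else "ok"
        impl = f["sslImplementationName"] or "(unset: decided by AprLifecycleListener at start)"
        lines.append(f"port {f['port']} host [{f['hostName']}] styles={f['styles']} "
                     f"impl={impl} -> {status}")
        for attr in f["unknown"]:
            lines.append(f"  note: attribute [{attr}] is not in the demo style table")
    return lines


if __name__ == "__main__":
    print("\n".join(report(check_server_xml(SAMPLE_SERVER_XML))))
```

Run against a real server.xml by replacing SAMPLE_SERVER_XML with the file contents; the first connector is reported as pure OpenSSL style with the implementation unset, which is exactly the case where the early setConfigType warning fires although no styles are mixed, while the second connector is the genuinely mixed configuration the warning is meant to catch.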