Mladen Turk wrote:
I have two suggestions
1. The SSLEngine attribute should be in the APR lifecycle listener,
and not in the connector, since its static, I can't have more than
one, so why do I have to define it more than once.
This would require doubling directives for enabling SSL, once in
Listener and once in Connector.
2. Add a SSLEnabled (or sslEnabled) attribute to the connector with
only true/false values.
The goal from the beginning was consistency, and also support
secure=true scheme=https even though its not actually running SSL, a
pretty important feature.
I agree, but then SSLEngine implicitly enables ssl processing with APR
connector, while on other it would depend on scheme.
Perhaps we should consider scheme for enabling ssl in APR as well
and if SSLEngine != Off && sheme=https then calling SSL.initialize
My suggestion would be this:
[1]
<Listener className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="someengine/on/off"/>
[2]
<Connector port="8444" scheme="https" secure="true"
protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true"/>
[3]
<Connector port="8555" scheme="https" secure="true"
protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="false"/>
[1] - this calls SSL.initialize if the value is set to anything but "off".
[2] - this is a SSL connector, handshake/encryption/decryption is done
by Tomcat
[3] - this is a non SSL connector, but tricking the application to think
it is, in this example, my network card does the SSL enc/dec, and passes
HTTP to tomcat
It's the [3] feature I am looking after, as APR already has this, but
hidden into the connector.
[3] is accomplished with APR today like this,
<Connector port="8666" scheme="https" secure="true"
protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEngine="off"/>
But this functionality should exist for the java connectors as well.
The benefits:
1. SSL.initialize is only called once per VM, I can add multiple APR SSL
connectors
2. [3] & [4] have the same attributes, I could swap out
Http11AprProtocol with Http11NioProtocol or Http11Protocol
3. Consistency across the connectors
does this make sense, no connector depends on "secure" or "scheme" these
are just values passed onto the request if the admin wants to force
those values.
Filip
Regards,
Mladen.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
