https://bz.apache.org/bugzilla/show_bug.cgi?id=66670
Bug ID: 66670
Summary: Add SSLHostConfig#certificateKeyPasswordFile
Product: Tomcat 9
Version: 9.0.76
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: micha...@apache.org
Target Milestone: -----

This is somewhat inspired by https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslpassphrasedialog and its flexibility, but I do not intend to request all of those features.

One of the current problems with using inline passwords (certificateKeyPassword) in server.xml:

* Multiple connectors for the same certificate/key pair on different ports
* Multiple Tomcat instances for the same hostname, but you need different JVM configs/versions/etc. or need the physical separation between processes

All of these require touching every single certificateKeyPassword and updating it when you rotate the cert/key pair and password. In HTTPd you don't have that problem because you modify a single password file and are done.

Note: I don't intend to put HTTPd in front of those Tomcat instances because I need to configure and update it, it adds overhead, and it has several open issues with expect/continue support for some of our use cases.

I'd like to introduce this parameter only for OpenSSL or PEM-based cert keys, not Java keystores, since certificateKeystorePassword has a default value which does not allow making it mutually exclusive. This attribute will be mutually exclusive with certificateKeyPassword since only one of them should be populated; an exception will be raised when both are provided.

This will require changes in a few Java files as well as Tomcat Native in Java and C.
Target config example:

> <Connector port="%%HTTPS_PORT%%" connectionTimeout="20000"
>            keepAliveTimeout="300000" maxParameterCount="1000"
>            maxHttpHeaderSize="24576" maxThreads="250"
>            SSLEnabled="true" scheme="https" secure="true"
>            defaultSSLHostConfigName="%%VIRTUAL_HOSTNAME%%">
>   <SSLHostConfig hostName="%%VIRTUAL_HOSTNAME%%" protocols="TLSv1.2+TLSv1.3"
>                  honorCipherOrder="true" disableSessionTickets="true"
>                  ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384">
>     <Certificate certificateFile="/etc/ssl/%%VIRTUAL_HOSTNAME%%/cert.crt"
>                  certificateKeyFile="/etc/ssl/%%VIRTUAL_HOSTNAME%%/key.crt"
>                  certificateKeyPasswordFile="/etc/ssl/%%VIRTUAL_HOSTNAME%%/password"
>                  type="RSA" />
>   </SSLHostConfig>
> </Connector>

IMPORTANT: This is not a security concern or a way to avoid plaintext passwords in conf files; it is solely about reducing admin overhead.

Let me know what you think; I'd like to start implementing it this week.
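As an added illustration (not code from the report or from Tomcat itself), the following sketch shows how the requested behaviour could be modelled: the two attributes are mutually exclusive, and the passphrase is read from the file with a single trailing line terminator stripped. The class and method names are hypothetical, and it assumes the file contains just the passphrase, optionally followed by a newline.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;
// Hypothetical helper, not part of Tomcat: resolves the key passphrase from
// either the inline attribute or the proposed certificateKeyPasswordFile.
public final class KeyPasswordResolver {
    public static String resolve(String certificateKeyPassword,
                                 String certificateKeyPasswordFile) throws IOException {
        boolean inline = certificateKeyPassword != null && !certificateKeyPassword.isEmpty();
        boolean file = certificateKeyPasswordFile != null && !certificateKeyPasswordFile.isEmpty();
        // The report asks for the two attributes to be mutually exclusive.
        if (inline && file) {
            throw new IllegalArgumentException(
                "certificateKeyPassword and certificateKeyPasswordFile are mutually exclusive");
        }
        if (inline) {
            return certificateKeyPassword;
        }
        if (!file) {
            return null; // unencrypted key, same as leaving certificateKeyPassword unset
        }
        return readPasswordFile(Path.of(certificateKeyPasswordFile));
    }
    static String readPasswordFile(Path path) throws IOException {
        // The passphrase sits in plaintext here, exactly as it would in server.xml,
        // so warn if anyone other than the owner can read the file.
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                System.err.println("warning: " + path + " is readable by group/others");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): no permission check here.
        }
        String content = Files.readString(path, StandardCharsets.UTF_8);
        // Editors usually append a newline; strip one trailing line terminator only,
        // so a passphrase that genuinely contains whitespace is preserved.
        if (content.endsWith("\r\n")) {
            return content.substring(0, content.length() - 2);
        }
        if (content.endsWith("\n")) {
            return content.substring(0, content.length() - 1);
        }
        return content;
    }
}
```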