Author: markt
Date: Sat Jan 30 19:46:02 2010
New Revision: 904859

URL: http://svn.apache.org/viewvc?rev=904859&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48311
Only the APR lifecycle listener should try and initialise APR
Patch also syncs all APR lifecycle listener changes from 6.0.x to 5.5.x
  
Modified:
    tomcat/tc5.5.x/trunk/STATUS.txt
    
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/connector/Connector.java
    
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/core/AprLifecycleListener.java
    tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
    tomcat/tc5.5.x/trunk/container/webapps/docs/ssl-howto.xml

Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=904859&r1=904858&r2=904859&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Sat Jan 30 19:46:02 2010
@@ -102,16 +102,6 @@
   +1: markt, rjung
   -1: 
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48311
-  Only the APR lifecycle listener should try and initialise APR
-  Patch also syncs all APR lifecycle listener changes from 6.0.x to 5.5.x
-  http://people.apache.org/~markt/patches/2009-11-27-bug48300-tc5.patch
-  +1: markt, rjung, kkolinko
-  -1: 
-    kkolinko: 1. It introduces SSLEngine property in AprLifecycleListener,
-     it could be described in ssl-howto.html, see 6.0.  2. BZ 48613 is
-     an issue that existed before this patch, but it makes it noticeable.
-
 * Address https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
   Prevent session fixation by changing session ID on authentication by default
   If you don't like the session ID changing by default, feel free to caveat 
your

Modified: 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/connector/Connector.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/connector/Connector.java?rev=904859&r1=904858&r2=904859&view=diff
==============================================================================
--- 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/connector/Connector.java
 (original)
+++ 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/connector/Connector.java
 Sat Jan 30 19:46:02 2010
@@ -32,6 +32,7 @@
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.LifecycleListener;
 import org.apache.catalina.Service;
+import org.apache.catalina.core.AprLifecycleListener;
 import org.apache.catalina.core.StandardEngine;
 import org.apache.catalina.util.LifecycleSupport;
 import org.apache.catalina.util.StringManager;
@@ -607,23 +608,7 @@
      */
     public void setProtocol(String protocol) {
 
-        // Test APR support
-        boolean apr = false;
-        try {
-            String methodName = "initialize";
-            Class paramTypes[] = new Class[1];
-            paramTypes[0] = String.class;
-            Object paramValues[] = new Object[1];
-            paramValues[0] = null;
-            Method method = Class.forName("org.apache.tomcat.jni.Library")
-                .getMethod(methodName, paramTypes);
-            method.invoke(null, paramValues);
-            apr = true;
-        } catch (Throwable t) {
-            // Ignore
-        }
-
-        if (apr) {
+        if (AprLifecycleListener.isAprAvailable()) {
             if ("HTTP/1.1".equals(protocol)) {
                 setProtocolHandlerClassName
                     ("org.apache.coyote.http11.Http11AprProtocol");

Modified: 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/core/AprLifecycleListener.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/core/AprLifecycleListener.java?rev=904859&r1=904858&r2=904859&view=diff
==============================================================================
--- 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/core/AprLifecycleListener.java
 (original)
+++ 
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/core/AprLifecycleListener.java
 Sat Jan 30 19:46:02 2010
@@ -5,9 +5,9 @@
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
- * 
+ *
  *      http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,20 +18,25 @@
 package org.apache.catalina.core;
 
 
+import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
+
 import org.apache.catalina.Lifecycle;
 import org.apache.catalina.LifecycleEvent;
 import org.apache.catalina.LifecycleListener;
 import org.apache.catalina.util.StringManager;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.tomcat.jni.Library;
+
 
 
 /**
  * Implementation of <code>LifecycleListener</code> that will init and
  * and destroy APR.
- *
+ * 
  * @author Remy Maucherat
+ * @author Filip Hanik
  * @version $Revision$ $Date$
  * @since 4.1
  */
@@ -44,12 +49,11 @@
     /**
      * The string manager for this package.
      */
-    protected StringManager sm =
+    protected static StringManager sm =
         StringManager.getManager(Constants.Package);
 
-    protected static String SSLRandomSeed = "builtin";
-    
-    // -------------------------------------------------------------- Constants
+
+    // ---------------------------------------------- Constants
 
 
     protected static final int REQUIRED_MAJOR = 1;
@@ -58,8 +62,20 @@
     protected static final int RECOMMENDED_PV = 17;
 
 
-    // ---------------------------------------------- LifecycleListener Methods
+    // ---------------------------------------------- Properties
+    protected static String SSLEngine = "on"; //default on
+    protected static String SSLRandomSeed = "builtin";
+    protected static boolean sslInitialized = false;
+    protected static boolean aprInitialized = false;
+    protected static boolean sslAvailable = false;
+    protected static boolean aprAvailable = false;
+
+    public static boolean isAprAvailable() {
+        init();
+        return aprAvailable;
+    }
 
+    // ---------------------------------------------- LifecycleListener Methods
 
     /**
      * Primary entry point for startup and shutdown events.
@@ -69,65 +85,24 @@
     public void lifecycleEvent(LifecycleEvent event) {
 
         if (Lifecycle.INIT_EVENT.equals(event.getType())) {
-            int major = 0;
-            int minor = 0;
-            int patch = 0;
-            try {
-                String methodName = "initialize";
-                Class paramTypes[] = new Class[1];
-                paramTypes[0] = String.class;
-                Object paramValues[] = new Object[1];
-                paramValues[0] = null;
-                Class clazz = Class.forName("org.apache.tomcat.jni.Library");
-                Method method = clazz.getMethod(methodName, paramTypes);
-                method.invoke(null, paramValues);
-
-                major = clazz.getField("TCN_MAJOR_VERSION").getInt(null);
-                minor = clazz.getField("TCN_MINOR_VERSION").getInt(null);
-                patch = clazz.getField("TCN_PATCH_VERSION").getInt(null);
-                
-                methodName = "randSet";
-                paramValues[0] = SSLRandomSeed;
-                clazz = Class.forName("org.apache.tomcat.jni.SSL");
-                method = clazz.getMethod(methodName, paramTypes);
-                method.invoke(null, paramValues);
-            } catch (Throwable t) {
-                if (!log.isDebugEnabled()) {
-                    log.info(sm.getString("aprListener.aprInit", 
-                            System.getProperty("java.library.path")));
-                } else {
-                    log.debug(sm.getString("aprListener.aprInit", 
-                            System.getProperty("java.library.path")), t);
+            init();
+            if (aprAvailable) {
+                try {
+                    initializeSSL();
+                } catch (Throwable t) {
+                    if (!log.isDebugEnabled()) {
+                        log.info(sm.getString("aprListener.sslInit"));
+                    } else {
+                        log.debug(sm.getString("aprListener.sslInit"), t);
+                    }
                 }
-                return;
-            }
-            if ((major != REQUIRED_MAJOR) || (minor != REQUIRED_MINOR)
-                    || (patch < REQUIRED_PATCH)) {
-                log.error(sm.getString("aprListener.tcnInvalid", major + "." 
-                        + minor + "." + patch, REQUIRED_MAJOR + "." 
-                        + REQUIRED_MINOR + "." + REQUIRED_PATCH));
-            }
-            if (patch < RECOMMENDED_PV) {
-                /* The version is lower then recommended.
-                 * Instruct the user to consider upgrading the native
-                 * to the current stable version.
-                 */
-                if (!log.isDebugEnabled()) {
-                    log.info(sm.getString("aprListener.tcnVersion", major + 
"." 
-                            + minor + "." + patch, REQUIRED_MAJOR + "." 
-                            + REQUIRED_MINOR + "." + RECOMMENDED_PV));
-                } else {
-                    log.debug(sm.getString("aprListener.tcnVersion", major + 
"." 
-                            + minor + "." + patch, REQUIRED_MAJOR + "." 
-                            + REQUIRED_MINOR + "." + RECOMMENDED_PV));
-                }                
             }
         } else if (Lifecycle.AFTER_STOP_EVENT.equals(event.getType())) {
+            if (!aprAvailable) {
+                return;
+            }
             try {
-                String methodName = "terminate";
-                Method method = Class.forName("org.apache.tomcat.jni.Library")
-                    .getMethod(methodName, (Class [])null);
-                method.invoke(null, (Object []) null);
+                terminateAPR();
             } catch (Throwable t) {
                 if (!log.isDebugEnabled()) {
                     log.info(sm.getString("aprListener.aprDestroy"));
@@ -139,11 +114,141 @@
 
     }
 
+    private static synchronized void terminateAPR()
+        throws ClassNotFoundException, NoSuchMethodException,
+               IllegalAccessException, InvocationTargetException
+    {
+        String methodName = "terminate";
+        Method method = Class.forName("org.apache.tomcat.jni.Library")
+            .getMethod(methodName, (Class [])null);
+        method.invoke(null, (Object []) null);
+    }
+
+    private static void init()
+    {
+        int major = 0;
+        int minor = 0;
+        int patch = 0;
+        if (aprInitialized) {
+            return;    
+        }
+        aprInitialized = true;
+        
+        try {
+            String methodName = "initialize";
+            Class paramTypes[] = new Class[1];
+            paramTypes[0] = String.class;
+            Object paramValues[] = new Object[1];
+            paramValues[0] = null;
+            Class clazz = Class.forName("org.apache.tomcat.jni.Library");
+            Method method = clazz.getMethod(methodName, paramTypes);
+            method.invoke(null, paramValues);
+            major = clazz.getField("TCN_MAJOR_VERSION").getInt(null);
+            minor = clazz.getField("TCN_MINOR_VERSION").getInt(null);
+            patch = clazz.getField("TCN_PATCH_VERSION").getInt(null);
+        } catch (Throwable t) {
+            if (!log.isDebugEnabled()) {
+                log.info(sm.getString("aprListener.aprInit",
+                        System.getProperty("java.library.path")));
+            } else {
+                log.debug(sm.getString("aprListener.aprInit",
+                        System.getProperty("java.library.path")), t);
+            }
+            return;
+        }
+        if ((major != REQUIRED_MAJOR)  ||
+            (minor != REQUIRED_MINOR) ||
+            (patch <  REQUIRED_PATCH)) {
+            log.error(sm.getString("aprListener.tcnInvalid", major + "."
+                    + minor + "." + patch,
+                    REQUIRED_MAJOR + "." +
+                    REQUIRED_MINOR + "." +
+                    REQUIRED_PATCH));
+            try {
+                // Terminate the APR in case the version
+                // is below required.                
+                terminateAPR();
+            } catch (Throwable t) {
+                // Ignore
+            }
+            return;
+        }
+        if (patch <  RECOMMENDED_PV) {
+            if (!log.isDebugEnabled()) {
+                log.info(sm.getString("aprListener.tcnVersion", major + "."
+                        + minor + "." + patch,
+                        REQUIRED_MAJOR + "." +
+                        REQUIRED_MINOR + "." +
+                        RECOMMENDED_PV));
+            } else {
+                log.debug(sm.getString("aprListener.tcnVersion", major + "."
+                        + minor + "." + patch,
+                        REQUIRED_MAJOR + "." +
+                        REQUIRED_MINOR + "." +
+                        RECOMMENDED_PV));
+            }
+        }
+        if (!log.isDebugEnabled()) {
+           log.info(sm.getString("aprListener.tcnValid", major + "."
+                    + minor + "." + patch));
+        }
+        else {
+           log.debug(sm.getString("aprListener.tcnValid", major + "."
+                     + minor + "." + patch));
+        }
+        // Log APR flags
+        log.info(sm.getString("aprListener.flags", Library.APR_HAVE_IPV6,
+                Library.APR_HAS_SENDFILE, Library.APR_HAS_SO_ACCEPTFILTER,
+                Library.APR_HAS_RANDOM));
+        aprAvailable = true;
+    }
+
+    private static synchronized void initializeSSL()
+        throws ClassNotFoundException, NoSuchMethodException,
+               IllegalAccessException, InvocationTargetException
+    {
+
+        if ("off".equalsIgnoreCase(SSLEngine)) {
+            return;
+        }
+        if (sslInitialized) {
+             //only once per VM
+            return;
+        }
+        sslInitialized = true;
+
+        String methodName = "randSet";
+        Class paramTypes[] = new Class[1];
+        paramTypes[0] = String.class;
+        Object paramValues[] = new Object[1];
+        paramValues[0] = SSLRandomSeed;
+        Class clazz = Class.forName("org.apache.tomcat.jni.SSL");
+        Method method = clazz.getMethod(methodName, paramTypes);
+        method.invoke(null, paramValues);
+        
+
+        methodName = "initialize";
+        paramValues[0] = "on".equalsIgnoreCase(SSLEngine)?null:SSLEngine;
+        method = clazz.getMethod(methodName, paramTypes);
+        method.invoke(null, paramValues);
+ 
+        sslAvailable = true;
+    }
+
+    public String getSSLEngine() {
+        return SSLEngine;
+    }
+
+    public void setSSLEngine(String SSLEngine) {
+        this.SSLEngine = SSLEngine;
+    }
+
     public String getSSLRandomSeed() {
         return SSLRandomSeed;
     }
 
     public void setSSLRandomSeed(String SSLRandomSeed) {
-        AprLifecycleListener.SSLRandomSeed = SSLRandomSeed;
+        this.SSLRandomSeed = SSLRandomSeed;
     }
+    
 }

Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=904859&r1=904858&r2=904859&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Sat Jan 30 
19:46:02 2010
@@ -164,6 +164,10 @@
         Greg Vanore. (markt)
       </fix>
       <fix>
+        <bug>48311</bug>: APR should not be initialised if the APR life-cycle
+        listener is not enabled. (markt)
+      </fix>
+      <fix>
         CVE-2009-3555. Provide option to disable legacy SSL renegotiation.
         (markt/costin) 
       </fix>

Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/ssl-howto.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/ssl-howto.xml?rev=904859&r1=904858&r2=904859&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/ssl-howto.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/ssl-howto.xml Sat Jan 30 
19:46:02 2010
@@ -281,23 +281,97 @@
 </subsection>
 
 <subsection name="Edit the Tomcat Configuration File">
+<p>
+Tomcat can use two different implementations of SSL:
+<ul>
+<li>the JSSE implementation provided as part of the Java runtime (since 
1.4)</li>
+<li>the APR implementation, which uses the OpenSSL engine by default.</li>
+</ul>
+The exact configuration details depend on which implementation is being used.
+The implementation used by Tomcat is chosen automatically unless it is 
overriden as described below.
+If the installation uses <a href="apr.html">APR</a> 
+- i.e. you have installed the Tomcat native library -
+then it will use the APR SSL implementation, otherwise it will use the Java 
JSSE implementation.  
+</p>
+
+<p>
+  To avoid auto configuration you can define which implementation to use by 
specifying a classname 
+  in the <b>protocol</b> attribute of the Connector.<br/>
+  To define a Java (JSSE) connector, regardless of whether the APR library is 
loaded or not do:
+<source>
+&lt;-- Define a blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 --&gt;
+&lt;Connector protocol="org.apache.coyote.http11.Http11Protocol"
+           port="8443" .../&gt;
+
+&lt;-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 
--&gt;
+&lt;Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
+           port="8443" .../&gt;
+</source>
+Alternatively, to specify an APR connector (the APR library must be available) 
use:
+<source>
+&lt;-- Define a APR SSL Coyote HTTP/1.1 Connector on port 8443 --&gt;
+&lt;Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
+           port="8443" .../&gt;
+</source>
+
+</p>
+
+<p>If you are using APR, you have the option of configuring an alternative 
engine to OpenSSL.
+<source>
+&lt;Listener className="org.apache.catalina.core.AprLifecycleListener"
+          SSLEngine="someengine" SSLRandomSeed="somedevice" /&gt;
+</source>
+The default value is
+<source>
+&lt;Listener className="org.apache.catalina.core.AprLifecycleListener"
+          SSLEngine="on" SSLRandomSeed="builtin" /&gt;
+</source>
+So to use SSL under APR, make sure the SSLEngine attribute is set to something 
other than <code>off</code>.
+The default value is <code>on</code> and if you specify another value, it has 
to be a valid engine name.
+<br/>
+If you haven't compiled in SSL support into your Tomcat Native library, then 
you can turn this initialization off
+<source>
+&lt;Listener className="org.apache.catalina.core.AprLifecycleListener"
+          SSLEngine="off" /&gt;
+</source>
+SSLRandomSeed allows to specify a source of entropy. Productive system needs a 
reliable source of entropy
+but entropy may need a lot of time to be collected therefore test systems 
could use no blocking entropy
+sources like "/dev/urandom" that will allow quicker starts of Tomcat.
 
-<p>The final step is to configure your secure socket in the
-<code>$CATALINA_HOME/conf/server.xml</code> file, where
-<code>$CATALINA_HOME</code> represents the directory into which you
-installed Tomcat 5.  An example <code>&lt;Connector&gt;</code> element
+</p>
+
+<p>The final step is to configure the Connector in the
+<code>$CATALINA_BASE/conf/server.xml</code> file, where
+<code>$CATALINA_BASE</code> represents the base directory for the
+Tomcat 6 instance.  An example <code>&lt;Connector&gt;</code> element
 for an SSL connector is included in the default <code>server.xml</code>
-file installed with Tomcat.  It will look something like this:</p>
+file installed with Tomcat.  For JSSE, it should look something like this:</p>
 <source>
 &lt;-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 --&gt;
 &lt;!--
 &lt;Connector 
-           port="8443" minProcessors="5" maxProcessors="75"
-           enableLookups="true" disableUploadTimeout="true"
-           acceptCount="100" debug="0" scheme="https" secure="true";
+           port="8443" maxThreads="200"
+           scheme="https" secure="true" SSLEnabled="true"
+           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
            clientAuth="false" sslProtocol="TLS"/&gt;
 --&gt;
 </source>
+<p>
+  The example above will throw an error if you have the APR and the Tomcat 
Native libraries in your path,
+  as Tomcat will try to use the APR connector. The APR connector uses 
different attributes for 
+  SSL keys and certificates. An example of an APR configuration is:
+<source>
+&lt;-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 --&gt;
+&lt;!--
+&lt;Connector 
+           port="8443" maxThreads="200"
+           scheme="https" secure="true" SSLEnabled="true"
+           SSLCertificateFile="/usr/local/ssl/server.crt" 
+           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
+           clientAuth="optional" SSLProtocol="TLSv1"/&gt;
+--&gt;
+</source>
+</p>
 
 <p>You will note that the Connector element itself is commented out by default,
 so you will need to remove the comment tags around it.  Then, you can
@@ -319,93 +393,17 @@
   value specified for the <code>redirectPort</code> attribute on the
   non-SSL connector.  This allows Tomcat to automatically redirect
   users who attempt to access a page with a security constraint specifying
-  that SSL is required, as required by the Servlet 2.4 Specification.</p>
+  that SSL is required, as required by the Servlet Specification.</p>
   </em></blockquote>
 
-<p>There are additional option used to configure the SSL protocol.
-  You may need to add or change the following attribute
-values, depending on how you configured your keystore earlier:</p>
-
-<table border="1">
-  <tr>
-    <th>Attribute</th>
-    <th>Description</th>
-  </tr>
-  <tr>
-    <td><code>clientAuth</code></td>
-    <td>Set this value to <code>true</code> if you want Tomcat to require
-        all SSL clients to present a client Certificate in order to use
-        this socket.  Set this value to <code>want</code> if you want Tomcat
-        to request a client Certificate, but not fail if one isn't presented.
-        For using clientAuth on a per-user or per-session basis, check out
-        the tips in 
-        <a href="http://issues.apache.org/bugzilla/show_bug.cgi?id=34643"; 
title="Bugzilla 34643">Bugzilla 34643</a>.
-    </td>
-  </tr>
-  <tr>
-    <td><code>keystoreFile</code></td>
-    <td>Add this attribute if the keystore file you created is not in
-        the default place that Tomcat expects (a file named
-        <code>.keystore</code> in the user home directory under
-        which Tomcat is running).  You can specify an absolute pathname,
-        or a relative pathname that is resolved against the
-        <code>$CATALINA_BASE</code> environment variable.</td>
-  </tr>
-  <tr>
-    <td><code>keystorePass</code></td>
-    <td>Add this element if you used a different keystore (and Certificate)
-        password than the one Tomcat expects (<code>changeit</code>).</td>
-  </tr>
-  <tr>
-    <td><code>keystoreType</code></td>
-    <td>Add this element if using a keystore type other than
-    <code>JKS</code>.</td>
-  </tr>
-  <tr>
-    <td><code>sslProtocol</code></td>
-    <td>The encryption/decryption protocol to be used on this socket.
-        It is not recommended to change this value if you are using Sun's
-        JVM.  It is reported that IBM's 1.4.1 implementation
-        of the TLS protocol is not compatible with some popular browsers.
-        In this case, use the value <code>SSL</code>.</td>
-  </tr>
-  <tr>
-    <td><code>ciphers</code></td>
-    <td>The comma separated list of encryption ciphers that this socket is 
-        allowed to use. By default, the default ciphers for the JVM will be
-        used. Note that this usually means that the weak export grade ciphers
-        will be included in the list of available ciphers. The ciphers are
-        specified using the JSSE cipher naming convention.</td>
-  </tr>
-  <tr>
-    <td><code>algorithm</code></td>
-    <td>The <code>X509</code> algorithm to use.  This defaults to the Sun 
-        implementation (<code>SunX509</code>).  For IBM JVMs you should use
-        the value <code>IbmX509</code>.  For other vendors, consult the JVM
-        documentation for the correct value.
-    </td>
-  </tr>
-  <tr>
-   <td><code>truststoreFile</code></td>
-   <td>The TrustStore file to use to validate client certificates.</td>
-  </tr>
-  <tr>
-   <td><code>truststorePass</code></td>
-   <td>The password to access the TrustStore.  This defaults to the value
-       of <code>keystorePass</code>.</td>
-  </tr>
-  <tr>
-   <td><code>truststoreType</code></td>
-    <td>Add this element if your are using a different format for the 
-        TrustStore then you are using for the KeyStore.</td>
-  </tr>
-  <tr>
-   <td><code>keyAlias</code></td>
-    <td>Add this element if your have more than one key in the KeyStore.
-        If the element is not present the first key read in the KeyStore
-        will be used.</td>
-  </tr>
-</table>
+<p>There are additional options used to configure the SSL protocol. You may
+need to add or change some attributes, depending on how you configured your
+keystore earlier. If you are using a Java JSSE based SSL connector then
+configuration options are documented in the
+<a href="config/http.html">Java HTTP connector</a> configuration
+reference. If you are using the APR/native connector then refer to the
+<a href="apr.html">APR connector</a> configuration guide for details of the
+available configuration options.</p>
 
 <p>After completing these configuration changes, you must restart Tomcat as
 you normally do, and you should be in business.  You should be able to access



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to