Posted to users@tomcat.apache.org by "Caldarale, Charles R" <Ch...@unisys.com> on 2008/10/07 20:52:13 UTC

RE: Non-secure HTTP connector with secure="true" requires a keystore?

> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Subject: Re: Non-secure HTTP connector with secure="true"
> requires a keystore?
>
> I tried it with scheme="http" at first, and got the same exception.

The code in 6.0 is noticeably different from that in 5.5 for protocol initialization, including setting up the socket factory.  Would it be possible to test the config on 6.0 to see if you can achieve the desired results there?

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Non-secure HTTP connector with secure="true" requires a keystore?

Posted by Gregory Gerard <gg...@ggerard.com>.
Same here. I terminate all SSL in a load balancer and forward in the clear back to 8080 or 8081. Application code is peppered with non-standard calls to see things set by a filter to see if it's considered secure even though Tomcat thinks otherwise. In the more extreme case, I could consider all packets to be secure in that all packets are traveling over a VPN tunnel or on a high-speed interconnect between nodes inside the same box.

If I recall, SSL doesn't actually require you to negotiate any encryption standard (the NULL cipher -- http://www.openssl.org/docs/apps/ciphers.html). And of course, selecting SSL doesn't mean the keys haven't been unknowingly compromised.

Really, this should be a marker to denote that the connection is administratively considered secure.

greg

On Oct 10, 2008, at 9:12 AM, Christopher Schultz wrote:

> David,
>
> David Wall wrote:
>>
>>> No, I don't want SSL enabled. I want Tomcat to NOT do SSL, but I  
>>> want it
>>> to report to my application that SSL is being used.
>>>
>> So you want quality software to lie to you?  It would be a bug if  
>> Tomcat
>> said it was secure when it's not, and it sounds pretty goofy to  
>> want it.
>
> What about the AJP connector, which does exactly the same thing? An  
> SSL
> connection to Apache httpd is translated into a non-secure  
> communication
> to Tomcat, and yet request.isSecure() returns true.
>
>>> The deal is that I want to be able to have a localhost-only  
>>> <Connector>
>>> that appears to be secure, but isn't actually using SSL so I can  
>>> avoid
>>> the SSL performance hit.
>>
>> So use HTTP.  "Appearing" secure buys you nothing other than fooling
>> yourself.  You are not telling us something because such a spec  
>> makes no
>> sense.  Your app can assume anything it wants (boolean isSecure =  
>> true;
>> int one = 2;).
>
> I would also like to use
> <transport-guarantee>CONFIDENTIAL</transport-guarantee> which
> essentially requires HTTPS to be used. I would like to represent a
> connection as secure, not as HTTPS. Since I trust localhost, I  
> consider
> that secure, just as I trust the connections coming from mod_jk as
> outlined above.
>
> This is not a case of true = false or 1 = 2.
>
> -chris





Re: Non-secure HTTP connector with secure="true" requires a keystore?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

David,

David Wall wrote:
> 
>> No, I don't want SSL enabled. I want Tomcat to NOT do SSL, but I want it
>> to report to my application that SSL is being used.
>>   
> So you want quality software to lie to you?  It would be a bug if Tomcat
> said it was secure when it's not, and it sounds pretty goofy to want it.

What about the AJP connector, which does exactly the same thing? An SSL
connection to Apache httpd is translated into a non-secure communication
to Tomcat, and yet request.isSecure() returns true.

>> The deal is that I want to be able to have a localhost-only <Connector>
>> that appears to be secure, but isn't actually using SSL so I can avoid
>> the SSL performance hit.
>
> So use HTTP.  "Appearing" secure buys you nothing other than fooling
> yourself.  You are not telling us something because such a spec makes no
> sense.  Your app can assume anything it wants (boolean isSecure = true;
> int one = 2;).

I would also like to use
<transport-guarantee>CONFIDENTIAL</transport-guarantee> which
essentially requires HTTPS to be used. I would like to represent a
connection as secure, not as HTTPS. Since I trust localhost, I consider
that secure, just as I trust the connections coming from mod_jk as
outlined above.

This is not a case of true = false or 1 = 2.

-chris
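The "administratively secure" marker Greg describes (a filter marking the request secure when TLS was terminated upstream) and the trust-localhost case Chris raises can both be implemented in the application without making the connector lie. This is an added example, not code from any post in this thread or from Tomcat itself; it assumes the Servlet 2.5 API and a hypothetical filter init parameter `trustedPeers` listing the only hosts able to reach the plain-HTTP port (the load balancer, or loopback by default).

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Marks a plain-HTTP request as "administratively secure" only when it
 * arrives from a peer we trust to have terminated TLS (the load balancer
 * or the loopback interface). Assumption: those peers are the only hosts
 * that can reach the connector port (bound to localhost or firewalled).
 */
public class TrustedPeerSecureFilter implements Filter {

    // Peers whose connections are considered secure; filled from the
    // hypothetical "trustedPeers" init parameter (comma-separated).
    private Set<String> trustedPeers;

    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("trustedPeers");
        if (param == null) {
            param = "127.0.0.1,::1"; // loopback only by default
        }
        trustedPeers = new HashSet<String>();
        for (String peer : param.split(",")) {
            trustedPeers.add(normalize(peer.trim()));
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Decide on the TCP peer address, never on a client-supplied header.
        if (!req.isSecure() && req instanceof HttpServletRequest
                && trustedPeers.contains(normalize(req.getRemoteAddr()))) {
            req = new SecureRequestWrapper((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    // Canonical textual form so "::1" and "0:0:0:0:0:0:0:1" compare equal.
    // Literal IP addresses do not trigger a DNS lookup here.
    private static String normalize(String addr) {
        try {
            return InetAddress.getByName(addr).getHostAddress();
        } catch (UnknownHostException e) {
            return addr;
        }
    }

    // Overrides only isSecure() and getScheme(); everything else passes through.
    private static class SecureRequestWrapper extends HttpServletRequestWrapper {
        SecureRequestWrapper(HttpServletRequest request) {
            super(request);
        }

        @Override
        public boolean isSecure() {
            return true;
        }

        @Override
        public String getScheme() {
            return "https";
        }
    }
}
```

Because the decision keys on the peer address, a remote client cannot promote its own request by sending a header. Note that <transport-guarantee>CONFIDENTIAL</transport-guarantee> is enforced by the container before the filter chain runs, so this wrapper satisfies application-level request.isSecure() checks only, not that constraint; for the constraint, the connector-level secure="true" that Filip describes for Tomcat 6 is the mechanism.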


Re: Non-secure HTTP connector with secure="true" requires a keystore?

Posted by David Wall <d....@computer.org>.
> No, I don't want SSL enabled. I want Tomcat to NOT do SSL, but I want it
> to report to my application that SSL is being used.
>   
So you want quality software to lie to you?  It would be a bug if Tomcat 
said it was secure when it's not, and it sounds pretty goofy to want it.

> The deal is that I want to be able to have a localhost-only <Connector>
> that appears to be secure, but isn't actually using SSL so I can avoid
> the SSL performance hit.
>   
So use HTTP.  "Appearing" secure buys you nothing other than fooling 
yourself.  You are not telling us something because such a spec makes no 
sense.  Your app can assume anything it wants (boolean isSecure = true; 
int one = 2;).

David


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Non-secure HTTP connector with secure="true" requires a keystore?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Peter,

Peter Rossbach wrote:
> As you want SSL enabled, you must add schema="https" secure="true"
> SSLEnabled="true"
> at your config.

No, I don't want SSL enabled. I want Tomcat to NOT do SSL, but I want it
to report to my application that SSL is being used.

The deal is that I want to be able to have a localhost-only <Connector>
that appears to be secure, but isn't actually using SSL so I can avoid
the SSL performance hit.

-chris


Re: Non-secure HTTP connector with secure="true" requires a keystore?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Filip,

Filip Hanik - Dev Lists wrote:
> secure=... corresponds to request.isSecure

I have not found this to be entirely true. Please see my original post.
If secure="true" merely sets the return value for request.isSecure, then
I should not need a keystore file during startup.

-chris



Re: Non-secure HTTP connector with secure="true" requires a keystore?

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
Peter Rossbach wrote:
> Hi,
>
> I don't have this problem at tomcat 6.0.18
>
>     <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
>         maxThreads="150" minSpareThreads="4"/>
>     <Connector port="9080" executor="tomcatThreadPool" 
> protocol="HTTP/1.1"
>                connectionTimeout="60000" URIEncoding="UTF-8" />
>     <Connector port="9089" schema="http" secure="true" 
> executor="tomcatThreadPool" protocol="HTTP/1.1"
>                connectionTimeout="60000" URIEncoding="UTF-8" />
>
>
> Test with the following index.jsp
> <%= new java.util.Date() %>
> <%= request.isSecure() %>
>  
> As you want SSL enabled, you must add schema="https" secure="true" 
> SSLEnabled="true"
> at your config.
actually, if you want SSL, you only have to add SSLEnabled="true"

scheme=... corresponds to request.getScheme
secure=... corresponds to request.isSecure

this is tomcat6, tomcat5 uses secure to determine if SSL should be turned on
>
> Peter
>
>
>
> Am 07.10.2008 um 21:01 schrieb Christopher Schultz:
>
>> Chuck,
>>
>> Caldarale, Charles R wrote:
>>>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>>>> Subject: Re: Non-secure HTTP connector with secure="true" requires
>>>> a keystore?
>>>>
>>>> I tried it with scheme="http" at first, and got the same exception.
>>>>
>>>
>>> The code in 6.0 is noticeably different from that in 5.5 for protocol
>>> initialization, including setting up the socket factory.  Would it be
>>> possible to test the config on 6.0 to see if you can achieve the
>>> desired results there?
>>
>> Yeah, I can probably try that. I don't even need an app to deploy in
>> order to test ;)
>>
>> -chris




Re: Non-secure HTTP connector with secure="true" requires a keystore?

Posted by Peter Rossbach <pr...@objektpark.de>.
Hi,

I don't have this problem at tomcat 6.0.18

     <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
         maxThreads="150" minSpareThreads="4"/>
     <Connector port="9080" executor="tomcatThreadPool" protocol="HTTP/1.1"
                connectionTimeout="60000" URIEncoding="UTF-8" />
     <Connector port="9089" schema="http" secure="true" executor="tomcatThreadPool" protocol="HTTP/1.1"
                connectionTimeout="60000" URIEncoding="UTF-8" />


Test with the following index.jsp
<%= new java.util.Date() %>
<%= request.isSecure() %>

As you want SSL enabled, you must add schema="https" secure="true" SSLEnabled="true" at your config.

Peter



Am 07.10.2008 um 21:01 schrieb Christopher Schultz:

> Chuck,
>
> Caldarale, Charles R wrote:
>>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>>> Subject: Re: Non-secure HTTP connector with secure="true" requires
>>> a keystore?
>>>
>>> I tried it with scheme="http" at first, and got the same exception.
>>>
>>
>> The code in 6.0 is noticeably different from that in 5.5 for protocol
>> initialization, including setting up the socket factory.  Would it be
>> possible to test the config on 6.0 to see if you can achieve the
>> desired results there?
>
> Yeah, I can probably try that. I don't even need an app to deploy in
> order to test ;)
>
> -chris




Re: Non-secure HTTP connector with secure="true" requires a keystore?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Chuck,

Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:chris@christopherschultz.net] 
>> Subject: Re: Non-secure HTTP connector with secure="true" requires
>> a keystore?
>> 
>> I tried it with scheme="http" at first, and got the same exception.
>> 
> 
> The code in 6.0 is noticeably different from that in 5.5 for protocol
> initialization, including setting up the socket factory.  Would it be
> possible to test the config on 6.0 to see if you can achieve the
> desired results there?

Yeah, I can probably try that. I don't even need an app to deploy in
order to test ;)

-chris


Re: Non-secure HTTP connector with secure="true" requires a keystore?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Chuck,

Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>> Subject: Re: Non-secure HTTP connector with secure="true"
>> requires a keystore?
>>
>> I would have expected 5.5 to act like 6.0.
> 
> An odd assumption...

Perhaps I should have said "the 6.0 behavior is what I would have expected".

-chris


RE: Non-secure HTTP connector with secure="true" requires a keystore?

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Subject: Re: Non-secure HTTP connector with secure="true"
> requires a keystore?
>
> Successful startup. Using HTTP, a test JSP reports that
> request.isSecure() returns true, which is exactly what
> Filip claims.  It appears that the behavior of TC 6.0
> and 5.5 are not the same.

That's what I surmised from reading the code; 6.0 is more straightforward, with less interaction amongst the attributes.

> I would have expected 5.5 to act like 6.0.

An odd assumption...

 - Chuck





RE: Non-secure HTTP connector with secure="true" requires a keystore?

Posted by Martin Gainty <mg...@hotmail.com>.
I found that the documentation at
http://tomcat.apache.org/tomcat-6.0-doc/printer/ssl-howto.html
states that situation accurately.

Congratulations chris on finding a bonafide bug on Tomcat 5.5.26 doc

Martin Gainty 


> Date: Sat, 11 Oct 2008 13:53:46 +0100
> From: markt@apache.org
> To: users@tomcat.apache.org
> Subject: Re: Non-secure HTTP connector with secure="true" requires a keystore?
> 
> Christopher Schultz wrote:
> > Chuck,
> > 
> > Caldarale, Charles R wrote:
> >> The code in 6.0 is noticeably different from that in 5.5 for protocol
> >> initialization, including setting up the socket factory.  Would it be
> >> possible to test the config on 6.0 to see if you can achieve the
> >> desired results there?
> > 
> > Here is what I've found:
> > 
> > Tomcat 5.5.26 with the following <Connector> configuration (which is
> > identical to that provided in the example server.xml that ships with TC
> > 5.5.26 plus the secure="true" attribute):
> > 
> >     <Connector port="8080"
> > 	maxHttpHeaderSize="8192"
> >         maxThreads="150"
> > 	minSpareThreads="25"
> > 	maxSpareThreads="75"
> > 	enableLookups="false"
> > 	redirectPort="8443"
> > 	acceptCount="100"
> > 	connectionTimeout="20000"
> > 	disableUploadTimeout="true"
> > 	secure="true"
> > 	/>
> > 
> > I get the following exception:
> > 
> > java.io.FileNotFoundException: /home/chris/.keystore (No such file or
> > directory)
> >         at java.io.FileInputStream.open(Native Method)
> >         at java.io.FileInputStream.<init>(FileInputStream.java:106)
> >         at
> > org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:284)
> > 
> > Removing the secure="true" attribute results in a successful startup (as
> > expected).
> That looks like a bug to me. Please add it to bugzilla so it doesn't get
> lost and forgotten about.
> 
> Mark
> 
> 
> 

Re: Non-secure HTTP connector with secure="true" requires a keystore?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

Mark Thomas wrote:
> That looks like a bug to me. Please add it to bugzilla so it doesn't get
> lost and forgotten about.

Done. Thanks.

https://issues.apache.org/bugzilla/show_bug.cgi?id=45997

-chris


Re: Non-secure HTTP connector with secure="true" requires a keystore?

Posted by Mark Thomas <ma...@apache.org>.
Christopher Schultz wrote:
> Chuck,
> 
> Caldarale, Charles R wrote:
>> The code in 6.0 is noticeably different from that in 5.5 for protocol
>> initialization, including setting up the socket factory.  Would it be
>> possible to test the config on 6.0 to see if you can achieve the
>> desired results there?
> 
> Here is what I've found:
> 
> Tomcat 5.5.26 with the following <Connector> configuration (which is
> identical to that provided in the example server.xml that ships with TC
> 5.5.26 plus the secure="true" attribute):
> 
>     <Connector port="8080"
> 	maxHttpHeaderSize="8192"
>         maxThreads="150"
> 	minSpareThreads="25"
> 	maxSpareThreads="75"
> 	enableLookups="false"
> 	redirectPort="8443"
> 	acceptCount="100"
> 	connectionTimeout="20000"
> 	disableUploadTimeout="true"
> 	secure="true"
> 	/>
> 
> I get the following exception:
> 
> java.io.FileNotFoundException: /home/chris/.keystore (No such file or
> directory)
>         at java.io.FileInputStream.open(Native Method)
>         at java.io.FileInputStream.<init>(FileInputStream.java:106)
>         at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:284)
> 
> Removing the secure="true" attribute results in a successful startup (as
> expected).
That looks like a bug to me. Please add it to bugzilla so it doesn't get
lost and forgotten about.

Mark





Re: Non-secure HTTP connector with secure="true" requires a keystore?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Chuck,

Caldarale, Charles R wrote:
> The code in 6.0 is noticeably different from that in 5.5 for protocol
> initialization, including setting up the socket factory.  Would it be
> possible to test the config on 6.0 to see if you can achieve the
> desired results there?

Here is what I've found:

Tomcat 5.5.26 with the following <Connector> configuration (which is
identical to that provided in the example server.xml that ships with TC
5.5.26 plus the secure="true" attribute):

    <Connector port="8080"
	maxHttpHeaderSize="8192"
        maxThreads="150"
	minSpareThreads="25"
	maxSpareThreads="75"
	enableLookups="false"
	redirectPort="8443"
	acceptCount="100"
	connectionTimeout="20000"
	disableUploadTimeout="true"
	secure="true"
	/>

I get the following exception:

java.io.FileNotFoundException: /home/chris/.keystore (No such file or
directory)
        at java.io.FileInputStream.open(Native Method)
        at java.io.FileInputStream.<init>(FileInputStream.java:106)
        at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:284)

Removing the secure="true" attribute results in a successful startup (as
expected).

Tomcat 6.0.18 with the following <Connector> configuration (which is the
default that ships with TC 6.0.18 plus the secure="true" attribute):

    <Connector port="8080"
	protocol="HTTP/1.1"
        connectionTimeout="20000"
        redirectPort="8443"
	secure="true"
	/>

Successful startup. Using HTTP, a test JSP reports that
request.isSecure() returns true, which is exactly what Filip claims. It
appears that the behavior of TC 6.0 and 5.5 are not the same. I would
have expected 5.5 to act like 6.0.

Thanks,
-chris