Posted to users@tomcat.apache.org by Chris Cheshire <ya...@gmail.com> on 2017/12/01 14:57:21 UTC

SSL connectors

I see in the changelog for 8.5.24

60762: Add the ability to make changes to the TLS configuration of a
connector at runtime without having to restart the Connector. (markt)

Does this mean we can now update SSL certificates without bouncing the
connector?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSL connectors

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 12/1/17 10:44 AM, Mark Thomas wrote:
> On 01/12/17 14:57, Chris Cheshire wrote:
>> I see in the changelog for 8.5.24
>> 
>> 60762: Add the ability to make changes to the TLS configuration
>> of a connector at runtime without having to restart the
>> Connector. (markt)
>> 
>> Does this mean we can now update SSL certificates without
>> bouncing the connector?
> 
> Yes, via one of the following methods on the endpoint:
> 
> reloadSslHostConfig(String hostName)
> reloadSslHostConfigs()
> 
> If accessing this via JMX, they appear as operations on the
> ThreadPool objects.

I'll be very happy to update my "Let's Encrypt" presentation to
reflect the new situation :)

-chris



Re: SSL connectors

Posted by Mark Thomas <ma...@apache.org>.
On 06/12/17 01:06, George S. wrote:
> 
> 
> On 12/1/2017 8:44 AM, Mark Thomas wrote:
>> On 01/12/17 14:57, Chris Cheshire wrote:
>>> I see in the changelog for 8.5.24
>>>
>>> 60762: Add the ability to make changes to the TLS configuration of a
>>> connector at runtime without having to restart the Connector. (markt)
> 
> What strikes me as odd is that SSL Certificates are still coupled to
> connectors. It seems like certificates should be coupled to Hosts since
> that's what SNI does. SNI removes the coupling between an IP and a
> virtual host name.
> 
> Pre-SNI, there was a logical reason to associate a certificate with a
> connector. The fact that you could only have one certificate on one IP,
> made the one-to-one correlation obvious. Now, with SNI, you can have
> many SSL Certificates with one IP. However, Tomcat's continuation of
> associating the SSL Certificate with the Connector, rather than the
> virtual host it's associated with is cumbersome because now when I
> configure a virtual host with an SSL certificate, I not only have to
> configure the host, but also the connector. As a database person, I try
> to follow the rule that the attributes should follow the entity. In this
> case, the attributes (SSLHostConfig) are facts about the virtual host,
> and not about the Connector (entity).
> 
> I'd like to see the Connector iterate over the virtual hosts and pick up
> the SSLHostConfig from there. Perhaps the SSLHostConfig should have an
> optional attribute "ConnectorName" to identify which Connector (assuming
> there are multiple) the SSLHostConfig should bind to for the case of
> multi-homed machines. The "ConnectorName" attribute would be used in
> multi-homed hosts to specify which (of several) connectors the
> SSLHostConfig should bind to.

The relationship between virtual host, SSLHostConfig and Connector is a
complex one. Various options were considered when implementing SNI.

The solution you propose assumes that there is a 1-2-1 mapping between
virtual host and SSLHostConfig. That is not always the case. The use of
wildcard certificates and Subject Alternative Names (SAN) so a
certificate can be used with multiple virtual hosts means that the
mapping can be complex.

The complex mapping, combined with a requirement to provide a smooth
migration path for existing uses led to the current solution.

(Note that we don't currently support multiple aliases for a
SSLHostConfig - that is something that should be fairly easy to add if
required.)

Tweaks to the existing implementation to simplify some use cases are
always possible and - assuming no impact on existing users - likely to
be accepted. The more significant the change, the greater the impact to
existing users and the less likely the change is to be accepted.

> Since I'm on wish lists, I wish that the Host XML snippet could be
> specified via a file in $CATALINA_BASE/conf/EngineName/Virtual.Host.Name
> via a magic name like _HOST.xml, or the like. I run anywhere from
> 600-2000 virtual hosts on a machine, and my current "work-around" is to
> use the inclusion hack to bring in an external file with the defined
> virtual hosts.

Each virtual host with its own set of web applications?

Automatic inclusion of hosts sounds doable but needs thinking through. I
don't see any immediate gotchas but it is similar to automatic context
deployment and there are a huge number of edge cases in that use case
once you start thinking about it. Automatic inclusion at start-up but no
automatic deployment while running would be a lot simpler to implement.

Mark

> 
> 
>>>
>>> Does this mean we can now update SSL certificates without bouncing the
>>> connector?
>> Yes, via one of the following methods on the endpoint:
>>
>> reloadSslHostConfig(String hostName)
>> reloadSslHostConfigs()
>>
>> If accessing this via JMX, they appear as operations on the ThreadPool
>> objects.
>>
>> Mark
>>




Re: SSL connectors

Posted by "George S." <ge...@mhsoftware.com>.

On 12/1/2017 8:44 AM, Mark Thomas wrote:
> On 01/12/17 14:57, Chris Cheshire wrote:
>> I see in the changelog for 8.5.24
>>
>> 60762: Add the ability to make changes to the TLS configuration of a
>> connector at runtime without having to restart the Connector. (markt)

What strikes me as odd is that SSL Certificates are still coupled to 
connectors. It seems like certificates should be coupled to Hosts since 
that's what SNI does. SNI removes the coupling between an IP and a 
virtual host name.

Pre-SNI, there was a logical reason to associate a certificate with a 
connector. The fact that you could only have one certificate on one IP, 
made the one-to-one correlation obvious. Now, with SNI, you can have 
many SSL Certificates with one IP. However, Tomcat's continuation of 
associating the SSL Certificate with the Connector, rather than the 
virtual host it's associated with is cumbersome because now when I 
configure a virtual host with an SSL certificate, I not only have to 
configure the host, but also the connector. As a database person, I try 
to follow the rule that the attributes should follow the entity. In this 
case, the attributes (SSLHostConfig) are facts about the virtual host, 
and not about the Connector (entity).

I'd like to see the Connector iterate over the virtual hosts and pick up 
the SSLHostConfig from there. Perhaps the SSLHostConfig should have an 
optional attribute "ConnectorName" to identify which Connector (assuming 
there are multiple) the SSLHostConfig should bind to for the case of 
multi-homed machines. The "ConnectorName" attribute would be used in 
multi-homed hosts to specify which (of several) connectors the 
SSLHostConfig should bind to.

Since I'm on wish lists, I wish that the Host XML snippet could be 
specified via a file in $CATALINA_BASE/conf/EngineName/Virtual.Host.Name 
via a magic name like _HOST.xml, or the like. I run anywhere from 
600-2000 virtual hosts on a machine, and my current "work-around" is to 
use the inclusion hack to bring in an external file with the defined 
virtual hosts.


>>
>> Does this mean we can now update SSL certificates without bouncing the
>> connector?
> Yes, via one of the following methods on the endpoint:
>
> reloadSslHostConfig(String hostName)
> reloadSslHostConfigs()
>
> If accessing this via JMX, they appear as operations on the ThreadPool
> objects.
>
> Mark
>

-- 
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com

Re: SSL connectors

Posted by Christopher Schultz <ch...@christopherschultz.net>.

John,

On 12/6/17 7:32 AM, Johan Compagner wrote:
> On 1 December 2017 at 16:44, Mark Thomas <ma...@apache.org> wrote:
> 
>> On 01/12/17 14:57, Chris Cheshire wrote:
>>> I see in the changelog for 8.5.24
>>> 
>>> 60762: Add the ability to make changes to the TLS configuration
>>> of a connector at runtime without having to restart the
>>> Connector. (markt)
>>> 
>>> Does this mean we can now update SSL certificates without
>>> bouncing the connector?
>> 
>> Yes, via one of the following methods on the endpoint:
>> 
>> reloadSslHostConfig(String hostName)
>> reloadSslHostConfigs()
>> 
>> 
>> 
> now it would be nice if Tomcat just had a built-in file scanner
> that calls those methods for us without doing anything else than
> changing the file on disk ;)

This could easily be done using the background processor.

Care to propose a patch?

Be sure to make sure this feature is OPT-IN... it's not okay to
auto-reload a file on the disk if the admin doesn't want that to happen.

-chris



Re: SSL connectors

Posted by Johan Compagner <jc...@servoy.com>.
On 1 December 2017 at 16:44, Mark Thomas <ma...@apache.org> wrote:

> On 01/12/17 14:57, Chris Cheshire wrote:
> > I see in the changelog for 8.5.24
> >
> > 60762: Add the ability to make changes to the TLS configuration of a
> > connector at runtime without having to restart the Connector. (markt)
> >
> > Does this mean we can now update SSL certificates without bouncing the
> > connector?
>
> Yes, via one of the following methods on the endpoint:
>
> reloadSslHostConfig(String hostName)
> reloadSslHostConfigs()
>
>
>
now it would be nice if Tomcat just had a built-in file scanner that calls
those methods for us without doing anything else than changing the file on
disk ;)

Re: SSL connectors

Posted by Mark Thomas <ma...@apache.org>.
On 01/12/17 14:57, Chris Cheshire wrote:
> I see in the changelog for 8.5.24
> 
> 60762: Add the ability to make changes to the TLS configuration of a
> connector at runtime without having to restart the Connector. (markt)
> 
> Does this mean we can now update SSL certificates without bouncing the
> connector?

Yes, via one of the following methods on the endpoint:

reloadSslHostConfig(String hostName)
reloadSslHostConfigs()

If accessing this via JMX, they appear as operations on the ThreadPool
objects.

Mark

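As an added example, not code from this thread, from Tomcat or from any of its posters: a small stand-alone JMX client that does what Mark describes (invoking reloadSslHostConfigs(), or reloadSslHostConfig(String) for one SNI host name, as an operation on each ThreadPool MBean) and, in an opt-in mode along the lines Chris asks for, polls a certificate or keystore file and triggers the reload only when that file changes. The JMX service URL, the credentials, the default engine name "Catalina" in the MBean pattern, the 30-second polling interval and the command-line layout are all assumptions of this example, not anything the thread states.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileTime;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Example (not Tomcat's code): reload a connector's TLS configuration over JMX.
 * Tomcat registers one ThreadPool MBean per connector endpoint, for example
 * Catalina:type=ThreadPool,name="https-jsse-nio-8443"; "Catalina" is the
 * default engine/domain name and is assumed here.
 */
public class ReloadTlsConfig {

    private static final String THREADPOOL_PATTERN = "Catalina:type=ThreadPool,name=*";

    /**
     * Invoke reloadSslHostConfigs() on every ThreadPool MBean, or
     * reloadSslHostConfig(hostName) when a single SNI host name is given.
     * Returns the number of pools on which the operation succeeded.
     */
    static int reloadAll(MBeanServerConnection mbs, String hostName) throws Exception {
        Set<ObjectName> pools = mbs.queryNames(new ObjectName(THREADPOOL_PATTERN), null);
        int reloaded = 0;
        for (ObjectName pool : pools) {
            try {
                if (hostName == null) {
                    mbs.invoke(pool, "reloadSslHostConfigs", new Object[0], new String[0]);
                } else {
                    mbs.invoke(pool, "reloadSslHostConfig",
                               new Object[] {hostName}, new String[] {String.class.getName()});
                }
                System.out.println("reloaded TLS configuration on " + pool);
                reloaded++;
            } catch (Exception e) {
                // Plain HTTP/AJP connectors also own a ThreadPool MBean; report and keep going
                // so one failure does not prevent the other connectors from being reloaded.
                System.err.println("reload failed on " + pool + ": " + e);
            }
        }
        return reloaded;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ReloadTlsConfig [jmx-url] [sni-host-name|-] [--watch <cert-or-keystore-file>]
        String url = args.length > 0 ? args[0]
                : "service:jmx:rmi:///jndi/rmi://localhost:9010/jmxrmi"; // assumed JMX port
        String hostName = (args.length > 1 && !"-".equals(args[1])) ? args[1] : null;
        Path watched = (args.length > 3 && "--watch".equals(args[2])) ? Paths.get(args[3]) : null;

        Map<String, Object> env = new HashMap<>();
        // Assumed credentials for a JMX role allowed to invoke operations.
        env.put(JMXConnector.CREDENTIALS, new String[] {"controlRole", "changeit"});

        try (JMXConnector connector = JMXConnectorFactory.connect(new JMXServiceURL(url), env)) {
            MBeanServerConnection mbs = connector.getMBeanServerConnection();
            if (watched == null) {
                // One-shot reload: run this after the renewed certificate is in place.
                reloadAll(mbs, hostName);
                return;
            }
            // Opt-in watch mode (only active when --watch is given): poll the file's
            // modification time and reload only when it changes.
            FileTime last = Files.getLastModifiedTime(watched);
            while (true) {
                Thread.sleep(30_000);
                FileTime now = Files.getLastModifiedTime(watched);
                if (!now.equals(last)) {
                    last = now;
                    System.out.println(watched + " changed at " + now + ", reloading");
                    reloadAll(mbs, hostName);
                }
            }
        }
    }
}
```

The reload re-reads whatever certificate and key files the SSLHostConfig already points at, so the renewed material must be written to those paths first; a renewal hook should write the new keystore to a temporary name and rename it into place, so that the watcher never sees, and reloads, a half-written file. The JMX operations reconfigure a live listener, so the JMX port should be bound locally or protected with authentication and TLS, and the Tomcat log should be checked after each reload rather than trusting the exit status of this client alone.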