Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/08/20 17:48:09 UTC

[tomcat] 03/03: Update documentation to reflect removal of APR connector

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit a3a6a89a2fcbe5d432640e7b31808eeb591541ce
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Aug 19 19:16:39 2021 +0100

    Update documentation to reflect removal of APR connector
---
 BUILDING.txt                                      |  24 ++--
 RUNNING.txt                                       |  12 +-
 TOMCAT-NEXT.txt                                   |   4 +
 build.properties.default                          |   2 -
 conf/server.xml                                   |   3 +-
 res/tomcat.nsi                                    |   2 +-
 test/org/apache/coyote/http2/TestHttp2Limits.java |   6 +-
 webapps/docs/apr.xml                              |  59 +---------
 webapps/docs/config/ajp.xml                       |  59 +---------
 webapps/docs/config/http.xml                      | 131 +++-------------------
 webapps/docs/manager-howto.xml                    |   3 +-
 webapps/docs/ssl-howto.xml                        |  87 ++------------
 12 files changed, 57 insertions(+), 335 deletions(-)

diff --git a/BUILDING.txt b/BUILDING.txt
index 07f462f..0670db8 100644
--- a/BUILDING.txt
+++ b/BUILDING.txt
@@ -326,29 +326,29 @@ directory:
 
     output/build/logs
 
-By default the testsuite is run three times to test 3 different
-implementations of Tomcat connectors: NIO, NIO2 and APR. (If you are not
-familiar with Tomcat connectors, see config/http.html in documentation for
-details).
+By default the testsuite is run twice to test the 2 different implementations
+of Tomcat connectors: NIO and NIO2. (If you are not familiar with Tomcat
+connectors, see config/http.html in documentation for details).
 
-The 3 runs are enabled and disabled individually by the following
+The 2 runs are enabled and disabled individually by the following
 properties, which all are "true" by default:
 
     execute.test.nio=true
     execute.test.nio2=true
-    execute.test.apr=true
 
-The APR connector can be tested only if Tomcat-Native library binaries are
-found by the testsuite. The "test.apr.loc" property specifies the directory
-where the library binaries are located.
+The SSL tests will be run twice. Once with the JSSE implementation and once
+with the OpenSSL implementation. The OpenSSL implementation can only can be
+tested if Tomcat-Native library binaries are found by the testsuite. The
+"test.apr.loc" property specifies the directory where the library binaries are
+located.
 
 By default the "test.apr.loc" property specifies the following location:
 
     output/build/bin/native/
 
-If you are on Windows and want to test the APR connector you can put the
-tcnative-1.dll file into ${tomcat.source}/bin/native/ and it will be copied
-into the above directory when the build runs.
+If you are on Windows and want to test the OpenSSL TLS implementation you can
+put the tcnative-1.dll file into ${tomcat.source}/bin/native/ and it will be
+copied into the above directory when the build runs.
 
 The unit tests include tests of the clustering functionality which require
 multicast to be enabled. There is a simple application provided in the Tomcat
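
Review bot: The new SSL paragraph contains a duplicated word in "The OpenSSL implementation can only can be tested"; it should read "can only be tested". The context line above it still says the properties "all are" true by default, which reads oddly for two properties ("both are" would match the new text). Since "test.apr.loc" now locates the Tomcat-Native binaries for the OpenSSL tests rather than for an APR connector, a short remark on why the property keeps its apr name would avoid confusion.
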
diff --git a/RUNNING.txt b/RUNNING.txt
index f96d8b9..7ae9cad 100644
--- a/RUNNING.txt
+++ b/RUNNING.txt
@@ -373,10 +373,9 @@ If you do use them, do not forget to read their documentation.
 Apache Tomcat Native library
 -----------------------------
 
-It is a library that allows to use the "Apr" variant of HTTP and AJP
-protocol connectors in Apache Tomcat. It is built around OpenSSL and Apache
-Portable Runtime (APR) libraries. Those are the same libraries as used by
-Apache HTTPD Server project.
+It is a library that allows to use the OpenSSL variant of the TLS implementation
+for the HTTP connector in Apache Tomcat. It is built around OpenSSL and Apache
+Portable Runtime (APR) libraries.
 
 This feature was especially important in the old days when Java performance
 was poor. It is less important nowadays, but it is still used and respected
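
Review bot: The unchanged paragraph that follows the rewritten description ("This feature was especially important in the old days when Java performance was poor") was written about the Apr connectors and now attaches to the OpenSSL TLS implementation. It should be reworded or dropped so the section says why a user would pick OpenSSL over JSSE today. The new sentence also keeps "allows to use", which would read better as "allows the use of" or "enables".
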
@@ -390,13 +389,10 @@ For further reading:
 
       https://tomcat.apache.org/tomcat-@VERSION_MAJOR_MINOR@-doc/apr.html
 
-    * Documentation for the HTTP and AJP protocol connectors in the Tomcat
-      Configuration Reference
+    * Documentation for the HTTP connector in the Tomcat Configuration Reference
 
       https://tomcat.apache.org/tomcat-@VERSION_MAJOR_MINOR@-doc/config/http.html
 
-      https://tomcat.apache.org/tomcat-@VERSION_MAJOR_MINOR@-doc/config/ajp.html
-
  - Apache Tomcat Native project home
 
       https://tomcat.apache.org/native-doc/
diff --git a/TOMCAT-NEXT.txt b/TOMCAT-NEXT.txt
index c875e67..da59f9b 100644
--- a/TOMCAT-NEXT.txt
+++ b/TOMCAT-NEXT.txt
@@ -33,3 +33,7 @@ Deferred until 10.1.x:
     the JRE with project Panama.
 
  2. Review code forked from Commons projects and consider removing unused code.
+
+ 3. Implement OCSP checks for client certs with NIO/NIO2.
+    Useful reference:
+    https://stackoverflow.com/questions/5161504/ocsp-revocation-on-client-certificate
\ No newline at end of file
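
Review bot: The new item 3 is the only place in this commit that records OCSP checks for client certificates as still to be implemented for NIO/NIO2; the user-facing changes to ssl-howto.xml and config/http.xml do not mention it. If revocation checking of client certificates is not available with the remaining connectors, that belongs in the TLS documentation, because deployments relying on client-certificate authentication need to know. The hunk also leaves the file without a trailing newline ("\ No newline at end of file"), and the item lands under "Deferred until 10.1.x:", so it is worth confirming that heading is still the intended one.
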
diff --git a/build.properties.default b/build.properties.default
index c05a246..f745036 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -44,8 +44,6 @@ execute.validate=false
 execute.download=true
 execute.test.nio=true
 execute.test.nio2=true
-# Still requires APR/native library to be present
-execute.test.apr=true
 # Stop testing if a failure occurs
 test.haltonfailure=false
 # Activate AccessLog during testing
diff --git a/conf/server.xml b/conf/server.xml
index 5bd92eb..72bda52 100644
--- a/conf/server.xml
+++ b/conf/server.xml
@@ -78,8 +78,7 @@
     <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
          This connector uses the NIO implementation. The default
          SSLImplementation will depend on the presence of the APR/native
-         library and the useOpenSSL attribute of the
-         AprLifecycleListener.
+         library and the useOpenSSL attribute of the AprLifecycleListener.
          Either JSSE or OpenSSL style configuration may be used regardless of
          the SSLImplementation selected. JSSE style configuration is used below.
     -->
diff --git a/res/tomcat.nsi b/res/tomcat.nsi
index 3f92c83..b22e7e8 100644
--- a/res/tomcat.nsi
+++ b/res/tomcat.nsi
@@ -146,7 +146,7 @@ Var ServiceInstallLog
   LangString DESC_SecTomcat ${LANG_ENGLISH} "Install the Tomcat Servlet container as a Windows service."
   LangString DESC_SecTomcatCore ${LANG_ENGLISH} "Install the Tomcat Servlet container core and create the Windows service."
   LangString DESC_SecTomcatService ${LANG_ENGLISH} "Automatically start the Tomcat service when the computer is started."
-  LangString DESC_SecTomcatNative ${LANG_ENGLISH} "Install APR based Tomcat native .dll for better performance and scalability in production environments."
+  LangString DESC_SecTomcatNative ${LANG_ENGLISH} "Install APR based Tomcat native .dll to enable the OpenSSL based TLS implementation for HTTP connectors."
   LangString DESC_SecMenu ${LANG_ENGLISH} "Create a Start Menu program group for Tomcat."
   LangString DESC_SecDocs ${LANG_ENGLISH} "Install the Tomcat documentation bundle. This includes documentation on the servlet container and its configuration options, on the Jasper JSP page compiler, as well as on the native webserver connectors."
   LangString DESC_SecManager ${LANG_ENGLISH} "Install the Tomcat Manager administrative web application."
diff --git a/test/org/apache/coyote/http2/TestHttp2Limits.java b/test/org/apache/coyote/http2/TestHttp2Limits.java
index 2cc7792..f4a7b35 100644
--- a/test/org/apache/coyote/http2/TestHttp2Limits.java
+++ b/test/org/apache/coyote/http2/TestHttp2Limits.java
@@ -291,9 +291,9 @@ public class TestHttp2Limits extends Http2TestBase {
             String limitMessage = sm.getString("http2Parser.headerLimitSize", "\\d++", "3");
             limitMessage = limitMessage.replace("[", "\\[").replace("]", "\\]");
             // Connection reset. Connection ID will vary so use a pattern
-            // On some platform / Connector combinations (e.g. Windows / APR),
-            // the TCP connection close will be processed before the client gets
-            // a chance to read the connection close frame which will trigger an
+            // On some platform / Connector combinations the TCP connection close
+            // will be processed before the client gets a chance to read the
+            // connection close frame which will trigger an
             // IOException when we try to read the frame.
             // Note: Some platforms will allow the read if if the write fails
             //       above.
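
Review bot: Dropping the "(e.g. Windows / APR)" example leaves the comment without any concrete case, so a later reader cannot tell which platform / Connector combinations need the IOException path. If the behaviour is still seen with NIO or NIO2 on some platform, name it; otherwise consider whether the tolerance is still needed. The re-wrapped line "connection close frame which will trigger an" is now short and could be joined with the next one, and the context line below has a doubled "if if" that could be fixed in the same pass.
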
diff --git a/webapps/docs/apr.xml b/webapps/docs/apr.xml
index 21b2006..ba84ee8 100644
--- a/webapps/docs/apr.xml
+++ b/webapps/docs/apr.xml
@@ -37,12 +37,7 @@
 
   <p>
       Tomcat can use the <a href="https://apr.apache.org/">Apache Portable Runtime</a> to
-      provide superior scalability, performance, and better integration with native server
-      technologies. The Apache Portable Runtime is a highly portable library that is at
-      the heart of Apache HTTP Server 2.x. APR has many uses, including access to advanced IO
-      functionality (such as sendfile, epoll and OpenSSL), OS level functionality (random number
-      generation, system status, etc), and native process handling (shared memory, NT
-      pipes and Unix sockets).
+      provide an OpenSSL based TLS implementation for the HTTP connectors.
   </p>
 
   <p>
@@ -111,22 +106,9 @@
 
   <p>
     Once the libraries are properly installed and available to Java (if loading fails, the library path
-    will be displayed), the Tomcat connectors will automatically use APR. Configuration of the connectors
-    is similar to the regular connectors, but have a few extra attributes which are used to configure
-    APR components. Note that the defaults should be well tuned for most use cases, and additional
-    tweaking shouldn't be required.
+    will be displayed), the Tomcat connectors will automatically use APR.
   </p>
 
-  <p>
-    When APR is enabled, the following features are also enabled in Tomcat:
-  </p>
-  <ul>
-    <li>Secure session ID generation by default on all platforms (platforms other than Linux required
-        random number generation using a configured entropy)</li>
-    <li>OS level statistics on memory usage and CPU usage by the Tomcat process are displayed by
-        the status servlet</li>
-  </ul>
-
   </section>
 
   <section name="APR Lifecycle Listener Configuration">
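
Review bot: The retained sentence still says "the Tomcat connectors will automatically use APR", which contradicts the new introduction stating that APR is used to provide an OpenSSL based TLS implementation for the HTTP connectors. Suggest wording along the lines of "the HTTP connectors will be able to use the OpenSSL based TLS implementation". The removed list also covered secure session ID generation and OS level statistics in the status servlet; readers upgrading would benefit from a line saying whether those behaviours change.
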
@@ -134,42 +116,5 @@
     listener configuration</a>.</p>
   </section>
 
-  <section name="APR Connectors Configuration">
-
-    <p><strong>Note: The APR/Native AJP and HTTP Connectors are deprecated and
-    will be removed in Tomcat 10.1.x onwards.</strong></p>
-
-    <subsection name="HTTP/HTTPS">
-
-      <p>For HTTP configuration, see the <a href="config/http.html">HTTP</a>
-      connector configuration documentation.</p>
-
-      <p>For HTTPS configuration, see the
-      <a href="config/http.html#SSL_Support">HTTPS</a> connector configuration
-      documentation.</p>
-
-      <p>An example SSL Connector declaration is:</p>
-      <source><![CDATA[    <Connector port="443"
-               protocol="org.apache.coyote.http11.Http11AprProtocol"
-               SSLEnabled="true" scheme="https" secure="true"
-               socket.directBuffer="true" socket.directSslBuffer="true">
-        <SSLHostConfig protocols="TLSv1.3">
-            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
-                         type="RSA" />
-        </SSLHostConfig>
-    </Connector>]]></source>
-
-
-    </subsection>
-
-    <subsection name="AJP">
-
-      <p>For AJP configuration, see the <a href="config/ajp.html">AJP</a>
-      connector configuration documentation.</p>
-
-    </subsection>
-
-  </section>
-
 </body>
 </document>
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 81c825a..3188454 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -36,9 +36,6 @@
 
 <section name="Introduction">
 
-  <p><strong>Note: The APR/Native AJP Connector is deprecated and will be
-  removed in Tomcat 10.1.x onwards.</strong></p>
-
   <p>The <strong>AJP Connector</strong> element represents a
   <strong>Connector</strong> component that communicates with a web
   connector via the <code>AJP</code> protocol.  This is used for cases
@@ -202,8 +199,6 @@
         - non blocking Java NIO connector.<br/>
         <code>org.apache.coyote.ajp.AjpNio2Protocol</code>
         - non blocking Java NIO2 connector.<br/>
-        <code>org.apache.coyote.ajp.AjpAprProtocol</code>
-        - the APR/native connector (deprecated - will be removed in 10.1.x).<br/>
         Custom implementations may also be used.<br/>
         Take a look at our <a href="#Connector_Comparison">Connector
         Comparison</a> chart.
@@ -288,9 +283,8 @@
 
   <p>To use AJP, you must specify the protocol attribute (see above).</p>
 
-  <p>The standard AJP connectors (NIO, NIO2 and APR/native) all support the
-  following attributes in addition to the common Connector attributes listed
-  above.</p>
+  <p>The standard AJP connectors (NIO and NIO2) both support the following
+  attributes in addition to the common Connector attributes listed above.</p>
 
   <attributes>
 
@@ -325,11 +319,7 @@
       default, the connector will listen on the loopback address. Unless the JVM
       is configured otherwise using system properties, the Java based connectors
       (NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured
-      with either <code>0.0.0.0</code> or <code>::</code>. The APR/native
-      connector will only listen on IPv4 addresses if configured with
-      <code>0.0.0.0</code> and will listen on IPv6 addresses (and optionally
-      IPv4 addresses depending on the setting of <strong>ipv6v6only</strong>) if
-      configured with <code>::</code>.</p>
+      with either <code>0.0.0.0</code> or <code>::</code>.</p>
     </attribute>
 
     <attribute name="allowedRequestAttributesPattern" required="false">
@@ -371,10 +361,7 @@
       <p>When client certificate information is presented in a form other than
       instances of <code>java.security.cert.X509Certificate</code> it needs to
       be converted before it can be used and this property controls which JSSE
-      provider is used to perform the conversion. For example it is used with
-      the AJP connectors, the <a href="http.html">HTTP APR connector</a> and
-      with the <a href="valve.html#SSL_Authenticator_Valve">
-      org.apache.catalina.valves.SSLValve</a>.If not specified, the default
+      provider is used to perform the conversion. If not specified, the default
       provider will be used.</p>
     </attribute>
 
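
Review bot: In the paragraph about converting client certificate information, only "the HTTP APR connector" is APR specific, yet the whole example sentence is removed, including the AJP connectors and org.apache.catalina.valves.SSLValve. On the AJP reference page the AJP example is the relevant one, so suggest keeping the sentence with the AJP connectors and the SSLValve as examples and dropping just the APR clause. The missing space in the old "SSLValve</a>.If not specified" goes away either way.
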
@@ -771,34 +758,6 @@
     </attributes>
   </subsection>
 
-  <subsection name="APR/native specific configuration">
-
-    <p><strong>Note: The APR/Native AJP Connector is deprecated and will be
-    removed in Tomcat 10.1.x onwards.</strong></p>
-
-    <p>The APR/native implementation supports the following attributes in
-    addition to the common Connector and AJP attributes listed above.</p>
-
-    <attributes>
-      <attribute name="ipv6v6only" required="false">
-        <p>If listening on an IPv6 address on a dual stack system, should the
-        connector only listen on the IPv6 address? If not specified the default
-        is <code>false</code> and the connector will listen on the IPv6 address
-        and the equivalent IPv4 address if present.</p>
-      </attribute>
-
-      <attribute name="pollTime" required="false">
-        <p>Duration of a poll call in microseconds. Lowering this value will
-        slightly decrease latency of connections being kept alive in some cases
-        , but will use more CPU as more poll calls are being made. The default
-        value is 2000 (2ms).
-        </p>
-    </attribute>
-
-    </attributes>
-
-  </subsection>
-
 </section>
 
 
@@ -836,61 +795,51 @@
         <th />
         <th style="text-align: center;">Java Nio Connector<br />NIO</th>
         <th style="text-align: center;">Java Nio2 Connector<br />NIO2</th>
-        <th style="text-align: center;">APR/native Connector<br />APR<br />(deprecated)</th>
       </tr>
       <tr>
         <th>Classname</th>
         <td><code class="noHighlight">AjpNioProtocol</code></td>
         <td><code class="noHighlight">AjpNio2Protocol</code></td>
-        <td><code class="noHighlight">AjpAprProtocol</code></td>
       </tr>
       <tr>
         <th>Tomcat Version</th>
         <td>7.x onwards</td>
         <td>8.x onwards</td>
-        <td>5.5.x onwards</td>
       </tr>
       <tr>
         <th>Support Polling</th>
         <td>YES</td>
         <td>YES</td>
-        <td>YES</td>
       </tr>
       <tr>
         <th>Polling Size</th>
         <td><code class="noHighlight">maxConnections</code></td>
         <td><code class="noHighlight">maxConnections</code></td>
-        <td><code class="noHighlight">maxConnections</code></td>
       </tr>
       <tr>
         <th>Read Request Headers</th>
         <td>Blocking</td>
         <td>Blocking</td>
-        <td>Blocking</td>
       </tr>
       <tr>
         <th>Read Request Body</th>
         <td>Blocking</td>
         <td>Blocking</td>
-        <td>Blocking</td>
       </tr>
       <tr>
         <th>Write Response Headers and Body</th>
         <td>Blocking</td>
         <td>Blocking</td>
-        <td>Blocking</td>
       </tr>
       <tr>
         <th>Wait for next Request</th>
         <td>Non Blocking</td>
         <td>Non Blocking</td>
-        <td>Non Blocking</td>
       </tr>
       <tr>
         <th>Max Connections</th>
         <td><code class="noHighlight">maxConnections</code></td>
         <td><code class="noHighlight">maxConnections</code></td>
-        <td><code class="noHighlight">maxConnections</code></td>
       </tr>
     </table>
 
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 2b36912..9a800ed 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -36,9 +36,6 @@
 
 <section name="Introduction">
 
-  <p><strong>Note: The APR/Native HTTP Connector is deprecated and will be
-  removed in Tomcat 10.1.x onwards.</strong></p>
-
   <p>The <strong>HTTP Connector</strong> element represents a
   <strong>Connector</strong> component that supports the HTTP/1.1 protocol.
   It enables Catalina to function as a stand-alone web server, in addition
@@ -233,14 +230,10 @@
               non blocking Java NIO connector<br/>
         <code>org.apache.coyote.http11.Http11Nio2Protocol</code> -
               non blocking Java NIO2 connector<br/>
-        <code>org.apache.coyote.http11.Http11AprProtocol</code> -
-              the APR/native connector (deprecated - will be removed in 10.1.x).<br/>
         Custom implementations may also be used.<br/>
         Take a look at our <a href="#Connector_Comparison">Connector
-        Comparison</a> chart. The configuration for both Java connectors is
-        identical, for http and https.<br/>
-        For more information on the APR connector and APR specific SSL settings
-        please  visit the <a href="../apr.html">APR documentation</a>
+        Comparison</a> chart. The configuration for Java connectors is
+        identical, for http and https.
       </p>
     </attribute>
 
@@ -327,9 +320,8 @@
 
   <subsection name="Standard Implementation">
 
-  <p>The standard HTTP connectors (NIO, NIO2 and APR/native) all support the
-  following attributes in addition to the common Connector attributes listed
-  above.</p>
+  <p>The standard HTTP connectors (NIO and NIO2) all support the following
+  attributes in addition to the common Connector attributes listed above.</p>
 
   <attributes>
 
@@ -356,11 +348,7 @@
       default, the connector will listen all local addresses. Unless the JVM is
       configured otherwise using system properties, the Java based connectors
       (NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured
-      with either <code>0.0.0.0</code> or <code>::</code>. The APR/native
-      connector will only listen on IPv4 addresses if configured with
-      <code>0.0.0.0</code> and will listen on IPv6 addresses (and optionally
-      IPv4 addresses depending on the setting of <strong>ipv6v6only</strong>) if
-      configured with <code>::</code>.</p>
+      with either <code>0.0.0.0</code> or <code>::</code>.</p>
     </attribute>
 
     <attribute name="allowHostHeaderMismatch" required="false">
@@ -387,11 +375,7 @@
       <p>When client certificate information is presented in a form other than
       instances of <code>java.security.cert.X509Certificate</code> it needs to
       be converted before it can be used and this property controls which JSSE
-      provider is used to perform the conversion. For example it is used with
-      the <a href="ajp.html">AJP connectors</a>, the HTTP APR connector and
-      with the <a href="valve.html#SSL_Authenticator_Valve">
-      org.apache.catalina.valves.SSLValve</a>. If not specified, the default
-      provider will be used.</p>
+      provider is used to perform the conversion.</p>
     </attribute>
 
     <attribute name="compressibleMimeType" required="false">
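
Review bot: The sentence "If not specified, the default provider will be used." is lost in the rewritten paragraph, whereas the matching paragraph in config/ajp.xml keeps it. The default behaviour is not APR specific, so restore it here to keep the two pages consistent. As in ajp.xml, the AJP connector and SSLValve examples are also not APR specific and look worth keeping.
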
@@ -686,8 +670,7 @@
 
     <attribute name="useAsyncIO" required="false">
       <p>(bool) Use this attribute to enable or disable usage of the
-      asynchronous IO API. The default value is <code>true</code> except when
-      using the APR connector due to low performance.</p>
+      asynchronous IO API. The default value is <code>true</code>.</p>
     </attribute>
 
     <attribute name="useKeepAliveResponseHeader" required="false">
@@ -1003,73 +986,6 @@
     </attributes>
   </subsection>
 
-  <subsection name="APR/native specific configuration">
-
-    <p><strong>Note: The APR/Native HTTP Connector is deprecated and will be
-    removed in Tomcat 10.1.x onwards.</strong></p>
-
-    <p>The following attributes are specific to the APR/native connector.</p>
-
-    <attributes>
-
-      <attribute name="deferAccept" required="false">
-        <p>Sets the <code>TCP_DEFER_ACCEPT</code> flag on the listening socket
-        for this connector. The default value is <code>true</code> where
-        <code>TCP_DEFER_ACCEPT</code> is supported by the operating system,
-        otherwise it is <code>false</code>.</p>
-      </attribute>
-
-      <attribute name="ipv6v6only" required="false">
-        <p>If listening on an IPv6 address on a dual stack system, should the
-        connector only listen on the IPv6 address? If not specified the default
-        is <code>false</code> and the connector will listen on the IPv6 address
-        and the equivalent IPv4 address if present.</p>
-      </attribute>
-
-      <attribute name="pollerThreadCount" required="false">
-        <p>Number of threads used to poll kept alive connections. On Windows the
-        default is chosen so that the sockets managed by each thread is
-        less than 1024. For Linux the default is 1. Changing the default on
-        Windows is likely to have a negative performance impact.</p>
-      </attribute>
-
-      <attribute name="pollTime" required="false">
-        <p>Duration of a poll call in microseconds. Lowering this value will
-        slightly decrease latency of connections being kept alive in some cases,
-        but will use more CPU as more poll calls are being made. The default
-        value is 2000 (2ms).</p>
-      </attribute>
-
-      <attribute name="sendfileSize" required="false">
-        <p>Amount of sockets that the poller responsible for sending static
-        files asynchronously can hold at a given time. Extra connections will be
-        closed right away without any data being sent (resulting in a zero
-        length file on the client side). Note that in most cases, sendfile is a
-        call that will return right away (being taken care of "synchronously" by
-        the kernel), and the sendfile poller will not be used, so the amount of
-        static files which can be sent concurrently is much larger than the
-        specified amount. The default value is 1024.</p>
-      </attribute>
-
-      <attribute name="threadPriority" required="false">
-        <p>(int)The priority of the acceptor and poller threads.
-        The default value is <code>5</code> (the value of the
-        <code>java.lang.Thread.NORM_PRIORITY</code> constant). See the JavaDoc
-        for the <code>java.lang.Thread</code> class for more details on what
-        this priority means.</p>
-      </attribute>
-
-      <attribute name="useSendfile" required="false">
-        <p>(bool)Use this attribute to enable or disable sendfile capability.
-        The default value is <code>true</code>. Note that the use of sendfile
-        will disable any compression that Tomcat may otherwise have performed on
-        the response.</p>
-      </attribute>
-
-    </attributes>
-
-  </subsection>
-
 </section>
 
 
@@ -1155,10 +1071,7 @@
   </p>
 
   <p>For users of Java 16 and higher, support is provided within the NIO
-  connectors. For users of Java earlier than 16, support is provided by
-  the <code>org.apache.coyote.http11.Http11AprProtocol</code> connector when
-  used with the Apache Tomcat Native library v1.2.26 and up, along with
-  Apache Portable Runtime v1.6 and higher.
+  connectors.
   </p>
 
   <p>The socket path is created with read and write permissions for all
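
Review bot: After the rewrite the paragraph only says that Java 16 and higher is supported within the NIO connectors and is silent about earlier Java versions, for which the removed text named Http11AprProtocol as the way to get support. State explicitly that this feature now requires Java 16 or later, so users on older runtimes do not go looking for a missing setting. The sentence also now fits on one line rather than leaving "connectors." on a line of its own.
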
@@ -1194,14 +1107,8 @@
   respectively, to pass correct information to the servlets.</p>
 
   <p>The NIO and NIO2 connectors use either the JSSE Java SSL implementation or
-  an OpenSSL implementation, whereas the APR/native connector uses OpenSSL only.
-  Prior to Tomcat 8.5, different configuration attributes were used for JSSE and
-  OpenSSL. From Tomcat 8.5 onwards, and as far as possible, common configuration
-  attributes are used for both JSSE and OpenSSL. Also if using the JSSE OpenSSL
-  implementation, configuration can be set using either the JSSE or APR
-  attributes (note: but not both types within the same configuration). This is
-  to aid simpler switching between connector implementations for SSL
-  connectors.</p>
+  an OpenSSL implementation. As far as possible, common configuration attributes
+  are used for both JSSE and OpenSSL.</p>
 
   <p>Each secure connector must define at least one
   <strong>SSLHostConfig</strong>. The names of the
@@ -1625,9 +1532,9 @@
       will be used which wraps JVM&apos;s default JSSE provider. Note that the
       JVM can be configured to use a different JSSE provider as the default.
       Tomcat also bundles a special SSL implementation for JSSE that is backed
-      by OpenSSL. To enable it, the native library should be enabled as if
-      intending to use the APR connector, and Tomcat will automatically enable it
-      and the default value of this attribute becomes
+      by OpenSSL. To enable it, the native library should be enabled and Tomcat
+      will automatically enable it and the default value of this attribute
+      becomes
       <code>org.apache.tomcat.util.net.openssl.OpenSSLImplementation</code>.
       In that case, the attributes from either JSSE and OpenSSL
       configuration styles can be used, as long as the two types are not mixed
@@ -1684,73 +1591,61 @@
         <th />
         <th style="text-align: center;">Java Nio Connector<br />NIO</th>
         <th style="text-align: center;">Java Nio2 Connector<br />NIO2</th>
-        <th style="text-align: center;">APR/native Connector<br />APR<br />(deprecated)</th>
       </tr>
       <tr>
         <th>Classname</th>
         <td><code class="noHighlight">Http11NioProtocol</code></td>
         <td><code class="noHighlight">Http11Nio2Protocol</code></td>
-        <td><code class="noHighlight">Http11AprProtocol</code></td>
       </tr>
       <tr>
         <th>Tomcat Version</th>
         <td>since 6.0.x</td>
         <td>since 8.0.x</td>
-        <td>since 5.5.x</td>
       </tr>
       <tr>
         <th>Support Polling</th>
         <td>YES</td>
         <td>YES</td>
-        <td>YES</td>
       </tr>
       <tr>
         <th>Polling Size</th>
         <td><code class="noHighlight">maxConnections</code></td>
         <td><code class="noHighlight">maxConnections</code></td>
-        <td><code class="noHighlight">maxConnections</code></td>
       </tr>
       <tr>
         <th>Read Request Headers</th>
         <td>Non Blocking</td>
         <td>Non Blocking</td>
-        <td>Non Blocking</td>
       </tr>
       <tr>
         <th>Read Request Body</th>
         <td>Blocking</td>
         <td>Blocking</td>
-        <td>Blocking</td>
       </tr>
       <tr>
         <th>Write Response Headers and Body</th>
         <td>Blocking</td>
         <td>Blocking</td>
-        <td>Blocking</td>
       </tr>
       <tr>
         <th>Wait for next Request</th>
         <td>Non Blocking</td>
         <td>Non Blocking</td>
-        <td>Non Blocking</td>
       </tr>
       <tr>
         <th>SSL Support</th>
         <td>Java SSL or OpenSSL</td>
         <td>Java SSL or OpenSSL</td>
-        <td>OpenSSL</td>
       </tr>
       <tr>
         <th>SSL Handshake</th>
         <td>Non blocking</td>
         <td>Non blocking</td>
-        <td>Blocking</td>
       </tr>
       <tr>
         <th>Max Connections</th>
         <td><code class="noHighlight">maxConnections</code></td>
         <td><code class="noHighlight">maxConnections</code></td>
-        <td><code class="noHighlight">maxConnections</code></td>
       </tr>
     </table>
 
diff --git a/webapps/docs/manager-howto.xml b/webapps/docs/manager-howto.xml
index 7161b2b..6ae9da1 100644
--- a/webapps/docs/manager-howto.xml
+++ b/webapps/docs/manager-howto.xml
@@ -873,8 +873,7 @@ has been reloaded several times, it may be listed several times.</p>
 <source>http://localhost:8080/manager/text/sslConnectorCiphers</source>
 
 <p>The SSL Connector/Ciphers diagnostic lists the SSL/TLS ciphers that are currently
-configured for each connector. For NIO and NIO2, the names of the individual
-cipher suites are listed. For APR, the value of SSLCipherSuite is returned.</p>
+configured for each connector.</p>
 
 <p>The response will look something like this:</p>
 <source>OK - Connector / SSL Cipher information
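
Review bot: Only "For APR, the value of SSLCipherSuite is returned." is APR specific; the removed statement that the names of the individual cipher suites are listed still describes what the diagnostic returns for NIO and NIO2 and tells operators how to read the output when auditing configured ciphers. Suggest keeping it as "The names of the individual cipher suites are listed."
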
diff --git a/webapps/docs/ssl-howto.xml b/webapps/docs/ssl-howto.xml
index 712dba1..cf83139 100644
--- a/webapps/docs/ssl-howto.xml
+++ b/webapps/docs/ssl-howto.xml
@@ -115,10 +115,8 @@ for your version of Java for details on protocol and algorithm support.</p>
 the <a href="https://www.openssl.org/">OpenSSL</a> cryptographic provider
 through JCA/JCE/JSSE which may provide a different selection of cryptographic
 algorithms and/or performance benefits relative to the SunJCE provider.
-You can also use <code>tcnative</code> to enable the deprecated
-<a href="apr.html">APR</a> connector which uses OpenSSL for its
-cryptographic operations. Check the documentation for your version of OpenSSL
-for details on protocol and algorithm support.</p>
+Check the documentation for your version of OpenSSL for details on protocol and
+algorithm support.</p>
 
 </section>
 
@@ -254,12 +252,11 @@ Certificate that can be used by your server.</p>
 
 <subsection name="Edit the Tomcat Configuration File">
 <p>
-Tomcat can use three different implementations of SSL:
+Tomcat can use two different implementations of SSL:
 </p>
 <ul>
 <li>JSSE implementation provided as part of the Java runtime</li>
 <li>JSSE implementation that uses OpenSSL</li>
-<li>APR implementation (deprecated), which uses the OpenSSL engine by default</li>
 </ul>
 <p>
 The exact configuration details depend on which implementation is being used.
@@ -287,32 +284,23 @@ loaded or not, use one of the following:</p>
            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
            port="8443" .../>]]></source>
 
-<p>The OpenSSL JSSE implementation can also be configured explicitly if needed. If the APR library
-is installed (as for using the APR connector), using the sslImplementationName attribute
-allows enabling it. When using the OpenSSL JSSE implementation, the configuration can use
-either the JSSE attributes or
-the OpenSSL attributes (as used for the APR connector), but must not mix attributes from
-both types in the same SSLHostConfig or Connector element.</p>
+<p>The OpenSSL JSSE implementation can also be configured explicitly if needed.
+If the APR library is installed, using the sslImplementationName attribute
+allows enabling it. When using the OpenSSL JSSE implementation, the
+configuration can use either the JSSE attributes or the OpenSSL attributes, but
+must not mix attributes from both types in the same SSLHostConfig or Connector
+element.</p>
 <source><![CDATA[<!-- Define an HTTP/1.1 Connector on port 8443, JSSE NIO implementation and OpenSSL -->
 <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
            sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
            .../>]]></source>
 
-<p>Alternatively, to specify a deprecated APR connector (the APR library must be available) use:</p>
-<source><![CDATA[<!-- Define an HTTP/1.1 Connector on port 8443, APR implementation -->
-<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
-           port="8443" .../>]]></source>
-
-<p>If you are using APR or JSSE OpenSSL, you have the option of configuring an alternative engine to OpenSSL.</p>
+<p>If you are using JSSE OpenSSL, you have the option of configuring an alternative engine to OpenSSL.</p>
 <source><![CDATA[<Listener className="org.apache.catalina.core.AprLifecycleListener"
           SSLEngine="someengine" SSLRandomSeed="somedevice" />]]></source>
 <p>The default value is</p>
 <source><![CDATA[<Listener className="org.apache.catalina.core.AprLifecycleListener"
           SSLEngine="on" SSLRandomSeed="builtin" />]]></source>
-<p>Also the <code>useAprConnector</code> attribute may be used to have Tomcat default to
-using the APR connector rather than the NIO connector:</p>
-<source><![CDATA[<Listener className="org.apache.catalina.core.AprLifecycleListener"
-          useAprConnector="true" SSLEngine="on" SSLRandomSeed="builtin" />]]></source>
 <p>
 So to enable OpenSSL, make sure the SSLEngine attribute is set to something other than <code>off</code>.
 The default value is <code>on</code> and if you specify another value,
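Review bot: in the rewritten paragraph, "If the APR library is installed, using the sslImplementationName attribute allows enabling it" no longer has the "(as for using the APR connector)" parenthetical to explain which library is meant, and "the OpenSSL attributes" lost its only pointer, "(as used for the APR connector)". With the APR connector gone from the docs, a reader cannot tell from this text which library to install or which attributes count as OpenSSL-style. Suggest naming the native library explicitly (the page elsewhere calls it tcnative and links apr.html) and pointing to where the JSSE and OpenSSL attribute sets of SSLHostConfig are documented. The same hunk keeps two AprLifecycleListener examples, so a short sentence on why that listener is still required for JSSE OpenSSL would prevent it from looking like a leftover.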
@@ -356,7 +344,7 @@ so it looks something like this:</p>
   is:</p>
 <source><![CDATA[<!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->
 <Connector
-    protocol="org.apache.coyote.http11.Http11AprProtocol"
+    protocol="org.apache.coyote.http11.Http11NioProtocol"
     port="8443"
     maxThreads="150"
     SSLEnabled="true" >
@@ -530,49 +518,6 @@ nsComment="Testing OCSP Certificate"
 </ul>
 </subsection>
 
-<subsection name="Configuring OCSP Connector">
-
-<p>To configure the OCSP connector, first verify that you are loading the Tomcat
-   APR library. Check the <a href="apr.html#Installation">
-   Apache Portable Runtime (APR) based Native library for Tomcat</a>
-for more information about installation of APR. A basic OCSP-enabled connector
- definition in the <code>server.xml</code> file looks as follows:</p>
-<source>
-<![CDATA[<Connector
-    port="8443"
-    protocol="org.apache.coyote.http11.Http11AprProtocol"
-    secure="true"
-    scheme="https"
-    SSLEnabled="true"
-  <SSLHostConfig
-      caCertificateFile="/path/to/ca.pem"
-      certificateVerification="require"
-      certificateVerificationDepth="10" >
-    <Certificate
-        certificateFile="/path/to/ocsp-cert.crt"
-        certificateKeyFile="/path/to/ocsp-cert.key" />
-  </SSLHostConfig>]]>
-</source>
-</subsection>
-
-<subsection name="Starting OCSP Responder">
-  <p>Apache Tomcat will query an OCSP responder server to get the certificate
-  status. When testing, an easy way to create an OCSP responder is by executing
-   the following:
-  <source>openssl ocsp -port 127.0.0.1:8088 \
-    -text -sha256 -index index.txt \
-    -CA ca-chain.cert.pem -rkey ocsp-cert.key \
-    -rsigner ocsp-cert.crt</source> </p>
-
- <p>Do note that when using OCSP, the responder encoded in the connector
-   certificate must be running. For further information, see
-   <a href="https://www.openssl.org/docs/man1.1.0/apps/ocsp.html">
-     OCSP documentation
-   </a>.
- </p>
-
-</subsection>
-
 </section>
 
 <section name="Troubleshooting">
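Review bot: deleting both the "Configuring OCSP Connector" and "Starting OCSP Responder" subsections leaves the preceding OCSP material (the hunk context shows it ending at the nsComment="Testing OCSP Certificate" steps) without any instructions for using the certificate it produces. Only the connector example is tied to Http11AprProtocol; the openssl ocsp responder command and the note that the responder encoded in the certificate must be running do not mention APR at all. If OCSP verification is available with one of the remaining implementations, port the connector example to that protocol and keep the responder subsection. If it is not, remove or rewrite the remaining OCSP text in the same commit so the section does not end at certificate generation.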
@@ -630,7 +575,7 @@ SSL communications, and what to do about them.</p>
     "java.security.InvalidAlgorithmParameterException: Prime size must be multiple
     of 64, and can only range from 512 to 1024 (inclusive)"
 
-    <p>If you are using the APR/native connector or the JSSE OpenSSL implementation,
+    <p>If you are using the the JSSE OpenSSL implementation,
     it will determine the strength of ephemeral DH keys from the key size of
     your RSA certificate. For example a 2048 bit RSA key will result in
     using a 2048 bit prime for the DH keys. Unfortunately Java 6 only supports
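Review bot: typo in the added line, "If you are using the the JSSE OpenSSL implementation," has a doubled "the" left over from removing "APR/native connector or". It should read "If you are using the JSSE OpenSSL implementation,".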
@@ -700,9 +645,6 @@ public class SessionTrackingModeListener implements ServletContextListener {
 
 }]]></source>
 
-  <p>Note: SSL session tracking is implemented for the NIO and NIO2 connectors.
-     It is not yet implemented for the APR connector.</p>
-
 </section>
 
 <section name="Miscellaneous Tips and Bits">
@@ -728,11 +670,6 @@ mgr.invalidateSession();
 // Close the connection since the SSL session will be active until the connection
 // is closed
 response.setHeader("Connection", "close");]]></source>
-  <p>
-    Note that this code is Tomcat specific due to the use of the
-    SSLSessionManager class. This is currently only available for the NIO and
-    NIO2 connectors, not the APR/native connector.
-  </p>
 </section>
 
 </body>
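Review bot: the removed note carried two statements, and only the second is about APR. "Note that this code is Tomcat specific due to the use of the SSLSessionManager class" is a portability caveat for the sample code above it and does not depend on which connectors exist. Suggest keeping that sentence and dropping only "This is currently only available for the NIO and NIO2 connectors, not the APR/native connector."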
