Posted to dev@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2019/10/07 14:39:11 UTC

[PROPOSAL] Tomcat 10: Drop APR Connector

All,

I recently gave a presentation on locking-down Apache Tomcat[1] and I
briefly discussed the "sharp edges" present in Tomcat. Some of them
are unnecessarily sharp and may be actually unnecessary. I'm going to
make a few proposals to remove functions from Tomcat.

Proposal: Remove APR connector

Justification:

The APR connector was once used to provide superior I/O when compared
to the only other available I/O mechanism available in Java: blocking
I/O. Specifically, the APR connector allowed Tomcat to wait for
keepalive requests on a connection in a non-blocking fashion which
was not possible with Java BIO-based connectors.

The introduction of NIO into Java back in Java 1.4 (!!) changed
things, and NIO support was added to Tomcat in 6.0. Now that it has
had time to mature, the NIO connector is superior to the APR connector
in several ways:

1. NIO connector allows non-blocking TLS handshakes
2. NIO connector uses less (Tomcat-owned) native code

The first item improves performance and availability and the second
item improves stability (and thus availability).

The last advantage which (until recently) made the APR connector still
very useful was the ability to use the OpenSSL cryptographic library
for all cryptographic operations which is measurably
higher-performance than those typically provided by the JVM.

This last advantage no longer exists since we have a JSSE provider
available for OpenSSL using libtcnative.

Notes:

This proposal does not recommend the removal of libtcnative. Only the
removal of the APR connector, the APR lifecycle listener, and the
associated native code required to support those components.

-chris


[1] http://tomcat.apache.org/presentations.html#latest-locking-down-tomcat

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
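
Added example, not part of the original message and not Tomcat project code: a Python audit that classifies each `<Connector>` in a `server.xml` as APR (explicit or auto-selected), OpenSSL through the JSSE provider, or JVM JSSE, which is the inventory needed before the APR connector goes away. The class names and the `useAprConnector` / `sslImplementationName` attributes are taken from the Tomcat 8.5/9 configuration reference as assumptions; the sample `server.xml` is constructed.

```python
import xml.etree.ElementTree as ET

# Class and attribute names assumed from the Tomcat 8.5/9 configuration reference.
APR_PROTOCOLS = {
    "org.apache.coyote.http11.Http11AprProtocol",
    "org.apache.coyote.ajp.AjpAprProtocol",
}
AUTO_PROTOCOLS = {"HTTP/1.1", "AJP/1.3"}  # resolved to APR or NIO at startup
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
TLS_IMPLS = {
    None: "tls-impl-unset",  # Tomcat chooses the implementation at startup
    "org.apache.tomcat.util.net.openssl.OpenSSLImplementation": "openssl-via-jsse",
    "org.apache.tomcat.util.net.jsse.JSSEImplementation": "jvm-jsse",
}

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            useAprConnector="true"/>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11AprProtocol"/>
    <Connector port="9443" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"/>
    <Connector port="9444" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"/>
  </Service>
</Server>
"""


def _is_true(value):
    return (value or "").strip().lower() == "true"


def audit_connectors(server_xml):
    """Return {port: finding} for every <Connector> in a server.xml string."""
    root = ET.fromstring(server_xml)
    listener = next(
        (l for l in root.iter("Listener") if l.get("className") == APR_LISTENER),
        None,
    )
    # The listener only switches HTTP/1.1 and AJP/1.3 to APR when asked to;
    # on its own it just loads libtcnative, which the OpenSSL provider needs.
    auto_apr = listener is not None and _is_true(listener.get("useAprConnector"))

    findings = {}
    for conn in root.iter("Connector"):
        port = int(conn.get("port", "0"))
        protocol = conn.get("protocol", "HTTP/1.1")
        if protocol in APR_PROTOCOLS:
            findings[port] = "apr-explicit"
        elif protocol in AUTO_PROTOCOLS and auto_apr:
            findings[port] = "apr-auto"
        elif not _is_true(conn.get("SSLEnabled")):
            findings[port] = "plaintext"
        else:
            impl = conn.get("sslImplementationName")
            findings[port] = TLS_IMPLS.get(impl, "tls-impl-custom")
    return findings


def apr_ports(findings):
    """Ports whose connector would be affected by removing the APR connector."""
    return sorted(p for p, f in findings.items() if f.startswith("apr-"))


if __name__ == "__main__":
    for port, finding in sorted(audit_connectors(SAMPLE_SERVER_XML).items()):
        print(port, finding)
```
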


Re: [PROPOSAL] Tomcat 10: Drop APR Connector

Posted by Coty Sutherland <cs...@apache.org>.
On Mon, Oct 7, 2019 at 10:39 AM Christopher Schultz <
chris@christopherschultz.net> wrote:

> All,
>
> I recently gave a presentation on locking-down Apache Tomcat[1] and I
> briefly discussed the "sharp edges" present in Tomcat. Some of them
> are unnecessarily sharp and may be actually unnecessary. I'm going to
> make a few proposals to remove functions from Tomcat.
>
> Proposal: Remove APR connector
>

I'm +1 for this


>
> Justification:
>
> The APR connector was once used to provide superior I/O when compared
> to the only other available I/O mechanism available in Java: blocking
> I/O. Specifically, the APR connector allowed Tomcat to wait for
> keepalive requests on a connection in a non-blocking fashion which
> was not possible with Java BIO-based connectors.
>
> The introduction of NIO into Java back in Java 1.4 (!!) changed
> things, and NIO support was added to Tomcat in 6.0. Now that it has
> had time to mature, the NIO connector is superior to the APR connector
> in several ways:
>
> 1. NIO connector allows non-blocking TLS handshakes
> 2. NIO connector uses less (Tomcat-owned) native code
>
> The first item improves performance and availability and the second
> item improves stability (and thus availability).
>
> The last advantage which (until recently) made the APR connector still
> very useful was the ability to use the OpenSSL cryptographic library
> for all cryptographic operations which is measurably
> higher-performance than those typically provided by the JVM.
>
> This last advantage no longer exists since we have a JSSE provider
> available for OpenSSL using libtcnative.
>
> Notes:
>
> This proposal does not recommend the removal of libtcnative. Only the
> removal of the APR connector, the APR lifecycle listener, and the
> associated native code required to support those components.
>
> -chris
>
>
> [1] http://tomcat.apache.org/presentations.html#latest-locking-down-tomcat

Re: [PROPOSAL] Tomcat 10: Drop APR Connector

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Rémy,

On 11/11/19 14:20, Rémy Maucherat wrote:
> On Mon, Nov 11, 2019 at 7:47 PM Michael Osipov
> <michaelo@apache.org> wrote:
>
>> To revive this, why APR is still important:
>>
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=63916
>>
>> There is some severe bug making NIO perform very badly.
>
> We're making long term plans here, a bug report filed yesterday is
> rather irrelevant.

I tend to agree, especially due to the subsequent resolution of this
problem.

The BIO connector had better performance than NIO, too, with less CPU
usage and yet we still removed it.

-chris


Re: [PROPOSAL] Tomcat 10: Drop APR Connector

Posted by Rémy Maucherat <re...@apache.org>.
On Mon, Nov 11, 2019 at 7:47 PM Michael Osipov <mi...@apache.org> wrote:

> To revive this, why APR is still important:
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=63916
>
> There is some severe bug making NIO perform very badly.
>

We're making long term plans here, a bug report filed yesterday is rather
irrelevant.

Rémy

Re: [PROPOSAL] Tomcat 10: Drop APR Connector

Posted by Michael Osipov <mi...@apache.org>.
On 2019-10-09 at 21:40, Christopher Schultz wrote:
> Michael
>
> On 10/9/19 11:40, Michael Osipov wrote:
>> On 2019-10-07 at 16:39, Christopher Schultz wrote:
>>> All,
>>>
>>> I recently gave a presentation on locking-down Apache Tomcat[1]
>>> and I briefly discussed the "sharp edges" present in Tomcat. Some
>>> of them are unnecessarily sharp and may be actually unnecessary.
>>> I'm going to make a few proposals to remove functions from
>>> Tomcat.
>>>
>>> Proposal: Remove APR connector
>>>
>>> Justification:
>>>
>>> The APR connector was once used to provide superior I/O when
>>> compared to the only other available I/O mechanism available in
>>> Java: blocking I/O. Specifically, the APR connector allowed
>>> Tomcat to wait for keepalive requests on a connection in a
>>> non-blocking fashion which was not possible with Java BIO-based
>>> connectors.
>>>
>>> The introduction of NIO into Java back in Java 1.4 (!!) changed
>>> things, and NIO support was added to Tomcat in 6.0. Now that it
>>> has had time to mature, the NIO connector is superior to the APR
>>> connector in several ways:
>>>
>>> 1. NIO connector allows non-blocking TLS handshakes
>>> 2. NIO connector uses less (Tomcat-owned) native code
>>>
>>> The first item improves performance and availability and the
>>> second item improves stability (and thus availability).
>>>
>>> The last advantage which (until recently) made the APR connector
>>> still very useful was the ability to use the OpenSSL
>>> cryptographic library for all cryptographic operations which is
>>> measurably higher-performance than those typically provided by
>>> the JVM.
>>>
>>> This last advantage no longer exists since we have a JSSE
>>> provider available for OpenSSL using libtcnative.
>>>
>>> Notes:
>>>
>>> This proposal does not recommend the removal of libtcnative. Only
>>> the removal of the APR connector, the APR lifecycle listener, and
>>> the associated native code required to support those components.
>>
>> Though, I have no opinion for or against. It has worked very well for
>> me for the last 10+ years on HP-UX for our software.
> 
> I'd love to get your feedback on NIO+OpenSSL, then.

To revive this, why APR is still important:

https://bz.apache.org/bugzilla/show_bug.cgi?id=63916

There is some severe bug making NIO perform very badly.

Michael



Re: [PROPOSAL] Tomcat 10: Drop APR Connector

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Michael

On 10/9/19 11:40, Michael Osipov wrote:
> On 2019-10-07 at 16:39, Christopher Schultz wrote:
>> All,
>>
>> I recently gave a presentation on locking-down Apache Tomcat[1]
>> and I briefly discussed the "sharp edges" present in Tomcat. Some
>> of them are unnecessarily sharp and may be actually unnecessary.
>> I'm going to make a few proposals to remove functions from
>> Tomcat.
>>
>> Proposal: Remove APR connector
>>
>> Justification:
>>
>> The APR connector was once used to provide superior I/O when
>> compared to the only other available I/O mechanism available in
>> Java: blocking I/O. Specifically, the APR connector allowed
>> Tomcat to wait for keepalive requests on a connection in a
>> non-blocking fashion which was not possible with Java BIO-based
>> connectors.
>>
>> The introduction of NIO into Java back in Java 1.4 (!!) changed
>> things, and NIO support was added to Tomcat in 6.0. Now that it
>> has had time to mature, the NIO connector is superior to the APR
>> connector in several ways:
>>
>> 1. NIO connector allows non-blocking TLS handshakes
>> 2. NIO connector uses less (Tomcat-owned) native code
>>
>> The first item improves performance and availability and the
>> second item improves stability (and thus availability).
>>
>> The last advantage which (until recently) made the APR connector
>> still very useful was the ability to use the OpenSSL
>> cryptographic library for all cryptographic operations which is
>> measurably higher-performance than those typically provided by
>> the JVM.
>>
>> This last advantage no longer exists since we have a JSSE
>> provider available for OpenSSL using libtcnative.
>>
>> Notes:
>>
>> This proposal does not recommend the removal of libtcnative. Only
>> the removal of the APR connector, the APR lifecycle listener, and
>> the associated native code required to support those components.
>
> Though, I have no opinion for or against. It has worked very well for
> me for the last 10+ years on HP-UX for our software.

I'd love to get your feedback on NIO+OpenSSL, then.

> Do we have any numbers comparing performance of both for different
> loads?

Yes. All of Jean-Frederic's presentations[1] for the last few years at
ApacheCon conferences have slides showing the performance comparison.

> Are there any drawbacks not using the APR connector?

The only drawback I see from using NIO+OpenSSL is that CPU usage goes
up a bit. The APR connector is apparently (slightly) more efficient in
terms of CPU, but everything else seems to be just about the same --
such as throughput.

> OpenSSL must stay, it always works very well.

Whether it works or not isn't the issue. It's how well it performs.
(Well... once it's working.) OpenSSL is a requirement because most
Java cryptographic providers perform terribly.

-chris

[1] http://tomcat.apache.org/presentations.html


Re: [PROPOSAL] Tomcat 10: Drop APR Connector

Posted by Michael Osipov <mi...@apache.org>.
On 2019-10-07 at 16:39, Christopher Schultz wrote:
> All,
> 
> I recently gave a presentation on locking-down Apache Tomcat[1] and I
> briefly discussed the "sharp edges" present in Tomcat. Some of them
> are unnecessarily sharp and may be actually unnecessary. I'm going to
> make a few proposals to remove functions from Tomcat.
> 
> Proposal: Remove APR connector
> 
> Justification:
> 
> The APR connector was once used to provide superior I/O when compared
> to the only other available I/O mechanism available in Java: blocking
> I/O. Specifically, the APR connector allowed Tomcat to wait for
> keepalive requests on a connection in a non-blocking fashion which
> was not possible with Java BIO-based connectors.
> 
> The introduction of NIO into Java back in Java 1.4 (!!) changed
> things, and NIO support was added to Tomcat in 6.0. Now that it has
> had time to mature, the NIO connector is superior to the APR connector
> in several ways:
> 
> 1. NIO connector allows non-blocking TLS handshakes
> 2. NIO connector uses less (Tomcat-owned) native code
> 
> The first item improves performance and availability and the second
> item improves stability (and thus availability).
> 
> The last advantage which (until recently) made the APR connector still
> very useful was the ability to use the OpenSSL cryptographic library
> for all cryptographic operations which is measurably
> higher-performance than those typically provided by the JVM.
> 
> This last advantage no longer exists since we have a JSSE provider
> available for OpenSSL using libtcnative.
> 
> Notes:
> 
> This proposal does not recommend the removal of libtcnative. Only the
> removal of the APR connector, the APR lifecycle listener, and the
> associated native code required to support those components.

Though, I have no opinion for or against. It has worked very well for me
for the last 10+ years on HP-UX for our software.

Do we have any numbers comparing performance of both for different 
loads? Are there any drawbacks not using the APR connector?

OpenSSL must stay, it always works very well.

Michael




Re: [PROPOSAL] Tomcat 10: Drop APR Connector

Posted by Rémy Maucherat <re...@apache.org>.
On Mon, Oct 7, 2019 at 4:59 PM Mark Thomas <ma...@apache.org> wrote:

> > All,
> >
> > I recently gave a presentation on locking-down Apache Tomcat[1] and I
> > briefly discussed the "sharp edges" present in Tomcat. Some of them
> > are unnecessarily sharp and may be actually unnecessary. I'm going to
> > make a few proposals to remove functions from Tomcat.
> >
> > Proposal: Remove APR connector
>
> +1
>
> > This proposal does not recommend the removal of libtcnative. Only the
> > removal of the APR connector, the APR lifecycle listener, and the
> > associated native code required to support those components.
>
> Yes, we'd need to keep that library going until at least 9.0.x is EOL.
>
> There is then an argument for a new native library that simply wraps
> OpenSSL (or ideally any OpenSSL clone). Project Panama may prove useful:
> https://openjdk.java.net/projects/panama/


Fun fact: Graal has a more radical way to replace JNI for accesses to
native libraries.
It looks like this:
https://cornerwings.github.io/2018/07/graal-native-methods/
So let's forget it, but still fun though.

Rémy

>
>
> Mark

Re: [PROPOSAL] Tomcat 10: Drop APR Connector

Posted by Mark Thomas <ma...@apache.org>.
> All,
> 
> I recently gave a presentation on locking-down Apache Tomcat[1] and I
> briefly discussed the "sharp edges" present in Tomcat. Some of them
> are unnecessarily sharp and may be actually unnecessary. I'm going to
> make a few proposals to remove functions from Tomcat.
> 
> Proposal: Remove APR connector

+1

> This proposal does not recommend the removal of libtcnative. Only the
> removal of the APR connector, the APR lifecycle listener, and the
> associated native code required to support those components.

Yes, we'd need to keep that library going until at least 9.0.x is EOL.

There is then an argument for a new native library that simply wraps
OpenSSL (or ideally any OpenSSL clone). Project Panama may prove useful:
https://openjdk.java.net/projects/panama/

Mark



Re: [PROPOSAL] Tomcat 10: Drop APR Connector

Posted by Rémy Maucherat <re...@apache.org>.
On Mon, Oct 7, 2019 at 4:39 PM Christopher Schultz <
chris@christopherschultz.net> wrote:

> All,
>
> I recently gave a presentation on locking-down Apache Tomcat[1] and I
> briefly discussed the "sharp edges" present in Tomcat. Some of them
> are unnecessarily sharp and may be actually unnecessary. I'm going to
> make a few proposals to remove functions from Tomcat.
>
> Proposal: Remove APR connector
>
> Justification:
>
> The APR connector was once used to provide superior I/O when compared
> to the only other available I/O mechanism available in Java: blocking
> I/O. Specifically, the APR connector allowed Tomcat to wait for
> keepalive requests on a connection in a non-blocking fashion which
> was not possible with Java BIO-based connectors.
>
> The introduction of NIO into Java back in Java 1.4 (!!) changed
> things, and NIO support was added to Tomcat in 6.0. Now that it has
>

But it really didn't work then.


> had time to mature, the NIO connector is superior to the APR connector
> in several ways:
>
> 1. NIO connector allows non-blocking TLS handshakes
> 2. NIO connector uses less (Tomcat-owned) native code
>
> The first item improves performance and availability and the second
> item improves stability (and thus availability).
>

I agree the OpenSSL native code used alone inside an OpenSSLContext is much
easier to make crash proof than the network code as a whole in the APR
connector.


>
> The last advantage which (until recently) made the APR connector still
> very useful was the ability to use the OpenSSL cryptographic library
> for all cryptographic operations which is measurably
> higher-performance than those typically provided by the JVM.
>
> This last advantage no longer exists since we have a JSSE provider
> available for OpenSSL using libtcnative.
>
> Notes:
>
> This proposal does not recommend the removal of libtcnative. Only the
> removal of the APR connector, the APR lifecycle listener, and the
> associated native code required to support those components.
>

The APR lifecycle listener is not part of the APR connector, it initializes
the libraries and sets config defaults based on that.

Anyway, +1 to attempt the APR connector removal.

Rémy


>
> -chris
>
>
> [1] http://tomcat.apache.org/presentations.html#latest-locking-down-tomcat

Re: [PROPOSAL] Tomcat 10: Drop APR Connector

Posted by Rainer Jung <ra...@kippdata.de>.
On 07.10.2019 at 16:39, Christopher Schultz wrote:
> All,
> 
> I recently gave a presentation on locking-down Apache Tomcat[1] and I
> briefly discussed the "sharp edges" present in Tomcat. Some of them
> are unnecessarily sharp and may be actually unnecessary. I'm going to
> make a few proposals to remove functions from Tomcat.
> 
> Proposal: Remove APR connector

+1 and +1 to the additional comments by Mark and Remy

> Justification:
> 
> The APR connector was once used to provide superior I/O when compared
> to the only other available I/O mechanism available in Java: blocking
> I/O. Specifically, the APR connector allowed Tomcat to wait for
> keepalive requests on a connection in a non-blocking fashion which
> was not possible with Java BIO-based connectors.
> 
> The introduction of NIO into Java back in Java 1.4 (!!) changed
> things, and NIO support was added to Tomcat in 6.0. Now that it has
> had time to mature, the NIO connector is superior to the APR connector
> in several ways:
> 
> 1. NIO connector allows non-blocking TLS handshakes
> 2. NIO connector uses less (Tomcat-owned) native code
> 
> The first item improves performance and availability and the second
> item improves stability (and thus availability).
> 
> The last advantage which (until recently) made the APR connector still
> very useful was the ability to use the OpenSSL cryptographic library
> for all cryptographic operations which is measurably
> higher-performance than those typically provided by the JVM.
> 
> This last advantage no longer exists since we have a JSSE provider
> available for OpenSSL using libtcnative.
> 
> Notes:
> 
> This proposal does not recommend the removal of libtcnative. Only the
> removal of the APR connector, the APR lifecycle listener, and the
> associated native code required to support those components.
> 
> -chris
