Posted to users@tomcat.apache.org by Igor Cicimov <ic...@gmail.com> on 2015/09/21 09:37:37 UTC
Tomcat 7 and APR connector parameters
Hi all,
After enabling the APR/Native connector I can see the following warning
messages upon tomcat restart:
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLDisableCompression' to 'true' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLHonorCipherOrder' to 'true' did not find a matching property.
although I can see those options available in the documentation:
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
The relevant config in server.xml:
<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="on" />
<Connector port="443"
           scheme="https" secure="true" SSLEnabled="true"
           SSLDisableCompression="true"
           SSLProtocol="all"
           SSLHonorCipherOrder="true"
           SSLCipherSuite="EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
                           EECDH+ECDSA+SHA384
                           EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
                           EECDH+aRSA+RC4
                           EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP
                           !DSS !RC4"
           SSLCertificateChainFile="${catalina.base}/conf/cachain.pem"
           SSLCertificateFile="${catalina.base}/conf/star.pem"
           SSLCertificateKeyFile="${catalina.base}/conf/star_key.pem" />
Am I missing something or am I maybe hitting some limitation related to
tomcat/apr/tcnative version?
OS: Ubuntu 12.04.5 LTS
Tomcat: 7.0.26 (Ubuntu repository)
openssl: 1.0.1-4ubuntu5.31
libtcnative-1: 1.1.22-1build1
Thanks,
Igor
Re: Tomcat 7 and APR connector parameters
Posted by Mark Thomas <ma...@apache.org>.
On 22/09/2015 01:31, Igor Cicimov wrote:
> On 21/09/2015 7:47 PM, "Mark Thomas" <ma...@apache.org> wrote:
>>
>> On 21/09/2015 10:45, Igor Cicimov wrote:
>>> On Mon, Sep 21, 2015 at 6:21 PM, Mark Thomas <ma...@apache.org> wrote:
>>>
>>>> On 21/09/2015 08:37, Igor Cicimov wrote:
>>>>> Hi all,
>>>>>
>>>>> After enabling the APR/Native connector I can see the following
> warning
>>>>> messages upon tomcat restart:
>>>>>
>>>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
>>>> property
>>>>> 'SSLDisableCompression' to 'true' did not find a matching property.
>>>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
>>>> property
>>>>> 'SSLHonorCipherOrder' to 'true' did not find a matching property.
>>>>>
>>>>> although I can see those options available in the documentation:
>>>>>
>>>>
> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>>>>
>>>> You are looking at the docs for 7.0.64 but running 7.0.26.
>>>>
>>>> You need to use a more recent Tomcat 7.0.x release if you want to use
>>>> those features.
>>>>
>>>> Mark
>>>>
>>>
>>> Thanks Mark for confirming. Is it possible to specify this in the
>>> documentation like which feature is available since which release?
>>
>> That is (usually) in the change log.
>>
>> Each release ships with docs appropriate to that release. The website
>> always has the docs for the latest release.
>>
>> Mark
>>
> True but that means if I was interested in finding when was a feature
> introduced in tomcat 7 let's say I need to read dozens (depends on how lucky
> I am and when and where I start reading from) of change logs right?
Nope. The changelog contains everything from 7.0.0 to the latest. If you
are lucky the attribute name will be mentioned in the change log. If it
isn't, a sensible search should lead you to the right entry.
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
SSLDisableCompression -> compression -> 7.0.?
SSLHonorCipherOrder -> 7.0.?
It shouldn't take you more than a few seconds to fill in the blanks.
> It would be helpful if the latest tomcat docs include something like:
>
> 'SSLHonorCipherOrder' | some description (available since tomcat 7.0.x)
>
> I see this on many other web sites for various products and I personally
> find this very useful and user friendly.
Patches welcome.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
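Added example (not part of the thread and not Tomcat project code): the warnings above mean the two TLS hardening attributes were dropped at startup, so the connector runs without them. This sketch cross-checks a server.xml against the startup log and lists hardening attributes that were set but ignored; the HARDENING list, the function names and both samples are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# The warning quoted in the thread; \s+ tolerates the mail client's line wrap.
IGNORED = re.compile(
    r"\[SetAllPropertiesRule\]\{(?P<path>[^}]+)\}\s+Setting\s+property\s+"
    r"'(?P<name>[^']+)'\s+to\s+'(?P<value>[^']*)'\s+did\s+not\s+find\s+a\s+"
    r"matching\s+property")

# Attributes whose silent loss weakens TLS (list is an assumption; extend it).
HARDENING = {
    "SSLDisableCompression": "TLS compression is not switched off by this config",
    "SSLHonorCipherOrder": "server cipher order in SSLCipherSuite is not enforced",
}

# Constructed samples modelled on the server.xml and log lines in the post.
SAMPLE_XML = """<Server><Service name="Catalina">
  <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
             SSLDisableCompression="true" SSLProtocol="all"
             SSLHonorCipherOrder="true" />
</Service></Server>"""
SAMPLE_LOG = """\
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'SSLDisableCompression' to 'true' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'SSLHonorCipherOrder' to 'true' did not find a matching property.
"""

def ignored_properties(log_text):
    """Map (element path, attribute) -> value for every ignored attribute."""
    return {(m["path"], m["name"]): m["value"] for m in IGNORED.finditer(log_text)}

def audit(server_xml, log_text):
    """Return (port, attribute, value, impact) for dropped hardening settings."""
    dropped = {name for path, name in ignored_properties(log_text)
               if path.endswith("Connector")}
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        for attr, impact in HARDENING.items():
            # The log does not say which Connector, so flag each one that sets it.
            if attr in conn.attrib and attr in dropped:
                findings.append((conn.get("port"), attr, conn.attrib[attr], impact))
    return findings

if __name__ == "__main__":
    for port, attr, value, impact in audit(SAMPLE_XML, SAMPLE_LOG):
        print(f"port {port}: {attr}={value!r} was ignored -> {impact}")
```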
Re: Tomcat 7 and APR connector parameters
Posted by Igor Cicimov <ic...@gmail.com>.
On 21/09/2015 7:47 PM, "Mark Thomas" <ma...@apache.org> wrote:
>
> On 21/09/2015 10:45, Igor Cicimov wrote:
> > On Mon, Sep 21, 2015 at 6:21 PM, Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 21/09/2015 08:37, Igor Cicimov wrote:
> >>> Hi all,
> >>>
> >>> After enabling the APR/Native connector I can see the following
warning
> >>> messages upon tomcat restart:
> >>>
> >>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> >> property
> >>> 'SSLDisableCompression' to 'true' did not find a matching property.
> >>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> >> property
> >>> 'SSLHonorCipherOrder' to 'true' did not find a matching property.
> >>>
> >>> although I can see those options available in the documentation:
> >>>
> >>
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
> >>
> >> You are looking at the docs for 7.0.64 but running 7.0.26.
> >>
> >> You need to use a more recent Tomcat 7.0.x release if you want to use
> >> those features.
> >>
> >> Mark
> >>
> >
> > Thanks Mark for confirming. Is it possible to specify this in the
> > documentation like which feature is available since which release?
>
> That is (usually) in the change log.
>
> Each release ships with docs appropriate to that release. The website
> always has the docs for the latest release.
>
> Mark
>
True but that means if I was interested in finding when was a feature
introduced in tomcat 7 let's say I need to read dozens (depends on how lucky
I am and when and where I start reading from) of change logs right?
It would be helpful if the latest tomcat docs include something like:
'SSLHonorCipherOrder' | some description (available since tomcat 7.0.x)
I see this on many other web sites for various products and I personally
find this very useful and user friendly.
Thanks,
Igor
Re: Tomcat 7 and APR connector parameters
Posted by Mark Thomas <ma...@apache.org>.
On 21/09/2015 10:45, Igor Cicimov wrote:
> On Mon, Sep 21, 2015 at 6:21 PM, Mark Thomas <ma...@apache.org> wrote:
>
>> On 21/09/2015 08:37, Igor Cicimov wrote:
>>> Hi all,
>>>
>>> After enabling the APR/Native connector I can see the following warning
>>> messages upon tomcat restart:
>>>
>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
>> property
>>> 'SSLDisableCompression' to 'true' did not find a matching property.
>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
>> property
>>> 'SSLHonorCipherOrder' to 'true' did not find a matching property.
>>>
>>> although I can see those options available in the documentation:
>>>
>> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>>
>> You are looking at the docs for 7.0.64 but running 7.0.26.
>>
>> You need to use a more recent Tomcat 7.0.x release if you want to use
>> those features.
>>
>> Mark
>>
>
> Thanks Mark for confirming. Is it possible to specify this in the
> documentation like which feature is available since which release?
That is (usually) in the change log.
Each release ships with docs appropriate to that release. The website
always has the docs for the latest release.
Mark
Re: Tomcat 7 and APR connector parameters
Posted by Igor Cicimov <ic...@gmail.com>.
On Mon, Sep 21, 2015 at 6:21 PM, Mark Thomas <ma...@apache.org> wrote:
> On 21/09/2015 08:37, Igor Cicimov wrote:
> > Hi all,
> >
> > After enabling the APR/Native connector I can see the following warning
> > messages upon tomcat restart:
> >
> > WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property
> > 'SSLDisableCompression' to 'true' did not find a matching property.
> > WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property
> > 'SSLHonorCipherOrder' to 'true' did not find a matching property.
> >
> > although I can see those options available in the documentation:
> >
> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>
> You are looking at the docs for 7.0.64 but running 7.0.26.
>
> You need to use a more recent Tomcat 7.0.x release if you want to use
> those features.
>
> Mark
>
Thanks Mark for confirming. Is it possible to specify this in the
documentation like which feature is available since which release?
Apologies if this has already been done and I have missed it somehow.
Thanks again.
Igor
Re: Tomcat 7 and APR connector parameters
Posted by Mark Thomas <ma...@apache.org>.
On 21/09/2015 08:37, Igor Cicimov wrote:
> Hi all,
>
> After enabling the APR/Native connector I can see the following warning
> messages upon tomcat restart:
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'SSLDisableCompression' to 'true' did not find a matching property.
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'SSLHonorCipherOrder' to 'true' did not find a matching property.
>
> although I can see those options available in the documentation:
> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
You are looking at the docs for 7.0.64 but running 7.0.26.
You need to use a more recent Tomcat 7.0.x release if you want to use
those features.
Mark
>
> The relevant config in server.xml:
>
> <Listener className="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="on" />
>
> <Connector port="443"
> scheme="https" secure="true" SSLEnabled="true"
> SSLDisableCompression="true"
> SSLProtocol="all"
> SSLHonorCipherOrder="true"
> SSLCipherSuite="EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
> EECDH+ECDSA+SHA384
> EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
> EECDH+aRSA+RC4
> EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP
> !DSS !RC4"
> SSLCertificateChainFile="${catalina.base}/conf/cachain.pem"
> SSLCertificateFile="${catalina.base}/conf/star.pem"
> SSLCertificateKeyFile="${catalina.base}/conf/star_key.pem" />
>
> Am I missing something or am I maybe hitting some limitation related to
> tomcat/apr/tcnative version?
>
>
> OS: Ubuntu 12.04.5 LTS
> Tomcat: 7.0.26 (Ubuntu repository)
> openssl: 1.0.1-4ubuntu5.31
> libtcnative-1: 1.1.22-1build1
>
> Thanks,
> Igor
>
Re: Tomcat 7 and APR connector parameters
Posted by Sanaullah <sa...@gmail.com>.
Hi Igor,
I think you need to add the protocol attribute in the connector
configuration so that it will load the connector with APR:
protocol="org.apache.coyote.http11.Http11AprProtocol"
If the PATH (Windows) or LD_LIBRARY_PATH (on most unix systems)
environment variables contain the Tomcat native library, the
APR/native connector will be used. If the native library cannot be
found, the blocking Java based connector will be used. Note that the
APR/native connector has different settings for HTTPS than the Java
connectors.
You can verify the protocol attribute document here [1]
[1] https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
Regards,
Sanaullah