Summary: Add explicit flag to AprLifecycleListener to enable autoconfiguration of sslImplementationName
Product: Tomcat 9
Component: Connectors
Reporter: Konstantin Kolinko <knst.kolinko>
Assignee: Tomcat Developers Mailing List <dev>
Description Konstantin Kolinko 2016-03-09 09:34:09 UTC
Continuing from my concern raised in the "Tomcat 8.next" thread (Feb 2016):

>> 2. The feature of auto-switching sslImplementationName with
>> availability of TCNative library needs better documentation. I suspect
>> that it may come as a surprise.
>>
>> There is documentation of sslImplementationName attribute on
>> config/http.html, but the attribute of AprLifecycleListener
>> (useAprConnector) is not documented at all.
>
> It is supposed to be documented as of r1729644. OTOH, I'm not that good
> with that kind of thing, and maybe it is still confusing.

1) The "useAprConnector" attribute of AprLifecycleListener must be documented in config/listeners.html.

That attribute affects which connector implementation is auto-selected when the Connector protocol is specified as a simple "HTTP/1.1" or "AJP/1.3". The value "false" means that the NIO implementation is used. The value "true" means that the implementation is either NIO or APR, depending on the availability of the Tomcat-Native library. Setting it to "false" disables autoselection of the Connector protocol implementation.

2) I think there needs to be a similar attribute to control autoselection of the value of sslImplementationName for an HTTPS connector. With such an attribute one will be able to turn that autoselection magic off.

I do not have a good name yet, though. Maybe "useOpensslJsseImplementation".

The motivation is that AprLifecycleListener can just be there to load the library. A person may not need the autoselection feature. E.g. one can use two explicitly configured APR and NIO connectors in parallel - the AprLifecycleListener is used to load the library and nothing more is expected.

(Implementation pointer: the autoselection happens in o.a.c.connector.Connector.initInternal(). Look for "SslImplementationName" there.)

Part 1) is a bug to be fixed (missing documentation for the attribute).
Part 2) is an enhancement request.
Comment 1 Christopher Schultz 2016-03-09 14:47:47 UTC
Selection of the underlying crypto engine in JSSE is typically done by specifying the "provider". So instead of useOpensslJSSEImplementation="true", perhaps we specify JSSEProvider="OpenSSL" (or whatever the OpenSSL provider's name actually is). This would be more extensible, and would even allow for 3rd-party crypto providers to be used, such as Bouncy Castle. The default would be (blank) and would not specify a provider when initializing algorithms -- giving Tomcat the JVM's default provider.
Comment 2 Mark Thomas 2016-03-09 15:39:32 UTC
I've fixed 1) but not 2) for 9.0.0.M4
Comment 3 Remy Maucherat 2016-03-09 17:38:51 UTC
Thanks, I would have done it in a few hours. For 2), it used to be an automatic switch for the APR connector so a flag is not necessarily needed, but I'll add a "useOpenSSL" flag anyway [the name is shorter and IMO it works as well]. Note for comment 1: the JCE configuration is not related to this, Tomcat's OpenSSL "JSSE" simply provides an alternate SSL engine implementation.
Comment 4 Mark Thomas 2016-03-09 19:05:49 UTC
(In reply to Remy Maucherat from comment #3)
> Thanks, I would have done it in a few hours.

I know. Normally I would have waited, but I'm close to tagging 9.0.0.M4 and at that point it was the only thing between me and the unit test runs before I did the tag. Of course, now those runs have completed I have a few failures to look at...
Comment 5 Remy Maucherat 2016-03-10 09:40:55 UTC
I added a useOpenSSL flag, it's shorter and should be mostly equivalent to useOpensslJsseImplementation. Good luck with M4 and the forking.
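The configuration the report describes, with autoselection switched off on both axes and the two connectors declared explicitly, as an added server.xml example that is not from the bug report or from Tomcat's own documentation. It uses the useAprConnector attribute described in the report and the useOpenSSL attribute named in comment 5; the ports, key store and certificate file names are constructed placeholders, and the protocol and sslImplementationName class names are Tomcat's own, not quoted on this page.

```xml
<!-- server.xml fragment: added example, not from the bug report.
     Ports and the key store / certificate paths below are constructed
     placeholders. -->
<Server port="8005" shutdown="SHUTDOWN">
  <!-- Load Tomcat-Native only. Both flags set to "false" turn the
       autoselection off: a plain "HTTP/1.1" protocol stays NIO, and an
       HTTPS connector keeps JSSE even when the native library loads,
       so the TLS engine in use does not change with library availability. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on"
            useAprConnector="false"
            useOpenSSL="false" />

  <Service name="Catalina">
    <!-- NIO connector with the JSSE implementation pinned explicitly,
         so the choice is visible in the configuration rather than implied. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/example-keystore.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <!-- APR connector in parallel; it uses OpenSSL through Tomcat-Native
         and takes PEM files rather than a Java key store. -->
    <Connector port="8444"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig>
        <Certificate certificateKeyFile="conf/example-key.pem"
                     certificateFile="conf/example-cert.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

After startup, the connector log lines (and the protocol handler class reported for each port) should show Http11NioProtocol on 8443 and Http11AprProtocol on 8444 regardless of whether the native library loaded; a change there after a library upgrade is the surprise the report is about.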