Bug 59150

Summary: Add explicit flag to AprLifecycleListener to enable autoconfiguration of sslImplementationName
Product: Tomcat 9 Reporter: Konstantin Kolinko <knst.kolinko>
Component: ConnectorsAssignee: Tomcat Developers Mailing List <dev>
Severity: enhancement    
Priority: P2    
Version: 9.0.0.M3   
Target Milestone: -----   
Hardware: PC   
OS: All   

Description Konstantin Kolinko 2016-03-09 09:34:09 UTC
Continuing from my concern raised in "Tomcat 8.next" thread (Feb 2016)

>> 2. The feature of auto-switching sslImplementationName with
>> availability of TCNative library needs better documentation. I suspect
>> that it may come as a surprise.
>> There is documentation of sslImplementationName attribute on
>> config/http.html, but the attribute of AprLifecycleListener
>> (useAprConnector) is not documented at all.
> It is supposed to be documented as of r1729644. OTOH, I'm not that good
> with that kind of thing, and maybe it is still confusing.

1) The "useAprConnector" attribute of AprLifecycleListener must be documented in config/listeners.html

That attribute affects what connector implementation is auto-selected when Connector protocol is specified as simple "HTTP/1.1" or "AJP/1.3". The value of "false" means that the NIO implementation is used. The value of "true" means that the implementation is either NIO or APR, depending on availability of Tomcat-Native library.

Setting it to "false" disables autoselection of Connector protocol implementation.

2) I think there needs to be similar attribute to control autoselection of value of sslImplementationName for a HTTPS connector. With such attribute one will be able to turn off that autoselection magic off.

I do not have a good name yet, though. Maybe "useOpensslJsseImplementation".

Motivation is that AprLifecycleListener can just be there to load the library. A person may not need the autoselection feature. E.g. one can use two explicitly configured APR and NIO connectors in parallel - the AprLifecycleListener is used to load the library and nothing more is expected.

(Implementation pointer: the autoselection happens in o.a.c.connector.Connector.initInternal(). See for "SslImplementationName" there.)

Part 1) is a bug to be fixed (missing documentation for the attribute).

Part 2) is an enhancement request.
Comment 1 Christopher Schultz 2016-03-09 14:47:47 UTC
Selection of the underlying crypto engine in JSSE is typically done by specifying the "provider". So instead of useOpensslJSSEImplementation="true", perhaps we specify JSSEProvider="OpenSSL" (or whatever the OpenSSL provider's name actually is). This would be more extensible, and would even allow for 3rd-party crypto providers to be used, such as Bouncy Castle.

The default would be (blank) and would not specify a provider when initializing algorithms -- giving Tomcat the JVM's default provider.
Comment 2 Mark Thomas 2016-03-09 15:39:32 UTC
I've fixed 1) but not 2) for 9.0.0.M4
Comment 3 Remy Maucherat 2016-03-09 17:38:51 UTC
Thanks, I would have done it in a few hours.

For 2), it used to be an automatic switch for the APR connector so a flag is not necessarily needed, but I'll add a "useOpenSSL" flag anyway [the name is shorter and IMO it works as well].

Note for comment 1: the JCE configuration is not related to this, Tomcat's OpenSSL "JSSE" simply provides an alternate SSL engine implementation.
Comment 4 Mark Thomas 2016-03-09 19:05:49 UTC
(In reply to Remy Maucherat from comment #3)
> Thanks, I would have done it in a few hours.

I know. Normally I would have waited but I'm close to tagging 9.0.0.M4 and at that point it was the only thing between me and the unit test runs before I did the tag. Of course, now those runs have completed I have a few failures to look at...
Comment 5 Remy Maucherat 2016-03-10 09:40:55 UTC
I added a useOpenSSL flag, it's shorter and should be mostly equivalent to useOpensslJsseImplementation.

Good luck with M4 and the forking.