Continuing from my concern raised in "Tomcat 8.next" thread (Feb 2016)

>> 2. The feature of auto-switching sslImplementationName with
>> availability of TCNative library needs better documentation. I suspect
>> that it may come as a surprise.
>>
>> There is documentation of sslImplementationName attribute on
>> config/http.html, but the attribute of AprLifecycleListener
>> (useAprConnector) is not documented at all.
>
> It is supposed to be documented as of r1729644. OTOH, I'm not that good
> with that kind of thing, and maybe it is still confusing.

1) The "useAprConnector" attribute of AprLifecycleListener must be documented in config/listeners.html

That attribute affects what connector implementation is auto-selected when Connector protocol is specified as simple "HTTP/1.1" or "AJP/1.3". The value of "false" means that the NIO implementation is used. The value of "true" means that the implementation is either NIO or APR, depending on availability of Tomcat-Native library. Setting it to "false" disables autoselection of Connector protocol implementation.

2) I think there needs to be a similar attribute to control autoselection of the value of sslImplementationName for an HTTPS connector. With such an attribute one will be able to turn that autoselection magic off. I do not have a good name yet, though. Maybe "useOpensslJsseImplementation".

Motivation is that AprLifecycleListener can just be there to load the library. A person may not need the autoselection feature. E.g. one can use two explicitly configured APR and NIO connectors in parallel - the AprLifecycleListener is used to load the library and nothing more is expected.

(Implementation pointer: the autoselection happens in o.a.c.connector.Connector.initInternal(). Search for "SslImplementationName" there.)

Part 1) is a bug to be fixed (missing documentation for the attribute). Part 2) is an enhancement request.
Selection of the underlying crypto engine in JSSE is typically done by specifying the "provider". So instead of useOpensslJSSEImplementation="true", perhaps we specify JSSEProvider="OpenSSL" (or whatever the OpenSSL provider's name actually is). This would be more extensible, and would even allow for 3rd-party crypto providers to be used, such as Bouncy Castle. The default would be (blank) and would not specify a provider when initializing algorithms -- giving Tomcat the JVM's default provider.
I've fixed 1) but not 2) for 9.0.0.M4
Thanks, I would have done it in a few hours. For 2), it used to be an automatic switch for the APR connector so a flag is not necessarily needed, but I'll add a "useOpenSSL" flag anyway [the name is shorter and IMO it works as well]. Note for comment 1: the JCE configuration is not related to this, Tomcat's OpenSSL "JSSE" simply provides an alternate SSL engine implementation.
(In reply to Remy Maucherat from comment #3)
> Thanks, I would have done it in a few hours.

I know. Normally I would have waited but I'm close to tagging 9.0.0.M4 and at that point it was the only thing between me and the unit test runs before I did the tag. Of course, now those runs have completed I have a few failures to look at...
I added a useOpenSSL flag; it's shorter and should be mostly equivalent to useOpensslJsseImplementation. Good luck with M4 and the forking.
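As an added illustration (not from this thread or the Tomcat docs) of the setup the reporter describes in point 2 and the useOpenSSL flag added above: a server.xml fragment that loads Tomcat-Native but turns both autoselection switches off, so each connector's protocol class and TLS engine are pinned explicitly and an operator can read off which crypto stack terminates which port. The useAprConnector and useOpenSSL attribute names come from this thread; the protocol and sslImplementationName class names are Tomcat's own; ports and keystore/PEM paths are constructed placeholders.

```xml
<!-- Added example: explicit connector and TLS-engine selection with
     autoselection off. Ports and key material paths are placeholders. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Load libtcnative only; do not rewrite a plain "HTTP/1.1" protocol
       into APR and do not swap the TLS engine behind the operator's back. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on"
            useAprConnector="false"
            useOpenSSL="false" />

  <Service name="Catalina">

    <!-- NIO connector, JVM JSSE stack, chosen explicitly. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
      <SSLHostConfig protocols="TLSv1.2">
        <!-- placeholder keystore; replace with the real one -->
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <!-- APR connector on a second port, OpenSSL engine chosen explicitly. -->
    <Connector port="8444"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
      <SSLHostConfig protocols="TLSv1.2">
        <!-- placeholder PEM files; replace with the real ones -->
        <Certificate certificateKeyFile="conf/server.key"
                     certificateFile="conf/server.crt"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

With both flags false, the engine actually in use for each port is the one written in server.xml, which is what you want when auditing which TLS stack (and therefore which patch stream) protects a given listener.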