On 27/02/2014 14:40, Mike Johnson wrote:
> Here's the issue that I'm looking for insight on (I did a workaround that
> seems to work fine, it just doesn't make sense why it works differently on OS
> if Tomcat is portable across OS).

If you use different configurations - on the same OS or across different
OSes - you will get different behaviour. If you want the same behaviour,
start by using the same configuration.

> Tomcat 7.0.47

Not related to this question but you need to upgrade.

> Using SSL on a connector, defining the connector like so...
> 
>     <Connector port="443"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="101" debug="0" scheme="https" secure="true"
>                SSLEnabled="true" keyAlias="MyAlias"
>                keystoreFile="<relative path to file cert file>.pfx"
>                keystoreType="pkcs12"
>                keystorePass="mypassword"
>                clientAuth="false" sslProtocol="TLS"
>     />
> 
> Seems as though on Linux, works like a charm...
> 
> When I recreate this install on a Windows 2008 R2 box, I get an error
> 
> SEVERE: Failed to initialize end point associated with ProtocolHandler [...]
> java.lang.Exception: Connector attribute SSLCertificateFile must be defined
> when using SSL with APR

If you had used protocol="org.apache.coyote.http11.Http11Protocol" then
you'd see the same (working) behaviour on Linux and Windows.

If you had used protocol="org.apache.coyote.http11.Http11AprProtocol"
then you'd see the same (broken) behaviour on Linux and Windows.

> I have to take out the following line from the server.xml
> <Listener className="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="on" />

This disables the APR/native library.

> Now, from what I'm reading (far from an expert here) it looks like APR is
> OpenSSL and if you comment this out, it defaults to JSSE's SSL "stuff".

Not quite. Disabling that listener disables APR support. In turn, that
removes the possibility of auto switching as described under the
protocol attribute in
http://tomcat.apache.org/tomcat-8.0-doc/config/http.html#Common_Attributes

> 
> When I google further, it seems that people are having this issue and they
> think it's related to how the .pfx file is being read in, text vs binary.

Then those people would be wrong.

> Anyway, I've contacted a few colleagues that do the same thing as me at
> other organizations, and they have been able to reproduce this problem.
> 
> It just doesn't seem right that I can't do the same thing on a Windows box.

You didn't do "the same thing", hence you got a different result.

> Anyone have any thoughts?

On Linux you didn't install the APR/native library, so you will be
using the HTTP BIO connector, which uses JSSE-style configuration for SSL.
That is how you configured the HTTPS connector, so it works.

On Windows you did install the APR/native library, so you will be using
the HTTP APR connector, which uses OpenSSL-style configuration for SSL.
That is not how you configured the HTTPS connector, so it fails.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

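The two configurations Mark describes, side by side, as an added example that is not part of the thread (neither Mike's server.xml nor anything from the Tomcat project): each connector names its protocol class explicitly, so the auto-switch triggered by the AprLifecycleListener no longer decides which SSL attribute set applies. The file names (server.pfx, server-cert.pem, server-key.pem), the port numbers and the password are placeholders. In practice you would keep only one of the two connectors; both are shown here to contrast the JSSE (keystore) attributes with the APR/OpenSSL (PEM file) attributes.

```xml
<!-- Added example, not from the original post or from Tomcat's own docs. -->

<!-- Loads the APR/native library. With this listener present and no explicit
     protocol on the Connector, protocol="HTTP/1.1" auto-selects the APR
     connector, which expects the OpenSSL-style attributes below. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="on" />

<!-- JSSE connector, pinned explicitly. Uses the keystore-style attributes
     from the thread and behaves identically whether or not APR is installed.
     keystoreFile is a placeholder path, resolved relative to $CATALINA_BASE. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" scheme="https" secure="true"
           SSLEnabled="true"
           keystoreFile="conf/server.pfx"
           keystoreType="PKCS12"
           keystorePass="mypassword"
           keyAlias="MyAlias"
           clientAuth="false" sslProtocol="TLS" />

<!-- APR connector, pinned explicitly. Requires the APR/native library to be
     loaded and takes PEM-encoded certificate and key files instead of a
     keystore; this is the SSLCertificateFile attribute the error message
     asks for. Both paths are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" scheme="https" secure="true"
           SSLEnabled="true"
           SSLCertificateFile="conf/server-cert.pem"
           SSLCertificateKeyFile="conf/server-key.pem"
           SSLVerifyClient="none" />
```

The APR connector cannot read a .pfx directly; the certificate and key are exported from the PKCS#12 file once with OpenSSL, for example `openssl pkcs12 -in server.pfx -clcerts -nokeys -out server-cert.pem` and `openssl pkcs12 -in server.pfx -nocerts -nodes -out server-key.pem`. The `-nodes` option writes the private key unencrypted, so restrict the file's permissions to the Tomcat service account; if you keep the key encrypted instead, supply its passphrase with the APR connector's `SSLPassword` attribute. The same care applies to the plaintext `keystorePass` in server.xml on the JSSE side.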