On Mar 5, 2014 11:09 AM, "Christopher Schultz" <ch...@christopherschultz.net> wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Howard, > > On 3/5/14, 9:45 AM, Howard W. Smith, Jr. wrote: > > Chris, > > > > On Tue, Mar 4, 2014 at 4:18 PM, Christopher Schultz < > > ch...@christopherschultz.net> wrote: > > > >> Dmitry, > >> > >> On 3/4/14, 2:48 AM, Dmitry Batiyevskiy wrote: > >>> Howard, My connector config is the following (i've already > >>> posted that): > >>> > >>> <Connector port="8443" maxHttpHeaderSize="8192" > >>> maxThreads="15000" enableLookups="false" > >>> disableUploadTimeout="true" acceptCount="100" scheme="https" > >>> secure="true" SSLEnabled="true" compression="off" > >>> SSLCertificateFile="/opt/tomcat/mycompany.com.crt" > >>> SSLCertificateKeyFile="/opt/tomcat/mycompany.com.key" /> > >>> > >>> Also -Dhttps.protocols=TLSv1 option is passed to java machine > >>> > >>> The reason for me to use apr connector is https performance, > >>> isn't NIO much slower in that? > >> > >> I don't have any recent performance data, but using OpenSSL is > >> apparently measurably faster than using JSSE. > >> > >> On the other hand, is the NIO connector does not crash, isn't > >> that a point in its favor? > > > > > > Can you please clarify your statements above? are you saying that > > OpenSSL implies (or equals) NIO or APR? > > APR implies OpenSSL, and I suppose vice-versa. APR is native code and > uses OpenSSL for its SSL engine. All of the pure-Java connectors (BIO, > NIO, and possible a soon-to-be-available NIO2 connector) all use JSSE > (Java Secure Sockets Extension) for SSL. For whatever reason, OpenSSL > is measurably faster than JSSE. > > If you are fronting Tomcat with a web server which terminates SSL > itself, then I see no particular reason to use the connectors over the > NIO connectors. > > (Note that you can still use APR for its entropy capabilities even if > not using it for SSL. You'll get session ids coming from OpenSSL's > random source instead of Java's. I'm not sure that matters too much.) > > - -chris
Understood. Thanks Chris! > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > Comment: GPGTools - http://gpgtools.org > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIcBAEBCAAGBQJTF0qNAAoJEBzwKT+lPKRYkIUQALqutaNWH1pLL1Gg89RgHyb+ > 01ORV9O6q2fwtsIgW5WPurZr6gJAcf8K2C1bAkE6WCudgLrHjaTwQtb5peWFqHr0 > IiCLa2bVxkDXDPFy5ESViPTML6UPiOHBXa707ZAK3vzRB5jy6fHbqMVvPBRx4CzD > T0jKAqU9Odj38QBaUWvCi1BNgc0J5i4OyXBDNJmchyB0G6tN29vYo9zpaUnl972e > 4qLzmWEGBzUnQ6y2zTga2fOZQJ4Lu5hQCLYmoCM84sU1Xl9BjHJ1Tn1mWm7jEm7V > zMlIgFlJ/y65AUCqSRerMO5V5y4N+44CeQ2WV5v3hes4htAqRV7BFOgCfQW8e6Ng > oqn4KLQU81rCOsN61tQIv1j17wkP6vux9WbaDScr+UVfjFZgdygaZvOLkmDs/bXG > +b3DNsGVswOU4it2Y/cp6NAzwWDQfdfQUYDn9U/XOi9MnYSXNf+2dorTqnUhZ3Y7 > mbxrCFpwKdbgXTkvs1UPwOZVhJ8dBuno/HofKuqbd+s9SkF/eXZNdyWolRUQ8sdK > KFWgByHW+18IM1RiBieu9/iGA1U4nUz0HvLo0UxXpN1GAXO/67/Hv2h/LiqB/tQh > yVFbvEZV5bR64D9FoPFReGQG4as2NBfIrbFz4XhqHwps5DDYm7WsS4hK87PE7fNC > qeyeWruqGubsZfwDrfft > =ihsJ > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org >
