All,

On 12/1/16 5:59 PM, Christopher Schultz wrote:
> All,
>
> I'm trying to use JMX to do things with Tomcat Connectors and
> ProtocolHandlers. Specifically, I'd like to re-load the keystore
> (really certificate) used for an HTTPs connection.
>
> I'm currently using Tomcat 8.0.30 for my testing.
>
> It looks like the ProtocolHandler is really the place where the
> TLS configuration is taking effect, and not the Connector, so I'm
> largely ignoring the Connector for now. Is that the right choice to
> make, here?
>
> It seems that calling pause()/resume() or stop()/start() on
> the ProtocolHandler has no effect on resetting the
> SSLServerSocketFactory, which is what would be required to achieve
> my goals (update a certificate for a running Tomcat instance).
>
> I suspect I'll have to call init(). When I do this without
> specifying bindOnInit=false awful things happen. First, calling
> init() gets me an error on stdout that the address is already in
> use, and then it's basically not possible to restart the
> ProtocolHandler after that point: it's dead as far as I can tell,
> because you can't call start() or resume() without getting a whole
> bunch of errors.
>
> Does that sound like a problem to anyone? I would think that
> failure to call init() would leave the ProtocolHandler in an
> uninitialized state, but I'm wondering if trying to RE-initialize
> the ProtocolHandler should be something that won't damage a
> previously-initialized component. When trying to script these types
> of connections, having a non-destructive init() might be useful.
>
> So, I set bindOnInit="false" which is documented[1] to unbind on
> "stop". When calling stop(), the port continues to be bound by
> Tomcat. Calling stop() and then start() throws a BindException. :(
> Destroying the ProtocolHandler also leaves the port still bound,
> and also (unsurprisingly) destroys the ProtocolHandler.
>
> Stopping the Connector also does not release the port. :( Calling
> stop() and then start() also throws a BindException.
>
> At this point, I think I'm stuck. Is there a bug here?
>
> I'm going to upgrade to 8.0.latest and repeat my tests, just in
> case.

I updated to 8.0.39 and noticed that I had moved my keystore out of the
way temporarily and so the connector was failing at some point looking
for that.

I'll be repeating my tests with more attention to detail, but what I
think I've noticed is that there are certain errors which can occur
that cause the Connector to get itself into a bad state. Specifically,
I think that problems with the crypto setup cause the connector to bind
to the port, then fail and not unbind. Any later attempt to re-start
the Connector fails because the port is still bound.

I think the connector should catch (some?) exceptions and unbind the
port in those cases when bindOnInit=false.

-chris
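
The failure mode suspected in the message above, modeled as an added Java example (not Tomcat's code and not part of the original post): a toy endpoint binds its port, then fails while loading a keystore, with and without releasing the port on failure. The class name `BindThenFail`, the `missing-keystore.jks` path and the keystore password are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.BindException;
import java.net.ServerSocket;
import java.security.KeyStore;

// Toy model, not Tomcat code: an endpoint that binds first and loads its keystore second.
public class BindThenFail {
    private ServerSocket socket;              // stays referenced, so a leaked bind persists
    private final boolean unbindOnFailure;
    BindThenFail(boolean unbindOnFailure) { this.unbindOnFailure = unbindOnFailure; }

    void start(int port, String keystorePath) throws Exception {
        socket = new ServerSocket(port);      // step 1: the port is now bound
        try (InputStream in = new FileInputStream(keystorePath)) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, "changeit".toCharArray());   // step 2: crypto setup
        } catch (Exception e) {
            if (unbindOnFailure) {            // the cleanup the message proposes
                socket.close();
                socket = null;
            }
            throw e;
        }
    }

    // Returns true if the port can be bound again after a failed start().
    static boolean restartPossible(boolean unbindOnFailure) throws Exception {
        int port;
        try (ServerSocket probe = new ServerSocket(0)) { port = probe.getLocalPort(); }
        BindThenFail ep = new BindThenFail(unbindOnFailure);
        try {
            ep.start(port, "missing-keystore.jks");   // constructed path, assumed absent
        } catch (Exception expected) {
            // keystore not found: crypto setup failed after the bind succeeded
        }
        try (ServerSocket retry = new ServerSocket(port)) {
            return true;                      // port was released, a restart can bind
        } catch (BindException stillBound) {
            return false;                     // port leaked by the failed start()
        } finally {
            if (ep.socket != null) ep.socket.close();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("no cleanup        -> restart possible: " + restartPossible(false));
        System.out.println("unbind on failure -> restart possible: " + restartPossible(true));
    }
}
```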