On Wed, Oct 14, 2020 at 11:38 AM Maarten van den Broek <mbr...@messagedesign.nl> wrote:

> I use tomcat 9.0.33 with windows10 home and amazon corretto jdk1.8.0_212.
>
> Below is a snapshot of two different Connector definitions in server.xml
>
> <Connector port="443" connectionTimeout="20000" acceptCount="100"
>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>            protocol="nl.messagedesign.tomcatlib.EncryptedPassword_Http11Nio2Protocol"
>            clientAuth="false" sslEnabledProtocols="TLSv1.2" minSpareThreads="5"
>            enableLookups="true" disableUploadTimeout="true"
>            keystoreFile="C:/Users/Maarten/Certificaten/gm_messagedesign_nl2020.jks"
>            keystorePass="ZURV/6aoh/mLRxJGFhnvEpVZ7PoL72h3"
> />
>
> <Connector acceptCount="100" connectionTimeout="20000"
>            disableUploadTimeout="true" enableLookups="true" maxThreads="150"
>            minSpareThreads="5" port="443"
>            protocol="nl.messagedesign.tomcatlib.EncryptedPassword_Http11Nio2Protocol"
>            SSLEnabled="true" scheme="https" secure="true">
>     <SSLHostConfig protocols="TLSv1.2">
>         <Certificate certificateKeystoreFile="C:/Users/Maarten/Certificaten/gm_messagedesign_nl2020.jks"
>                      certificateKeystorePassword="ZURV/6aoh/mLRxJGFhnvEpVZ7PoL72h3"
>                      certificateKeystoreType="JKS"/>
>     </SSLHostConfig>
> </Connector>
>
> Using the first Connector everything is working fine. Debugging the
> setKeystorePass method of the class
> nl.messagedesign.tomcatlib.EncryptedPassword_Http11Nio2Protocol in the
> protocol attribute shows that the encrypted password gets decrypted.
>
> Using the second connector with the SSLHostConfig element instead of the
> deprecated attributes, debugging shows that the setKeystorePass method is
> not called and I get errors for the incorrect password of the keystore.
>
> What am I doing wrong in migrating to the configuration with the
> SSLHostConfig element?
>
> Sincerely yours, Maarten van den Broek
>

If you simply want to obfuscate server.xml attributes, you should look into
the digester property sources instead of engaging in this sort of stuff.

One such property source out there: https://github.com/web-servers/tomcat-vault

Note: This capability is not included directly into Tomcat itself because
it provides no actual extra security.

Rémy
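As an added example (not from the thread, and not tomcat-vault's own code), here is a minimal digester property source of the kind Rémy refers to: registered through `org.apache.tomcat.util.digester.PROPERTY_SOURCE` in catalina.properties, it resolves `${enc.<base64>}` attribute values in server.xml (for instance `certificateKeystorePassword="${enc....}"`) by decrypting them, so the keystore password never appears in server.xml and the custom protocol subclass is no longer needed. It assumes Tomcat 9's `IntrospectionUtils.PropertySource` interface, the class compiled against tomcat-util.jar and placed in $CATALINA_BASE/lib, and a hypothetical key file conf/keystore.key holding a base64-encoded AES key; the `enc.` prefix and the file name are my own choices.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.*;
import org.apache.tomcat.util.IntrospectionUtils;

// Resolves ${enc.<base64>} placeholders in server.xml by AES-GCM decrypting them with a
// key read from conf/keystore.key (hypothetical path, kept outside server.xml).
public class EncryptedPropertySource implements IntrospectionUtils.PropertySource {
    private static final String PREFIX = "enc.";
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private static final SecretKeySpec KEY = loadKey();
    private static SecretKeySpec loadKey() {
        try {
            Path f = Paths.get(System.getProperty("catalina.base", "."), "conf", "keystore.key");
            return new SecretKeySpec(Base64.getDecoder().decode(Files.readAllLines(f).get(0).trim()), "AES");
        } catch (Exception e) {
            throw new IllegalStateException("cannot read conf/keystore.key", e);
        }
    }

    @Override
    public String getProperty(String name) {
        if (!name.startsWith(PREFIX)) return null; // not ours; Tomcat falls back to system properties
        try {
            byte[] blob = Base64.getDecoder().decode(name.substring(PREFIX.length())); // iv || ciphertext+tag
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, KEY, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
            return new String(c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES), StandardCharsets.UTF_8);
        } catch (Exception e) {
            return null; // tampered blob or wrong key: stay unresolved so the keystore open fails loudly
        }
    }

    // Operator helper to produce the attribute value: java -cp <tomcat-util jar>:. EncryptedPropertySource 'secret'
    public static void main(String[] args) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv); // fresh nonce per encryption, never reuse with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, KEY, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(args[0].getBytes(StandardCharsets.UTF_8));
        byte[] blob = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        System.out.println("${" + PREFIX + Base64.getEncoder().encodeToString(blob) + "}");
    }
}
```

Note that this only moves the secret from server.xml into keystore.key, which the Tomcat process must still be able to read; that is the limitation Rémy's note points at, so the key file's permissions are what actually matter.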