On 10/02/2021 17:11, George Thomas wrote:
> Thanks, Mark, for the reply. In our case, we may have to stick with AJP.
> However, I have not understood the https way.
> Are you suggesting to listen on the https port in place of the AJP port and use a
> different connector implementation at the HTTP server?

Yes.

Mark

> On Wed, 10 Feb 2021 at 18:53, Mark Thomas <ma...@apache.org> wrote:
>
>> On 10/02/2021 12:09, George Thomas wrote:
>>> As per the link below,
>>> https://github.com/spring-projects/spring-boot/issues/6164, the
>>> following features are removed from Tomcat 8.5:
>>>
>>> a) Class org.apache.tomcat.util.net.ServerSocketFactory no longer exists
>>> b) Class org.apache.tomcat.util.net.jsse.JSSESocketFactory no longer exists
>>> c) Method JSSEImplementation.getServerSocketFactory(AbstractEndpoint) no longer exists
>>> d) Method JSSEImplementation.getSSLUtil(AbstractEndpoint) no longer exists
>>>
>>> These make our upgrade from Tomcat 8.0 to Tomcat 8.5.x challenging.
>>>
>>> We have two requirements:
>>>
>>> 1. Tomcat's AJP protocol receives encrypted content coming from the HTTP
>>>    server and gives an encrypted response. (In the HTTP server we have the
>>>    functionality to encrypt using OpenSSL.) In Tomcat versions prior to 8.5
>>>    it was possible to extend this using custom classes that implement Tomcat's
>>>    ServerSocketFactory interface.
>>> 2. Store the certificate file for Tomcat https in a custom keystore (an XML
>>>    file).
>>>
>>> How can these be achieved in Tomcat 8.5? Any suggestions are appreciated.
>>
>> The cleanest solution is likely to be switching from AJP to HTTPS.
>>
>> If you *really* want to continue down the AJP over TLS route then
>> something like:
>> - set SSLEnabled="true" on the AJP Connector
>> - you'll need a custom AJP protocol implementation that extends
>>   AjpNioProtocol and provides proper implementations of addSslHostConfig
>>   and findSslHostConfigs
>>
>> should get you an AJP connector running over TLS.
>>
>> If the custom KeyStore has been implemented via the standard KeyStore
>> SPI it should 'just work'. If it doesn't use the SPI then you'll need to
>> create a custom SSLImplementation (probably extending
>> JSSEImplementation) and then set the sslImplementationName attribute on
>> the Connector.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
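The two AJP-over-TLS steps Mark lists (SSLEnabled="true" on the Connector plus an AjpNioProtocol subclass with working addSslHostConfig and findSslHostConfigs) are shown below as an added example; it is not code from this thread or from the Tomcat project. The package name com.example.ajptls, the class name TlsAjpNioProtocol, the keystore type XMLKS, the provider name ExampleXmlProvider and every file path in the comments are assumptions chosen for illustration. The example targets Tomcat 8.5, where AbstractAjpProtocol's own addSslHostConfig only logs a warning and findSslHostConfigs returns an empty array, so TLS settings never reach the NIO endpoint; delegating both calls to the endpoint is what makes the SSLHostConfig element take effect.

```java
package com.example.ajptls;  // hypothetical package, not part of Tomcat

import org.apache.coyote.ajp.AjpNioProtocol;
import org.apache.tomcat.util.net.SSLHostConfig;

/**
 * Hypothetical AJP protocol handler for Tomcat 8.5 that accepts TLS on the
 * AJP port.
 *
 * AjpNioProtocol already sits on a NioEndpoint, which knows how to do TLS
 * when SSLEnabled="true" is set. What blocks it is that AbstractAjpProtocol
 * swallows every SSLHostConfig the Connector tries to hand over. The two
 * overrides below forward those calls to the endpoint exactly as the
 * HTTP/1.1 NIO protocol does, so the nested <SSLHostConfig> element in
 * server.xml is honoured.
 *
 * Connector definition this class is meant for (constructed example):
 *
 *   <Connector port="8009"
 *              protocol="com.example.ajptls.TlsAjpNioProtocol"
 *              SSLEnabled="true"
 *              address="127.0.0.1"
 *              secret="replace-with-a-long-random-value">
 *     <SSLHostConfig protocols="TLSv1.2"
 *                    certificateVerification="required"
 *                    truststoreFile="conf/front-end-ca.p12"
 *                    truststoreType="PKCS12"
 *                    truststorePassword="...">
 *       <Certificate certificateKeystoreFile="conf/ajp-keystore.xml"
 *                    certificateKeystoreType="XMLKS"
 *                    certificateKeystoreProvider="ExampleXmlProvider"
 *                    certificateKeystorePassword="..."/>
 *     </SSLHostConfig>
 *   </Connector>
 *
 * Notes on the attributes:
 *  - address pins the listener to loopback; AJP should never be reachable
 *    from anything but the front-end HTTP server.
 *  - secret is mandatory on 8.5.51 and later unless secretRequired="false";
 *    keep it even over TLS, it is a second factor for the AJP handshake.
 *  - certificateVerification="required" turns the link into mutual TLS, so
 *    only a front end presenting a certificate from front-end-ca.p12 can
 *    speak AJP at all.
 *  - certificateKeystoreType/Provider select the XML-backed KeyStore via
 *    the standard KeyStore SPI, the "just works" path Mark describes. A
 *    keystore that is not an SPI implementation needs a custom
 *    SSLImplementation selected with sslImplementationName instead.
 */
public class TlsAjpNioProtocol extends AjpNioProtocol {

    /** Forward each SSLHostConfig to the endpoint instead of discarding it. */
    @Override
    public void addSslHostConfig(SSLHostConfig sslHostConfig) {
        getEndpoint().addSslHostConfig(sslHostConfig);
    }

    /** Report the endpoint's real SSLHostConfig list so JMX and
     *  Connector.init() see what was configured. */
    @Override
    public SSLHostConfig[] findSslHostConfigs() {
        return getEndpoint().findSslHostConfigs();
    }
}
```

Compile the class against tomcat-coyote and tomcat-util-net of the exact 8.5.x release in use (getEndpoint() is protected API and its signature is not guaranteed across major versions), drop the jar into $CATALINA_HOME/lib, and reference the class in the protocol attribute as above. On the HTTP-server side the AJP module must then be one that can open a TLS client connection to the AJP port; if it cannot, Mark's first suggestion, a plain HTTPS Connector with the HTTP server proxying over HTTPS, removes the need for any custom protocol class.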