Hi,
Is the APR/native Connector dramatically faster than the Java NIO Blocking Connector, or is it marginal?
I'd love faster SSL but all my keys and certs are Java based (keytool). Will APR ever support Java SSL?
I find Java keytool to be reasonably easy to use. Is OpenSSL as easy to use?
Thanks for any input.
Pat
On Jun 10, 2011, at 3:59 PM, Christopher Schultz wrote:
Charles,
On 6/10/2011 9:25 AM, Charles Van Damme wrote:
10-jun-2011 15:14:11 org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: [...]
FWIW, that's just an INFO message, but if you are going to be using SSL, you might want to go ahead and install the APR library: your performance will improve measurably. Note that <Connector> configuration for an APR connector using SSL is completely different if you choose to go this route.
If you are not going to be using APR, you can disable the APR lifecycle listener because you aren't using it.
java.security.NoSuchAlgorithmException: RSA SSLContext not available
As Pid points out, it's pretty obvious that "RSA" is not a valid algorithm in this situation:
at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:490)
So, it's an SSL configuration problem. Let's look at your SSL <Connector>:
<!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 443 -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="443"
           maxThreads="150" scheme="https" secure="true"
           SSLEnabled="true"
           keystoreFile="C:/Documents and Settings/Papa/.keystore"
           keystorePass="changeit"
           clientAuth="false" sslProtocol="RSA" />
So, you have sslProtocol="RSA"... seems like a good place to look. If you check the <Connector> documentation, you can see that there are only a few recognized protocols you can choose.
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
Note that "protocol" refers to the protocol used for SSL, not for any specific cipher, key exchange strategy, etc. Unfortunately, the Tomcat documentation does not list all the available protocols, nor should it: the protocols available to you are determined by JVM support.
The Javadoc for javax.net.ssl.SSLContext.getInstance has a pointer to documentation for "standard names" (which takes you through several hops to) here:
http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#SSLContext
Those are the valid ssl protocol names you can choose.
If you want use only ciphers that use the RSA algorithm (which is really limiting, IMO), you can look up their names here (after scrolling a bit downward):
http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#jssenames
Just look for stuff like SSL_DH_DSS_blah_blah_blah.
Of course, support for a certain algorithm might not be available in your environment. It's best to find out what your JVM supports and use that.
I wrote a short bit of code a while back to determine the supported algorithms and the default cipher suite for an SSLSocketFactory. I'll try to dig it up and post it.
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
If you aren't using AJP, then disable the extra connector.
Hoping you are not overwhelmed. Anything else ?
You had other errors in the log file. After you get SSL working properly, stop Tomcat, delete all your logs and re-launch it. Anything that looks like an error should be investigated and fixed.
Feel free to come back to the list for help on those additional issues: just remember to start a new thread if you do.
- -chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Patrick Flaherty
Rampage Systems Inc.
411 Waverley Oaks Rd.
Suite 138
Waltham, MA. 02452-8405
781-891-9400 x239
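An added example, not the code Chris mentions (which never appeared in the thread) and not part of Tomcat: it lists the SSLContext names the running JVM registers, checks a candidate sslProtocol value with the same SSLContext.getInstance() lookup that JSSESocketFactory.createSSLContext performs, and prints the default SSLSocketFactory cipher suites. The class name SslSupportCheck is assumed.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Set;
import java.util.TreeSet;

/* Hypothetical helper (not from the thread): reports what this JVM's
 * providers actually offer, so sslProtocol and cipher names can be
 * checked before Tomcat fails at startup. */
public class SslSupportCheck {

    /* Names registered as SSLContext services by the installed providers;
     * these are the only usable values for Tomcat's sslProtocol attribute. */
    public static Set<String> supportedSslContextNames() {
        Set<String> names = new TreeSet<String>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SSLContext".equals(s.getType())) {
                    names.add(s.getAlgorithm());
                }
            }
        }
        return names;
    }

    /* Same lookup JSSESocketFactory.createSSLContext performs; "RSA" fails
     * here with the NoSuchAlgorithmException seen in Charles's log. */
    public static boolean isValidSslProtocol(String name) {
        try {
            SSLContext.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String candidate = args.length > 0 ? args[0] : "RSA"; // value from the failing <Connector>
        System.out.println("SSLContext names in this JVM: " + supportedSslContextNames());
        System.out.println("sslProtocol=\"" + candidate + "\" usable: " + isValidSslProtocol(candidate));
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        System.out.println("Default cipher suites of the default SSLSocketFactory:");
        for (String suite : factory.getDefaultCipherSuites()) System.out.println("  " + suite);
        System.out.println("Supported suites with plain RSA key exchange (the RSA-only choice Chris describes):");
        for (String suite : factory.getSupportedCipherSuites()) {
            if (suite.startsWith("SSL_RSA_") || suite.startsWith("TLS_RSA_")) System.out.println("  " + suite);
        }
    }
}
```

Run it with the JVM Tomcat uses (java SslSupportCheck TLS, for instance), since a different JVM may register different names.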