Discussion:
Tomcat 8.5 and TLS
Thad Humphries
2016-04-05 20:11:54 UTC
Permalink
My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS and TLS.

Since I eventually must demonstrate the various HTTPS approaches to others,
I have tried both the APR and the NIO implementation, as well as the
different <Connector> layouts in the docs (
http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File),
and the $CATALINA_BASE/conf/server.xml comments. I've gotten APR is
working both ways, but not quite NIO.

When I use the following connector for NIO (from the docs), my SSL works:

<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200" compression="on"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="conf/foo.jks" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>

However when I try the approach in the server.xml comments, Tomcat does not
start:

<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200" SSLEnabled="true"
scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig honorCipherOrder="false">
<Certificate certificateKeystoreFile="conf/foo.jks"
certificateKeystoreType="JKS"
certificateKeystorePassword="changeit"
certificateKeyAlias="tomcat"
type="RSA" />
</SSLHostConfig>
</Connector>

The error at the top of catalina.out is below. I'm trying to understand
why, both for myself and so that I can explain it to others. The "Caused
by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements
were provided for the host name [_default_]. Host names must be unique."
has me stumped as I have only the one uncommented SSLHostConfig in
server.xml.

(Once I have this second <Connector> working, I must make a write-up for
folks here, a write-up which I hope will be clearer and more direct than
the docs. I would be happy to offer that write-up to the wiki or docs.)

05-Apr-2016 15:32:42.642 SEVERE [main]
org.apache.tomcat.util.digester.Digester.endElement End event threw
exception
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:377)
at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:966)
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1783)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2970)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
at
com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
at
com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig
elements were provided for the host name [_default_]. Host names must be
unique.
at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:201)
at
org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:398)
at
org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:876)
... 26 more
--
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 121-24)
Rémy Maucherat
2016-04-05 20:25:53 UTC
Permalink
Post by Thad Humphries
My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS and TLS.
Since I eventually must demonstrate the various HTTPS approaches to others,
I have tried both the APR and the NIO implementation, as well as the
different <Connector> layouts in the docs (
http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
),
and the $CATALINA_BASE/conf/server.xml comments. I've gotten APR is
working both ways, but not quite NIO.
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200" compression="on"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="conf/foo.jks" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>
However when I try the approach in the server.xml comments, Tomcat does not
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200" SSLEnabled="true"
scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig honorCipherOrder="false">
<Certificate certificateKeystoreFile="conf/foo.jks"
certificateKeystoreType="JKS"
certificateKeystorePassword="changeit"
certificateKeyAlias="tomcat"
type="RSA" />
</SSLHostConfig>
</Connector>
The error at the top of catalina.out is below. I'm trying to understand
why, both for myself and so that I can explain it to others. The "Caused
by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements
were provided for the host name [_default_]. Host names must be unique."
has me stumped as I have only the one uncommented SSLHostConfig in
server.xml.
(Once I have this second <Connector> working, I must make a write-up for
folks here, a write-up which I hope will be clearer and more direct than
the docs. I would be happy to offer that write-up to the wiki or docs.)
You still have some attributes which should go into SSLHostConfig, so you
have two SNI for the default host (clientAuth and sslProtocol). BTW
sslProtocol is really useless.

Rémy
Post by Thad Humphries
05-Apr-2016 15:32:42.642 SEVERE [main]
org.apache.tomcat.util.digester.Digester.endElement End event threw
exception
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:377)
at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:966)
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1783)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2970)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
at
com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
at
com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig
elements were provided for the host name [_default_]. Host names must be
unique.
at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:201)
at
org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:398)
at
org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:876)
... 26 more
--
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 121-24)
Thad Humphries
2016-04-05 20:57:09 UTC
Permalink
Post by Thad Humphries
Post by Thad Humphries
My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS and TLS.
Since I eventually must demonstrate the various HTTPS approaches to
others,
Post by Thad Humphries
I have tried both the APR and the NIO implementation, as well as the
different <Connector> layouts in the docs (
http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
Post by Thad Humphries
),
and the $CATALINA_BASE/conf/server.xml comments. I've gotten APR is
working both ways, but not quite NIO.
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200" compression="on"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="conf/foo.jks" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
/>
Post by Thad Humphries
</Connector>
However when I try the approach in the server.xml comments, Tomcat does
not
Post by Thad Humphries
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200" SSLEnabled="true"
scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
/>
Post by Thad Humphries
<SSLHostConfig honorCipherOrder="false">
<Certificate certificateKeystoreFile="conf/foo.jks"
certificateKeystoreType="JKS"
certificateKeystorePassword="changeit"
certificateKeyAlias="tomcat"
type="RSA" />
</SSLHostConfig>
</Connector>
The error at the top of catalina.out is below. I'm trying to understand
why, both for myself and so that I can explain it to others. The "Caused
by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements
were provided for the host name [_default_]. Host names must be unique."
has me stumped as I have only the one uncommented SSLHostConfig in
server.xml.
(Once I have this second <Connector> working, I must make a write-up for
folks here, a write-up which I hope will be clearer and more direct than
the docs. I would be happy to offer that write-up to the wiki or docs.)
You still have some attributes which should go into SSLHostConfig, so you
have two SNI for the default host (clientAuth and sslProtocol). BTW
sslProtocol is really useless.
Rémy
I'm sorry, I'm not following you. Are you saying that to make the second
<Connector> work I must remove either clientAuth or sslProtocol? (No, I
must be mistaken--remove either/or and Tomcat still fails to start).

"BTW sslProtocol is really useless." does make sense. If so, I think I'm
hearing that I should not use the sslProtocol="TLS" attribute or the
<SSLHostConfig>
element. Is that right?

The 8.5 docs say
"As of Tomcat 9, the majority of the SSL configuration attributes in the
Connector are deprecated. If specified, they will be used to configure a
SSLHostConfig and Certificate for the sslDefaultHost. Note that if an
explicit SSLHostConfig element also exists for the sslDefaultHost then that
will be treated as a configuration error. It is expected that Tomcat 10
will drop support for the SSL configuration attributes in the Connector."

This confuses me. The 8.5 server.xml uses <SSLHostConfig> in its commented
examples while the 8.0 server.xml does not. And if SSL* attributes are
going away, why is <SSLHostConfig> now the example? And without SSL*, how
do I specify the certificates in an APR connector like this one (which is
the first I got working):

<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200" compression="on"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="conf/foo.pem"
SSLCertificateKeyFile="conf/foo-nopp.pem"
SSLVerifyClient="none" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>
Post by Thad Humphries
Post by Thad Humphries
05-Apr-2016 15:32:42.642 SEVERE [main]
org.apache.tomcat.util.digester.Digester.endElement End event threw
exception
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Post by Thad Humphries
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Post by Thad Humphries
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:377)
Post by Thad Humphries
at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:966)
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1783)
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2970)
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
Post by Thad Humphries
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Post by Thad Humphries
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Post by Thad Humphries
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig
elements were provided for the host name [_default_]. Host names must be
unique.
at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:201)
Post by Thad Humphries
at
org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:398)
Post by Thad Humphries
at
org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:876)
Post by Thad Humphries
... 26 more
--
"Hell hath no limits, nor is circumscrib'd In one self-place; but where
we
Post by Thad Humphries
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 121-24)
--
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 121-24)
Coty Sutherland
2016-04-06 16:17:32 UTC
Permalink
Hi Thad,

Hopefully I can help clear up some confusion here. I'd also suggest
watching the 8.5 connector video that markt presented here
for more information on the
connector changes introduced by 8.5. I found the bits on the SSL change
particularly informative as it was my first exposure to how tomcat9 handles
TLS, if you're interested in moving to the way that tomcat 9 handles SSL
with the upgrade to 8.5. Otherwise, you can use the same Connector tags
that you had before without change (I think).

In any case, I'll reply to your last inquiries in line below. I'm using
Tomcat 8.5.0.Beta and OpenJDK 8.
Are you saying that to make the second <Connector> work I must remove
either clientAuth or sslProtocol? (No, I must be mistaken--remove either/or
and Tomcat still fails to start).

Yes; you should remove _both_ of them and move that configuration into the
SSLHostConfig. You can find the replacements for them in the docs for
clientAuth and sslProtocol here
<https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2>;
I've tested this and it works for me. I believe that the reason behind this
(although I am no expert) is that tomcat is taking the old Connector
configuration that you have in place and creating a default SSLHostConfig
behind the scenes; this action causes a conflict with your defined
SSLHostConfig hence the exception about the multiple non-unique host names
and such.
"BTW sslProtocol is really useless." does make sense. If so, I think I'm hearing
that I should not use the sslProtocol="TLS" attribute or the
<SSLHostConfig> element. Is that right?

You don't need the sslProtocol attribute because you're just setting the
default value for TLS. As far as the SSLHostConfig goes, I think that's up
to you. For now, tomcat will take your old Connector configuration and
translate it behind the scenes into what it needs to function. If you do
use the SSLHostConfig tag, then you'll need to move all of the attributes
from the Connector to the SSLHostConfig that belong there; this is
basically upgrading your connector from the tomcat 8.0 syntax to tomcat 9's
syntax.
This confuses me. The 8.5 server.xml uses <SSLHostConfig> in its
commented examples while the 8.0 server.xml does not. And if SSL*
attributes are going away, why is <SSLHostConfig> now the example?

Tomcat 8.5 was forked from tomcat/trunk (tomcat9), which is where that
comes from. I think that the example was left there to encourage movement
to the tomcat 9 syntax because the older connector syntax will eventually
be removed. I do notice that the ssl-howto docs still refer to the tomcat8
syntax, so it doesn't seem like there is a unified message regarding which
one is the preferred method (they're both still correct and will work when
the hosts don't conflict).
And without SSL*, how do I specify the certificates in an APR connector
like this one (which is the first I got working):

All of the SSL* attributes from the connector were migrated to the
SSLHostConfig and it's new tags.

Let me know if any of my response was vague and I'll try and clarify.
Post by Thad Humphries
Post by Thad Humphries
My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS and TLS.
Since I eventually must demonstrate the various HTTPS approaches to
others,
Post by Thad Humphries
I have tried both the APR and the NIO implementation, as well as the
different <Connector> layouts in the docs (
http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
Post by Thad Humphries
Post by Thad Humphries
),
and the $CATALINA_BASE/conf/server.xml comments. I've gotten APR is
working both ways, but not quite NIO.
When I use the following connector for NIO (from the docs), my SSL
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200" compression="on"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="conf/foo.jks" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS">
<UpgradeProtocol
className="org.apache.coyote.http2.Http2Protocol"
Post by Thad Humphries
/>
Post by Thad Humphries
</Connector>
However when I try the approach in the server.xml comments, Tomcat does
not
Post by Thad Humphries
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200" SSLEnabled="true"
scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS">
<UpgradeProtocol
className="org.apache.coyote.http2.Http2Protocol"
Post by Thad Humphries
/>
Post by Thad Humphries
<SSLHostConfig honorCipherOrder="false">
<Certificate certificateKeystoreFile="conf/foo.jks"
certificateKeystoreType="JKS"
certificateKeystorePassword="changeit"
certificateKeyAlias="tomcat"
type="RSA" />
</SSLHostConfig>
</Connector>
The error at the top of catalina.out is below. I'm trying to understand
why, both for myself and so that I can explain it to others. The
"Caused
Post by Thad Humphries
Post by Thad Humphries
by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements
were provided for the host name [_default_]. Host names must be
unique."
Post by Thad Humphries
Post by Thad Humphries
has me stumped as I have only the one uncommented SSLHostConfig in
server.xml.
(Once I have this second <Connector> working, I must make a write-up
for
Post by Thad Humphries
Post by Thad Humphries
folks here, a write-up which I hope will be clearer and more direct
than
Post by Thad Humphries
Post by Thad Humphries
the docs. I would be happy to offer that write-up to the wiki or docs.)
You still have some attributes which should go into SSLHostConfig, so you
have two SNI for the default host (clientAuth and sslProtocol). BTW
sslProtocol is really useless.
Rémy
I'm sorry, I'm not following you. Are you saying that to make the second
<Connector> work I must remove either clientAuth or sslProtocol? (No, I
must be mistaken--remove either/or and Tomcat still fails to start).
"BTW sslProtocol is really useless." does make sense. If so, I think I'm
hearing that I should not use the sslProtocol="TLS" attribute or the
<SSLHostConfig>
element. Is that right?
The 8.5 docs say
"As of Tomcat 9, the majority of the SSL configuration attributes in the
Connector are deprecated. If specified, they will be used to configure a
SSLHostConfig and Certificate for the sslDefaultHost. Note that if an
explicit SSLHostConfig element also exists for the sslDefaultHost then that
will be treated as a configuration error. It is expected that Tomcat 10
will drop support for the SSL configuration attributes in the Connector."
This confuses me. The 8.5 server.xml uses <SSLHostConfig> in its commented
examples while the 8.0 server.xml does not. And if SSL* attributes are
going away, why is <SSLHostConfig> now the example? And without SSL*, how
do I specify the certificates in an APR connector like this one (which is
<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200" compression="on"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="conf/foo.pem"
SSLCertificateKeyFile="conf/foo-nopp.pem"
SSLVerifyClient="none" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>
Post by Thad Humphries
Post by Thad Humphries
05-Apr-2016 15:32:42.642 SEVERE [main]
org.apache.tomcat.util.digester.Digester.endElement End event threw
exception
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Post by Thad Humphries
Post by Thad Humphries
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Post by Thad Humphries
Post by Thad Humphries
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:377)
Post by Thad Humphries
Post by Thad Humphries
at
org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
Post by Thad Humphries
Post by Thad Humphries
at
org.apache.tomcat.util.digester.Digester.endElement(Digester.java:966)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1783)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2970)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
Post by Thad Humphries
Post by Thad Humphries
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Post by Thad Humphries
Post by Thad Humphries
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Post by Thad Humphries
Post by Thad Humphries
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig
elements were provided for the host name [_default_]. Host names must
be
Post by Thad Humphries
Post by Thad Humphries
unique.
at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:201)
Post by Thad Humphries
Post by Thad Humphries
at
org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:398)
Post by Thad Humphries
Post by Thad Humphries
at
org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:876)
Post by Thad Humphries
Post by Thad Humphries
... 26 more
--
"Hell hath no limits, nor is circumscrib'd In one self-place; but where
we
Post by Thad Humphries
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 121-24)
--
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 121-24)
--
Coty Sutherland, RHCSA, RHCE, JBCAA
Senior Software Engineer @ Red Hat, Inc.
100 East Davie Street
Raleigh, NC 27606

Email: ***@redhat.com
IRC Nickname: coty
Office: 919-890-8303
Thad Humphries
2016-04-06 19:58:24 UTC
Permalink
Post by Coty Sutherland
Hi Thad,
Hopefully I can help clear up some confusion here. I'd also suggest
watching the 8.5 connector video that markt presented here
http://youtu.be/LBSWixIwMmU for more information on the
connector changes introduced by 8.5. I found the bits on the SSL change
particularly informative as it was my first exposure to how tomcat9 handles
TLS, if you're interested in moving to the way that tomcat 9 handles SSL
with the upgrade to 8.5. Otherwise, you can use the same Connector tags
that you had before without change (I think).
In any case, I'll reply to your last inquiries in line below. I'm using
Tomcat 8.5.0.Beta and OpenJDK 8.
Are you saying that to make the second <Connector> work I must remove
either clientAuth or sslProtocol? (No, I must be mistaken--remove either/or
and Tomcat still fails to start).
Yes; you should remove _both_ of them and move that configuration into the
SSLHostConfig. You can find the replacements for them in the docs for
clientAuth and sslProtocol here
<
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
;
I've tested this and it works for me. I believe that the reason behind this
(although I am no expert) is that tomcat is taking the old Connector
configuration that you have in place and creating a default SSLHostConfig
behind the scenes; this action causes a conflict with your defined
SSLHostConfig hence the exception about the multiple non-unique host names
and such.
"BTW sslProtocol is really useless." does make sense. If so, I think I'm
hearing
that I should not use the sslProtocol="TLS" attribute or the
<SSLHostConfig> element. Is that right?
You don't need the sslProtocol attribute because you're just setting the
default value for TLS. As far as the SSLHostConfig goes, I think that's up
to you. For now, tomcat will take your old Connector configuration and
translate it behind the scenes into what it needs to function. If you do
use the SSLHostConfig tag, then you'll need to move all of the attributes
from the Connector to the SSLHostConfig that belong there; this is
basically upgrading your connector from the tomcat 8.0 syntax to tomcat 9's
syntax.
This confuses me. The 8.5 server.xml uses <SSLHostConfig> in its
commented examples while the 8.0 server.xml does not. And if SSL*
attributes are going away, why is <SSLHostConfig> now the example?
Tomcat 8.5 was forked from tomcat/trunk (tomcat9), which is where that
comes from. I think that the example was left there to encourage movement
to the tomcat 9 syntax because the older connector syntax will eventually
be removed. I do notice that the ssl-howto docs still refer to the tomcat8
syntax, so it doesn't seem like there is a unified message regarding which
one is the preferred method (they're both still correct and will work when
the hosts don't conflict).
And without SSL*, how do I specify the certificates in an APR connector
All of the SSL* attributes from the connector were migrated to the
SSLHostConfig and it's new tags.
Let me know if any of my response was vague and I'll try and clarify.
Thank you, Coty. I think that answered my questions (the video was useful,
too).

So, for the record--and I hope I've labeled them correctly--I have gotten
the configurations below to come up on Mac OSX 10.10.5 with Java 1.8.0_77.
My OpenSSL is 1.0.2g 1 Mar 2016, and my Tomcat native library is 1.2.5,
both installed with Homebrew.

<!-- NIO connector with JSSE -->
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200" SSLEnabled="true" compression="on"
scheme="https" secure="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig honorCipherOrder="false">
<Certificate certificateKeystoreFile="conf/foo.jks"
certificateKeystorePassword="changeit"
certificateKeyAlias="tomcat"
type="RSA" />
</SSLHostConfig>
</Connector>

<!-- NIO connector with OpenSSL -->
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200" SSLEnabled="true" compression="on"
scheme="https" secure="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig honorCipherOrder="false">
<Certificate certificateKeyFile="conf/foo-nopp.pem"
certificateFile="conf/foo.pem"
type="RSA" />
</SSLHostConfig>
</Connector>

<!-- APR/Tomcat native connector with OpenSSL -->
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="200" SSLEnabled="true" compression="on"
scheme="https" secure="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig honorCipherOrder="false" >
<Certificate certificateKeyFile="conf/foo-nopp.pem"
certificateFile="conf/foo.pem"
type="RSA" />
</SSLHostConfig>
</Connector>

Now to see if this breaks any of my apps. :)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS
and
Post by Thad Humphries
Post by Thad Humphries
TLS.
Since I eventually must demonstrate the various HTTPS approaches to
others,
Post by Thad Humphries
I have tried both the APR and the NIO implementation, as well as the
different <Connector> layouts in the docs (
http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
Post by Thad Humphries
Post by Thad Humphries
),
and the $CATALINA_BASE/conf/server.xml comments. I've gotten APR is
working both ways, but not quite NIO.
When I use the following connector for NIO (from the docs), my SSL
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200" compression="on"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="conf/foo.jks" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS">
<UpgradeProtocol
className="org.apache.coyote.http2.Http2Protocol"
Post by Thad Humphries
/>
Post by Thad Humphries
</Connector>
However when I try the approach in the server.xml comments, Tomcat
does
Post by Thad Humphries
not
Post by Thad Humphries
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200" SSLEnabled="true"
scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS">
<UpgradeProtocol
className="org.apache.coyote.http2.Http2Protocol"
Post by Thad Humphries
/>
Post by Thad Humphries
<SSLHostConfig honorCipherOrder="false">
<Certificate certificateKeystoreFile="conf/foo.jks"
certificateKeystoreType="JKS"
certificateKeystorePassword="changeit"
certificateKeyAlias="tomcat"
type="RSA" />
</SSLHostConfig>
</Connector>
The error at the top of catalina.out is below. I'm trying to
understand
Post by Thad Humphries
Post by Thad Humphries
why, both for myself and so that I can explain it to others. The
"Caused
Post by Thad Humphries
Post by Thad Humphries
by: java.lang.IllegalArgumentException: Multiple SSLHostConfig
elements
Post by Thad Humphries
Post by Thad Humphries
were provided for the host name [_default_]. Host names must be
unique."
Post by Thad Humphries
Post by Thad Humphries
has me stumped as I have only the one uncommented SSLHostConfig in
server.xml.
(Once I have this second <Connector> working, I must make a write-up
for
Post by Thad Humphries
Post by Thad Humphries
folks here, a write-up which I hope will be clearer and more direct
than
Post by Thad Humphries
Post by Thad Humphries
the docs. I would be happy to offer that write-up to the wiki or
docs.)
Post by Thad Humphries
You still have some attributes which should go into SSLHostConfig, so
you
Post by Thad Humphries
have two SNI for the default host (clientAuth and sslProtocol). BTW
sslProtocol is really useless.
Rémy
I'm sorry, I'm not following you. Are you saying that to make the second
<Connector> work I must remove either clientAuth or sslProtocol? (No, I
must be mistaken--remove either/or and Tomcat still fails to start).
"BTW sslProtocol is really useless." does make sense. If so, I think I'm
hearing that I should not use the sslProtocol="TLS" attribute or the
<SSLHostConfig>
element. Is that right?
The 8.5 docs say
"As of Tomcat 9, the majority of the SSL configuration attributes in the
Connector are deprecated. If specified, they will be used to configure a
SSLHostConfig and Certificate for the sslDefaultHost. Note that if an
explicit SSLHostConfig element also exists for the sslDefaultHost then
that
will be treated as a configuration error. It is expected that Tomcat 10
will drop support for the SSL configuration attributes in the Connector."
This confuses me. The 8.5 server.xml uses <SSLHostConfig> in its
commented
examples while the 8.0 server.xml does not. And if SSL* attributes are
going away, why is <SSLHostConfig> now the example? And without SSL*, how
do I specify the certificates in an APR connector like this one (which is
<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200" compression="on"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="conf/foo.pem"
SSLCertificateKeyFile="conf/foo-nopp.pem"
SSLVerifyClient="none" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
/>
</Connector>
Post by Thad Humphries
Post by Thad Humphries
05-Apr-2016 15:32:42.642 SEVERE [main]
org.apache.tomcat.util.digester.Digester.endElement End event threw
exception
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Post by Thad Humphries
Post by Thad Humphries
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Post by Thad Humphries
Post by Thad Humphries
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:377)
Post by Thad Humphries
Post by Thad Humphries
at
org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
Post by Thad Humphries
Post by Thad Humphries
at
org.apache.tomcat.util.digester.Digester.endElement(Digester.java:966)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1783)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2970)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
Post by Thad Humphries
Post by Thad Humphries
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Post by Thad Humphries
Post by Thad Humphries
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Post by Thad Humphries
Post by Thad Humphries
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig
elements were provided for the host name [_default_]. Host names must
be
Post by Thad Humphries
Post by Thad Humphries
unique.
at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:201)
Post by Thad Humphries
Post by Thad Humphries
at
org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:398)
Post by Thad Humphries
Post by Thad Humphries
at
org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:876)
Post by Thad Humphries
Post by Thad Humphries
... 26 more
--
"Hell hath no limits, nor is circumscrib'd In one self-place; but
where
Post by Thad Humphries
we
Post by Thad Humphries
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 121-24)
--
"Hell hath no limits, nor is circumscrib'd In one self-place; but where
we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 121-24)
--
Coty Sutherland, RHCSA, RHCE, JBCAA
100 East Davie Street
Raleigh, NC 27606
IRC Nickname: coty
Office: 919-890-8303
--
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 121-24)
Coty Sutherland
2016-04-07 13:24:50 UTC
Permalink
I'm glad I was able to help, Thad. Good luck! Let me know if you have any
other questions regarding the connectors (or anything else, in a separate
thread please).
Post by Coty Sutherland
Post by Coty Sutherland
Hi Thad,
Hopefully I can help clear up some confusion here. I'd also suggest
watching the 8.5 connector video that markt presented here
http://youtu.be/LBSWixIwMmU for more information on
the
Post by Coty Sutherland
connector changes introduced by 8.5. I found the bits on the SSL change
particularly informative as it was my first exposure to how tomcat9
handles
Post by Coty Sutherland
TLS, if you're interested in moving to the way that tomcat 9 handles SSL
with the upgrade to 8.5. Otherwise, you can use the same Connector tags
that you had before without change (I think).
In any case, I'll reply to your last inquiries in line below. I'm using
Tomcat 8.5.0.Beta and OpenJDK 8.
Are you saying that to make the second <Connector> work I must remove
either clientAuth or sslProtocol? (No, I must be mistaken--remove
either/or
Post by Coty Sutherland
and Tomcat still fails to start).
Yes; you should remove _both_ of them and move that configuration into
the
Post by Coty Sutherland
SSLHostConfig. You can find the replacements for them in the docs for
clientAuth and sslProtocol here
<
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
Post by Coty Sutherland
;
I've tested this and it works for me. I believe that the reason behind
this
Post by Coty Sutherland
(although I am no expert) is that tomcat is taking the old Connector
configuration that you have in place and creating a default SSLHostConfig
behind the scenes; this action causes a conflict with your defined
SSLHostConfig hence the exception about the multiple non-unique host
names
Post by Coty Sutherland
and such.
"BTW sslProtocol is really useless." does make sense. If so, I think
I'm
Post by Coty Sutherland
hearing
that I should not use the sslProtocol="TLS" attribute or the
<SSLHostConfig> element. Is that right?
You don't need the sslProtocol attribute because you're just setting the
default value for TLS. As far as the SSLHostConfig goes, I think that's
up
Post by Coty Sutherland
to you. For now, tomcat will take your old Connector configuration and
translate it behind the scenes into what it needs to function. If you do
use the SSLHostConfig tag, then you'll need to move all of the attributes
from the Connector to the SSLHostConfig that belong there; this is
basically upgrading your connector from the tomcat 8.0 syntax to tomcat
9's
Post by Coty Sutherland
syntax.
This confuses me. The 8.5 server.xml uses <SSLHostConfig> in its
commented examples while the 8.0 server.xml does not. And if SSL*
attributes are going away, why is <SSLHostConfig> now the example?
Tomcat 8.5 was forked from tomcat/trunk (tomcat9), which is where that
comes from. I think that the example was left there to encourage movement
to the tomcat 9 syntax because the older connector syntax will eventually
be removed. I do notice that the ssl-howto docs still refer to the
tomcat8
Post by Coty Sutherland
syntax, so it doesn't seem like there is a unified message regarding
which
Post by Coty Sutherland
one is the preferred method (they're both still correct and will work
when
Post by Coty Sutherland
the hosts don't conflict).
And without SSL*, how do I specify the certificates in an APR connector
All of the SSL* attributes from the connector were migrated to the
SSLHostConfig and it's new tags.
Let me know if any of my response was vague and I'll try and clarify.
Thank you, Coty. I think that answered my questions (the video was useful,
too).
So, for the record--and I hope I've labeled them correctly--I have gotten
the configurations below to come up on Mac OSX 10.10.5 with Java 1.8.0_77.
My OpenSSL is 1.0.2g 1 Mar 2016, and my Tomcat native library is 1.2.5,
both installed with Homebrew.
<!-- NIO connector with JSSE -->
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200" SSLEnabled="true" compression="on"
scheme="https" secure="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig honorCipherOrder="false">
<Certificate certificateKeystoreFile="conf/foo.jks"
certificateKeystorePassword="changeit"
certificateKeyAlias="tomcat"
type="RSA" />
</SSLHostConfig>
</Connector>
<!-- NIO connector with OpenSSL -->
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200" SSLEnabled="true" compression="on"
scheme="https" secure="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig honorCipherOrder="false">
<Certificate certificateKeyFile="conf/foo-nopp.pem"
certificateFile="conf/foo.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
<!-- APR/Tomcat native connector with OpenSSL -->
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="200" SSLEnabled="true" compression="on"
scheme="https" secure="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig honorCipherOrder="false" >
<Certificate certificateKeyFile="conf/foo-nopp.pem"
certificateFile="conf/foo.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
Now to see if this breaks any of my apps. :)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS
and
Post by Thad Humphries
Post by Thad Humphries
TLS.
Since I eventually must demonstrate the various HTTPS approaches to
others,
Post by Thad Humphries
I have tried both the APR and the NIO implementation, as well as
the
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
different <Connector> layouts in the docs (
http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
),
and the $CATALINA_BASE/conf/server.xml comments. I've gotten APR
is
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
working both ways, but not quite NIO.
When I use the following connector for NIO (from the docs), my SSL
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200" compression="on"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="conf/foo.jks" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS">
<UpgradeProtocol
className="org.apache.coyote.http2.Http2Protocol"
Post by Thad Humphries
/>
Post by Thad Humphries
</Connector>
However when I try the approach in the server.xml comments, Tomcat
does
Post by Thad Humphries
not
Post by Thad Humphries
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200" SSLEnabled="true"
scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS">
<UpgradeProtocol
className="org.apache.coyote.http2.Http2Protocol"
Post by Thad Humphries
/>
Post by Thad Humphries
<SSLHostConfig honorCipherOrder="false">
<Certificate certificateKeystoreFile="conf/foo.jks"
certificateKeystoreType="JKS"
certificateKeystorePassword="changeit"
certificateKeyAlias="tomcat"
type="RSA" />
</SSLHostConfig>
</Connector>
The error at the top of catalina.out is below. I'm trying to
understand
Post by Thad Humphries
Post by Thad Humphries
why, both for myself and so that I can explain it to others. The
"Caused
Post by Thad Humphries
Post by Thad Humphries
by: java.lang.IllegalArgumentException: Multiple SSLHostConfig
elements
Post by Thad Humphries
Post by Thad Humphries
were provided for the host name [_default_]. Host names must be
unique."
Post by Thad Humphries
Post by Thad Humphries
has me stumped as I have only the one uncommented SSLHostConfig in
server.xml.
(Once I have this second <Connector> working, I must make a
write-up
Post by Coty Sutherland
for
Post by Thad Humphries
Post by Thad Humphries
folks here, a write-up which I hope will be clearer and more direct
than
Post by Thad Humphries
Post by Thad Humphries
the docs. I would be happy to offer that write-up to the wiki or
docs.)
Post by Thad Humphries
You still have some attributes which should go into SSLHostConfig, so
you
Post by Thad Humphries
have two SNI for the default host (clientAuth and sslProtocol). BTW
sslProtocol is really useless.
Rémy
I'm sorry, I'm not following you. Are you saying that to make the
second
Post by Coty Sutherland
<Connector> work I must remove either clientAuth or sslProtocol? (No, I
must be mistaken--remove either/or and Tomcat still fails to start).
"BTW sslProtocol is really useless." does make sense. If so, I think
I'm
Post by Coty Sutherland
hearing that I should not use the sslProtocol="TLS" attribute or the
<SSLHostConfig>
element. Is that right?
The 8.5 docs say
"As of Tomcat 9, the majority of the SSL configuration attributes in
the
Post by Coty Sutherland
Connector are deprecated. If specified, they will be used to configure
a
Post by Coty Sutherland
SSLHostConfig and Certificate for the sslDefaultHost. Note that if an
explicit SSLHostConfig element also exists for the sslDefaultHost then
that
will be treated as a configuration error. It is expected that Tomcat 10
will drop support for the SSL configuration attributes in the
Connector."
Post by Coty Sutherland
This confuses me. The 8.5 server.xml uses <SSLHostConfig> in its
commented
examples while the 8.0 server.xml does not. And if SSL* attributes are
going away, why is <SSLHostConfig> now the example? And without SSL*,
how
Post by Coty Sutherland
do I specify the certificates in an APR connector like this one (which
is
Post by Coty Sutherland
<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200" compression="on"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="conf/foo.pem"
SSLCertificateKeyFile="conf/foo-nopp.pem"
SSLVerifyClient="none" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2">
<UpgradeProtocol
className="org.apache.coyote.http2.Http2Protocol"
Post by Coty Sutherland
/>
</Connector>
Post by Thad Humphries
Post by Thad Humphries
05-Apr-2016 15:32:42.642 SEVERE [main]
org.apache.tomcat.util.digester.Digester.endElement End event threw
exception
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:377)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at
org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
Post by Thad Humphries
Post by Thad Humphries
at
org.apache.tomcat.util.digester.Digester.endElement(Digester.java:966)
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1783)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2970)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at
com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at
org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.lang.IllegalArgumentException: Multiple
SSLHostConfig
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
elements were provided for the host name [_default_]. Host names
must
Post by Coty Sutherland
be
Post by Thad Humphries
Post by Thad Humphries
unique.
at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:201)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at
org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:398)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
at
org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:876)
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
... 26 more
--
"Hell hath no limits, nor is circumscrib'd In one self-place; but
where
Post by Thad Humphries
we
Post by Thad Humphries
are is hell, And where hell is, there must we ever be"
--Christopher
Post by Coty Sutherland
Post by Thad Humphries
Post by Thad Humphries
Marlowe, *Doctor Faustus* (v. 121-24)
--
"Hell hath no limits, nor is circumscrib'd In one self-place; but where
we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 121-24)
--
Coty Sutherland, RHCSA, RHCE, JBCAA
100 East Davie Street
Raleigh, NC 27606
IRC Nickname: coty
Office: 919-890-8303
--
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 121-24)
--
Coty Sutherland, RHCSA, RHCE, JBCAA
Senior Software Engineer @ Red Hat, Inc.
100 East Davie Street
Raleigh, NC 27606

Email: ***@redhat.com
IRC Nickname: coty
Office: 919-890-8303
Igor Cicimov
2016-04-06 07:00:01 UTC
Permalink
Post by Thad Humphries
My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS and TLS.
Since I eventually must demonstrate the various HTTPS approaches to others,
I have tried both the APR and the NIO implementation, as well as the
different <Connector> layouts in the docs (
http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
),
and the $CATALINA_BASE/conf/server.xml comments. I've gotten APR is
working both ways, but not quite NIO.
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200" compression="on"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="conf/foo.jks" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>
However when I try the approach in the server.xml comments, Tomcat does not
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200" SSLEnabled="true"
scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig honorCipherOrder="false">
<Certificate certificateKeystoreFile="conf/foo.jks"
certificateKeystoreType="JKS"
certificateKeystorePassword="changeit"
certificateKeyAlias="tomcat"
type="RSA" />
</SSLHostConfig>
</Connector>
The error at the top of catalina.out is below. I'm trying to understand
why, both for myself and so that I can explain it to others. The "Caused
by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements
were provided for the host name [_default_]. Host names must be unique."
has me stumped as I have only the one uncommented SSLHostConfig in
server.xml.
(Once I have this second <Connector> working, I must make a write-up for
folks here, a write-up which I hope will be clearer and more direct than
the docs. I would be happy to offer that write-up to the wiki or docs.)
05-Apr-2016 15:32:42.642 SEVERE [main]
org.apache.tomcat.util.digester.Digester.endElement End event threw
exception
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:377)
at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:966)
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1783)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2970)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
at
com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
at
com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
*Caused by: java.lang.*
*IllegalArgumentException: Multiple SSLHostConfig elements were provided
for the host name [_default_]. Host names must be unique.*
at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:201)
at
org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:398)
at
org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:876)
... 26 more
--
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 121-24)
Continue reading on narkive:
Loading...