- Introduction
- Attributes
- Nested Components
- Special Features
- HTTP/1.1 and HTTP/1.0 Support
- HTTP/2 Support
- Proxy Support
- Unix Domain Socket Support
- SSL Support
- SSL Support - SSLHostConfig
- SSL Support - Certificate
- SSL Support - Connector - NIO and NIO2
- SSL Support - OpenSSL's SSL_CONF API
- Key store types
- SSL Support - Connector - NIO and NIO2 (deprecated)
- SSL Support - Connector - APR/Native (deprecated)
- Connector Comparison
The HTTP Connector
Table of Contents
Introduction
The HTTP Connector element represents a Connector component that supports the HTTP/1.1 protocol. It enables Catalina to function as a stand-alone web server, in addition to its ability to execute servlets and JSP pages. A particular instance of this component listens for connections on a specific TCP port number on the server. One or more such Connectors can be configured as part of a single Service, each forwarding to the associated Engine to perform request processing and create the response.
If you wish to configure the Connector that is used
for connections to web servers using the AJP protocol (such as the
mod_jk 1.2.x
connector for Apache 1.3), please refer to the
AJP Connector documentation.
Each incoming, non-asynchronous request requires a thread for the duration
of that request. If more simultaneous requests are received than can be
handled by the currently available request processing threads, additional
threads will be created up to the configured maximum (the value of the
maxThreads
attribute). If still more simultaneous requests are
received, Tomcat will accept new connections until the current number of
connections reaches maxConnections
. Connections are queued inside
the server socket created by the Connector until a thread
becomes avaialble to process the connection. Once maxConnections
has been reached the operating system will queue further connections. The size
of the operating system provided connection queue may be controlled by the
acceptCount
attribute. If the operating system queue fills,
further connection requests may be refused or may time out.
Attributes
Common Attributes
All implementations of Connector support the following attributes:
Attribute | Description |
---|---|
allowTrace |
A boolean value which can be used to enable or disable the TRACE HTTP method. If not specified, this attribute is set to false. |
asyncTimeout |
The default timeout for asynchronous requests in milliseconds. If not specified, this attribute is set to the Servlet specification default of 30000 (30 seconds). |
discardFacades |
A boolean value which can be used to enable or disable the recycling
of the facade objects that isolate the container internal request
processing objects. If set to |
enableLookups |
Set to |
encodedSolidusHandling |
When set to |
maxCookieCount |
The maximum number of cookies that are permitted for a request. A value of less than zero means no limit. If not specified, a default value of 200 will be used. |
maxParameterCount |
The maximum number of parameter and value pairs (GET plus POST) which
will be automatically parsed by the container. Parameter and value pairs
beyond this limit will be ignored. A value of less than 0 means no limit.
If not specified, a default of 10000 is used. Note that
|
maxPostSize |
The maximum size in bytes of the POST which will be handled by
the container FORM URL parameter parsing. The limit can be disabled by
setting this attribute to a value less than zero. If not specified, this
attribute is set to 2097152 (2 megabytes). Note that the
|
maxSavePostSize |
The maximum size in bytes of the request body which will be saved/buffered by the container during FORM or CLIENT-CERT authentication or during HTTP/1.1 upgrade. For both types of authentication, the request body will be saved/buffered before the user is authenticated. For CLIENT-CERT authentication, the request body is buffered for the duration of the SSL handshake and the buffer emptied when the request is processed. For FORM authentication the POST is saved whilst the user is re-directed to the login form and is retained until the user successfully authenticates or the session associated with the authentication request expires. For HTTP/1.1 upgrade, the request body is buffered for the duration of the upgrade process. The limit can be disabled by setting this attribute to -1. Setting the attribute to zero will disable the saving of the requets body data during authentication and HTTP/1.1 upgrade. If not specified, this attribute is set to 4096 (4 kilobytes). |
parseBodyMethods |
A comma-separated list of HTTP methods for which request
bodies using |
port |
The TCP port number on which this Connector will create a server socket and await incoming connections. Your operating system will allow only one server application to listen to a particular port number on a particular IP address. If the special value of 0 (zero) is used, then Tomcat will select a free port at random to use for this connector. This is typically only useful in embedded and testing applications. |
protocol |
Sets the protocol to handle incoming traffic. The default value is
|
proxyName |
If this Connector is being used in a proxy
configuration, configure this attribute to specify the server name
to be returned for calls to |
proxyPort |
If this Connector is being used in a proxy
configuration, configure this attribute to specify the server port
to be returned for calls to |
redirectPort |
If this Connector is supporting non-SSL
requests, and a request is received for which a matching
|
scheme |
Set this attribute to the name of the protocol you wish to have
returned by calls to |
secure |
Set this attribute to |
URIEncoding |
This specifies the character encoding used to decode the URI bytes,
after %xx decoding the URL. The default value is |
useBodyEncodingForURI |
This specifies if the encoding specified in contentType should be used
for URI query parameters, instead of using the URIEncoding. This
setting is present for compatibility with Tomcat 4.1.x, where the
encoding specified in the contentType, or explicitly set using
Request.setCharacterEncoding method was also used for the parameters from
the URL. The default value is Notes: 1) This setting is applied only to the
query string of a request. Unlike |
useIPVHosts |
Set this attribute to |
xpoweredBy |
Set this attribute to |
Standard Implementation
The standard HTTP connectors (NIO, NIO2 and APR/native) all support the following attributes in addition to the common Connector attributes listed above.
Attribute | Description |
---|---|
acceptCount |
The maximum length of the operating system provided queue for incoming
connection requests when |
acceptorThreadPriority |
The priority of the acceptor thread. The thread used to accept
new connections. The default value is |
address |
For servers with more than one IP address, this attribute specifies
which address will be used for listening on the specified port. By
default, the connector will listen all local addresses. Unless the JVM is
configured otherwise using system properties, the Java based connectors
(NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured
with either |
allowHostHeaderMismatch |
By default Tomcat will reject requests that specify a host in the
request line but specify a different host in the host header. This
check can be disabled by setting this attribute to |
allowedTrailerHeaders |
By default Tomcat will ignore all trailer headers when processing chunked input. For a header to be processed, it must be added to this comma-separated list of header names. |
bindOnInit |
Controls when the socket used by the connector is bound. By default it
is bound when the connector is initiated and unbound when the connector is
destroyed. If set to |
clientCertProvider |
When client certificate information is presented in a form other than
instances of |
compressibleMimeType |
The value is a comma separated list of MIME types for which HTTP
compression may be used.
The default value is
|
compression |
The Connector may use HTTP/1.1 GZIP compression in an attempt to save server bandwidth. The acceptable values for the parameter is "off" (disable compression), "on" (allow compression, which causes text data to be compressed), "force" (forces compression in all cases), or a numerical integer value (which is equivalent to "on", but specifies the minimum amount of data before the output is compressed). If the content-length is not known and compression is set to "on" or more aggressive, the output will also be compressed. If not specified, this attribute is set to "off". Note: There is a tradeoff between using compression (saving
your bandwidth) and using the sendfile feature (saving your CPU cycles).
If the connector supports the sendfile feature, e.g. the NIO connector,
using sendfile will take precedence over compression. The symptoms will
be that static files greater that 48 Kb will be sent uncompressed.
You can turn off sendfile by setting |
compressionMinSize |
If compression is set to "on" then this attribute may be used to specify the minimum amount of data before the output is compressed. If not specified, this attribute is defaults to "2048". Units are in bytes. |
connectionLinger |
The number of seconds during which the sockets used by this
Connector will linger when they are closed. The default
value is |
connectionTimeout |
The number of milliseconds this Connector will wait,
after accepting a connection, for the request URI line to be
presented. Use a value of -1 to indicate no (i.e. infinite) timeout.
The default value is 60000 (i.e. 60 seconds) but note that the standard
server.xml that ships with Tomcat sets this to 20000 (i.e. 20 seconds).
Unless disableUploadTimeout is set to |
connectionUploadTimeout |
Specifies the timeout, in milliseconds, to use while a data upload is
in progress. This only takes effect if
disableUploadTimeout is set to |
continueResponseTiming |
When to respond with a
|
defaultSSLHostConfigName |
The name of the default SSLHostConfig that will be
used for secure connections (if this connector is configured for secure
connections) if the client connection does not provide SNI or if the SNI
is provided but does not match any configured
SSLHostConfig. If not specified the default value of
|
disableUploadTimeout |
This flag allows the servlet container to use a different, usually
longer connection timeout during data upload. If not specified, this
attribute is set to |
executor |
A reference to the name in an Executor element. If this attribute is set, and the named executor exists, the connector will use the executor, and all the other thread attributes will be ignored. Note that if a shared executor is not specified for a connector then the connector will use a private, internal executor to provide the thread pool. |
executorTerminationTimeoutMillis |
The time that the private internal executor will wait for request
processing threads to terminate before continuing with the process of
stopping the connector. If not set, the default is |
keepAliveTimeout |
The number of milliseconds this Connector will wait for another HTTP request before closing the connection. The default value is to use the value that has been set for the connectionTimeout attribute. Use a value of -1 to indicate no (i.e. infinite) timeout. |
maxConnections |
The maximum number of connections that the server will accept and
process at any given time. When this number has been reached, the server
will accept, but not process, one further connection. This additional
connection be blocked until the number of connections being processed
falls below maxConnections at which point the server will
start accepting and processing new connections again. Note that once the
limit has been reached, the operating system may still accept connections
based on the For NIO/NIO2 only, setting the value to -1, will disable the maxConnections feature and connections will not be counted. |
maxExtensionSize |
Limits the total length of chunk extensions in chunked HTTP requests.
If the value is |
maxHeaderCount |
The maximum number of headers in a request that are allowed by the container. A request that contains more headers than the specified limit will be rejected. A value of less than 0 means no limit. If not specified, a default of 100 is used. |
maxHttpHeaderSize |
The maximum size of the request and response HTTP header, specified in bytes. If not specified, this attribute is set to 8192 (8 KB). |
maxHttpRequestHeaderSize |
The maximum size of the request HTTP header, specified
in bytes. If not specified, this attribute is set to the value of
the |
maxHttpResponseHeaderSize |
The maximum size of the response HTTP header, specified
in bytes. If not specified, this attribute is set to the value of
the |
maxKeepAliveRequests |
The maximum number of HTTP requests which can be pipelined until the connection is closed by the server. Setting this attribute to 1 will disable HTTP/1.0 keep-alive, as well as HTTP/1.1 keep-alive and pipelining. Setting this to -1 will allow an unlimited amount of pipelined or keep-alive HTTP requests. If not specified, this attribute is set to 100. |
maxSwallowSize |
The maximum number of request body bytes (excluding transfer encoding overhead) that will be swallowed by Tomcat for an aborted upload. An aborted upload is when Tomcat knows that the request body is going to be ignored but the client still sends it. If Tomcat does not swallow the body the client is unlikely to see the response. If not specified the default of 2097152 (2 megabytes) will be used. A value of less than zero indicates that no limit should be enforced. |
maxThreads |
The maximum number of request processing threads to be created
by this Connector, which therefore determines the
maximum number of simultaneous requests that can be handled. If
not specified, this attribute is set to 200. If an executor is associated
with this connector, this attribute is ignored as the connector will
execute tasks using the executor rather than an internal thread pool. Note
that if an executor is configured any value set for this attribute will be
recorded correctly but it will be reported (e.g. via JMX) as
|
maxTrailerSize |
Limits the total length of trailing headers in the last chunk of
a chunked HTTP request. If the value is |
minSpareThreads |
The minimum number of threads always kept running. This includes both
active and idle threads. If not specified, the default of |
noCompressionStrongETag |
This flag configures whether resources with a strong ETag will be
considered for compression. If This attribute is deprecated. It will be removed in Tomcat 10 onwards
where it will be hard-coded to |
noCompressionUserAgents |
The value is a regular expression (using |
processorCache |
The protocol handler caches Processor objects to speed up performance.
This setting dictates how many of these objects get cached.
|
rejectIllegalHeader |
If an HTTP request is received that contains an illegal header name or
value (e.g. the header name is not a token) this setting determines if the
request will be rejected with a 400 response ( |
rejectIllegalHeaderName |
This attribute is deprecated. It will be removed in Tomcat 10 onwards. It is now an alias for rejectIllegalHeader. |
relaxedPathChars |
The HTTP/1.1
specification requires that certain characters are %nn encoded when
used in URI paths. Unfortunately, many user agents including all the major
browsers are not compliant with this specification and use these
characters in unencoded form. To prevent Tomcat rejecting such requests,
this attribute may be used to specify the additional characters to allow.
If not specified, no additional characters will be allowed. The value may
be any combination of the following characters:
|
relaxedQueryChars |
The HTTP/1.1
specification requires that certain characters are %nn encoded when
used in URI query strings. Unfortunately, many user agents including all
the major browsers are not compliant with this specification and use these
characters in unencoded form. To prevent Tomcat rejecting such requests,
this attribute may be used to specify the additional characters to allow.
If not specified, no additional characters will be allowed. The value may
be any combination of the following characters:
|
restrictedUserAgents |
The value is a regular expression (using |
server |
Overrides the Server header for the http response. If set, the value for this attribute overrides any Server header set by a web application. If not set, any value specified by the application is used. If the application does not specify a value then no Server header is set. |
serverRemoveAppProvidedValues |
If |
SSLEnabled |
Use this attribute to enable SSL traffic on a connector.
To turn on SSL handshake/encryption/decryption on a connector
set this value to |
tcpNoDelay |
If set to |
threadPriority |
The priority of the request processing threads within the JVM.
The default value is |
throwOnFailure |
If the Connector experiences an Exception during a Lifecycle transition
should the Exception be rethrown or logged? If not specified, the default
of |
useAsyncIO |
(bool) Use this attribute to enable or disable usage of the
asynchronous IO API. The default value is |
useKeepAliveResponseHeader |
(bool) Use this attribute to enable or disable the addition of the
|
Java TCP socket attributes
The NIO and NIO2 implementation support the following Java TCP socket attributes in addition to the common Connector and HTTP attributes listed above.
Attribute | Description |
---|---|
socket.rxBufSize |
(int)The socket receive buffer (SO_RCVBUF) size in bytes. JVM default used if not set. |
socket.txBufSize |
(int)The socket send buffer (SO_SNDBUF) size in bytes. JVM default used if not set. Care should be taken if explicitly setting this value. Very poor performance has been observed on some JVMs with values less than ~8k. |
socket.tcpNoDelay |
(bool)This is equivalent to standard attribute tcpNoDelay. |
socket.soKeepAlive |
(bool)Boolean value for the socket's keep alive setting (SO_KEEPALIVE). JVM default used if not set. |
socket.ooBInline |
(bool)Boolean value for the socket OOBINLINE setting. JVM default used if not set. |
socket.soReuseAddress |
(bool)Boolean value for the sockets reuse address option (SO_REUSEADDR). JVM default used if not set. |
socket.soLingerOn |
(bool)Boolean value for the sockets so linger option (SO_LINGER).
A value for the standard attribute connectionLinger
that is >=0 is equivalent to setting this to |
socket.soLingerTime |
(int)Value in seconds for the sockets so linger option (SO_LINGER).
This is equivalent to standard attribute
connectionLinger.
Both this attribute and |
socket.soTimeout |
This is equivalent to standard attribute connectionTimeout. |
socket.performanceConnectionTime |
(int)The first value for the performance settings. See Socket Performance Options. All three performance attributes must be set else the JVM defaults will be used for all three. |
socket.performanceLatency |
(int)The second value for the performance settings. See Socket Performance Options. All three performance attributes must be set else the JVM defaults will be used for all three. |
socket.performanceBandwidth |
(int)The third value for the performance settings. See Socket Performance Options. All three performance attributes must be set else the JVM defaults will be used for all three. |
socket.unlockTimeout |
(int) The timeout for a socket unlock. When a connector is stopped, it will try to release the acceptor thread by opening a connector to itself.
The default value is |
NIO specific configuration
The following attributes are specific to the NIO connector.
Attribute | Description |
---|---|
pollerThreadPriority |
(int)The priority of the poller threads.
The default value is |
selectorTimeout |
(int)The time in milliseconds to timeout on a select() for the
poller. This value is important, since connection clean up is done on
the same thread, so do not set this value to an extremely high one. The
default value is |
useSendfile |
(bool)Use this attribute to enable or disable sendfile capability.
The default value is |
socket.directBuffer |
(bool)Boolean value, whether to use direct ByteBuffers or java mapped
ByteBuffers. If |
socket.directSslBuffer |
(bool)Boolean value, whether to use direct ByteBuffers or java mapped
ByteBuffers for the SSL buffers. If |
socket.appReadBufSize |
(int)Each connection that is opened up in Tomcat get associated with
a read ByteBuffer. This attribute controls the size of this buffer. By
default this read buffer is sized at |
socket.appWriteBufSize |
(int)Each connection that is opened up in Tomcat get associated with
a write ByteBuffer. This attribute controls the size of this buffer. By
default this write buffer is sized at |
socket.bufferPool |
(int)The NIO connector uses a class called NioChannel that holds
elements linked to a socket. To reduce garbage collection, the NIO
connector caches these channel objects. This value specifies the size of
this cache. The default value is |
socket.bufferPoolSize |
(int)The NioChannel pool can also be size based, not used object
based. The size is calculated as follows: |
socket.processorCache |
(int)Tomcat will cache SocketProcessor objects to reduce garbage
collection. The integer value specifies how many objects to keep in the
cache at most. The default is |
socket.keyCache |
(int)Tomcat will cache KeyAttachment objects to reduce garbage
collection. The integer value specifies how many objects to keep in the
cache at most. The default is |
socket.eventCache |
(int)Tomcat will cache PollerEvent objects to reduce garbage
collection. The integer value specifies how many objects to keep in the
cache at most. The default is |
unixDomainSocketPath |
Where supported, the path to a Unix Domain Socket that this
Connector will create and await incoming connections.
When this is specified, the otherwise mandatory |
unixDomainSocketPathPermissions |
Where supported, the posix permissions that will be applied to the
to the Unix Domain Socket specified with
|
useInheritedChannel |
(bool)Defines if this connector should inherit an inetd/systemd network socket.
Only one connector can inherit a network socket. This can option can be
used to automatically start Tomcat once a connection request is made to
the systemd super daemon's port.
The default value is |
NIO2 specific configuration
The following attributes are specific to the NIO2 connector.
Attribute | Description |
---|---|
useSendfile |
(bool)Use this attribute to enable or disable sendfile capability.
The default value is |
socket.directBuffer |
(bool)Boolean value, whether to use direct ByteBuffers or java mapped
ByteBuffers. If |
socket.directSslBuffer |
(bool)Boolean value, whether to use direct ByteBuffers or java mapped
ByteBuffers for the SSL buffers. If |
socket.appReadBufSize |
(int)Each connection that is opened up in Tomcat get associated with
a read ByteBuffer. This attribute controls the size of this buffer. By
default this read buffer is sized at |
socket.appWriteBufSize |
(int)Each connection that is opened up in Tomcat get associated with
a write ByteBuffer. This attribute controls the size of this buffer. By
default this write buffer is sized at |
socket.bufferPool |
(int)The NIO2 connector uses a class called Nio2Channel that holds
elements linked to a socket. To reduce garbage collection, the NIO2
connector caches these channel objects. This value specifies the size of
this cache. The default value is |
socket.processorCache |
(int)Tomcat will cache SocketProcessor objects to reduce garbage
collection. The integer value specifies how many objects to keep in the
cache at most. The default is |
APR/native specific configuration
The following attributes are specific to the APR/native connector.
Attribute | Description |
---|---|
deferAccept |
Sets the |
ipv6v6only |
If listening on an IPv6 address on a dual stack system, should the
connector only listen on the IPv6 address? If not specified the default
is |
pollerThreadCount |
Number of threads used to poll kept alive connections. On Windows the default is chosen so that the sockets managed by each thread is less than 1024. For Linux the default is 1. Changing the default on Windows is likely to have a negative performance impact. |
pollTime |
Duration of a poll call in microseconds. Lowering this value will slightly decrease latency of connections being kept alive in some cases, but will use more CPU as more poll calls are being made. The default value is 2000 (2ms). |
sendfileSize |
Amount of sockets that the poller responsible for sending static files asynchronously can hold at a given time. Extra connections will be closed right away without any data being sent (resulting in a zero length file on the client side). Note that in most cases, sendfile is a call that will return right away (being taken care of "synchronously" by the kernel), and the sendfile poller will not be used, so the amount of static files which can be sent concurrently is much larger than the specified amount. The default value is 1024. |
threadPriority |
(int)The priority of the acceptor and poller threads.
The default value is |
useSendfile |
(bool)Use this attribute to enable or disable sendfile capability.
The default value is |
Nested Components
First implemented in Tomcat 9 and back-ported to 8.5, Tomcat now supports Server Name Indication (SNI). This allows multiple SSL configurations to be associated with a single secure connector with the configuration used for any given connection determined by the host name requested by the client. To facilitate this, the SSLHostConfig element was added which can be used to define one of these configurations. Any number of SSLHostConfig may be nested in a Connector. At the same time, support was added for multiple certificates to be associated with a single SSLHostConfig. Each SSL certificate is therefore configured in a Certificate element with in an SSLHostConfig. For further information, see the SSL Support section below.
When OpenSSL is providing the TLS implementation, one or more
OpenSSLConfCmd elements may be nested inside a
OpenSSLConf element to configure OpenSSL via OpenSSL's
SSL_CONF
API. A single OpenSSLConf element may
be nested in a SSLHostConfig element. For further
information, see the SSL Support section below
Special Features
HTTP/1.1 and HTTP/1.0 Support
This Connector supports all of the required features of the HTTP/1.1 protocol, as described in RFCs 7230-7235, including persistent connections, pipelining, expectations and chunked encoding. If the client supports only HTTP/1.0 or HTTP/0.9, the Connector will gracefully fall back to supporting this protocol as well. No special configuration is required to enable this support. The Connector also supports HTTP/1.0 keep-alive.
RFC 7230 requires that HTTP servers always begin their responses with
the highest HTTP version that they claim to support. Therefore, this
Connector will always return HTTP/1.1
at
the beginning of its responses.
HTTP/2 Support
HTTP/2 is support is provided for TLS (h2), non-TLS via HTTP upgrade (h2c)
and direct HTTP/2 (h2c) connections. To enable HTTP/2 support for an HTTP
connector the following UpgradeProtocol element must be
nested within the Connector with a
className attribute of
org.apache.coyote.http2.Http2Protocol
.
<Connector ... >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>
Because Java 8's TLS implementation does not support ALPN (which is
required for HTTP/2 over TLS), you must be using an OpenSSL based TLS
implementation to enable HTTP/2 support. See the
sslImplementationName
attribute of the
Connector.
Additional configuration attributes are available. See the HTTP/2 Upgrade Protocol documentation for details.
Proxy Support
The proxyName
and proxyPort
attributes can
be used when Tomcat is run behind a proxy server. These attributes
modify the values returned to web applications that call the
request.getServerName()
and request.getServerPort()
methods, which are often used to construct absolute URLs for redirects.
Without configuring these attributes, the values returned would reflect
the server name and port on which the connection from the proxy server
was received, rather than the server name and port to whom the client
directed the original request.
For more information, see the Proxy Support How-To.
Unix Domain Socket Support
When the unixDomainSocketPath
attribute is used, connectors
that support Unix Domain Sockets will bind to the socket at the given path.
For users of Java 16 and higher, support is provided within the NIO
connectors. For users of Java earlier than 16, support is provided by
the org.apache.coyote.http11.Http11AprProtocol
connector when
used with the Apache Tomcat Native library v1.2.26 and up, along with
Apache Portable Runtime v1.6 and higher.
The socket path is created with read and write permissions for all
users. To protect this socket, place it in a directory with suitable
permissions appropriately configured to restrict access as required.
Alternatively, on platforms that support posix permissions, the
permissions on the socket can be set directly with the
unixDomainSocketPathPermissions
option.
Tomcat will automatically remove the socket on server shutdown. If the socket already exists startup will fail. Care must be taken by the administrator to remove the socket after verifying that the socket isn't already being used by an existing Tomcat process.
The Unix Domain Socket can be accessed using the
--unix-socket
option of the curl
command line
client, and the Unix Domain Socket support in Apache HTTP server's
mod_proxy
module.
SSL Support
You can enable SSL support for a particular instance of this
Connector by setting the SSLEnabled
attribute to
true
.
You will also need to set the scheme
and secure
attributes to the values https
and true
respectively, to pass correct information to the servlets.
The NIO and NIO2 connectors use either the JSSE Java SSL implementation or an OpenSSL implementation, whereas the APR/native connector uses OpenSSL only. Prior to Tomcat 8.5, different configuration attributes were used for JSSE and OpenSSL. From Tomcat 8.5 onwards, and as far as possible, common configuration attributes are used for both JSSE and OpenSSL. Also if using the JSSE OpenSSL implementation, configuration can be set using either the JSSE or APR attributes (note: but not both types within the same configuration). This is to aid simpler switching between connector implementations for SSL connectors.
Each secure connector must define at least one
SSLHostConfig. The names of the
SSLHostConfig elements must be unique and one of them must
match the defaultSSLHostConfigName
attribute of the
Connector.
Each SSLHostConfig must in turn define at least one Certificate. The types of the Certificates must be unique.
As of Tomcat 8.5, the majority of the SSL configuration attributes in the
Connector are deprecated. If specified, they will be used to
configure a SSLHostConfig and Certificate
for the defaultSSLHostConfigName
. Note that if an explicit
SSLHostConfig element also exists for the
defaultSSLHostConfigName
then that will be treated as a configuration
error. It is expected that Tomcat 10 will drop support for the SSL
configuration attributes in the Connector.
In addition to the standard TLS related request attributes defined in section 3.10 of the Servlet specification, Tomcat supports a number of additional TLS related attributes. The full list may be found in the SSLSupport Javadoc.
For more information, see the SSL Configuration How-To.
SSL Support - SSLHostConfig
Attribute | Description |
---|---|
certificateRevocationListFile |
Name of the file that contains the concatenated certificate revocation
lists for the certificate authorities. The format is PEM-encoded. If not
defined, client certificates will not be checked against a certificate
revocation list (unless an OpenSSL based connector is used and
certificateRevocationListPath is defined). Relative paths
will be resolved against |
certificateRevocationListPath |
OpenSSL only. Name of the directory that contains the certificate revocation lists
for the certificate authorities. The format is PEM-encoded. Relative paths
will be resolved against |
certificateVerification |
Set to |
certificateVerificationDepth |
The maximum number of intermediate certificates that will be allowed when validating client certificates. If not specified, the default value of 10 will be used. |
caCertificateFile |
OpenSSL only. Name of the file that contains the concatenated certificates for the trusted certificate authorities. The format is PEM-encoded. |
caCertificatePath |
OpenSSL only. Name of the directory that contains the certificates for the trusted certificate authorities. The format is PEM-encoded. |
ciphers |
The ciphers to enable using the OpenSSL syntax. (See the OpenSSL documentation for the list of ciphers supported and the syntax). Alternatively, a comma separated list of ciphers using the standard OpenSSL cipher names or the standard JSSE cipher names may be used. When converting from OpenSSL syntax to JSSE ciphers for JSSE based connectors, the behaviour of the OpenSSL syntax parsing is kept aligned with the behaviour of the OpenSSL 1.1.0 development branch. Only the ciphers that are supported by the SSL implementation will be used. If not specified, a default (using the OpenSSL notation) of
Note that, by default, the order in which ciphers are defined is
treated as an order of preference. See |
disableCompression |
OpenSSL only. Configures if compression is disabled. The default is
|
disableSessionTickets |
OpenSSL only. Disables use of TLS session tickets (RFC 5077) if set to
|
honorCipherOrder |
Set to |
hostName |
The name of the SSL Host. This should either be the fully qualified
domain name (e.g. |
insecureRenegotiation |
OpenSSL only. Configures if insecure renegotiation is allowed. The default is
|
keyManagerAlgorithm |
JSSE only. The |
protocols |
The names of the protocols to support when communicating with clients. This should be a list of any combination of the following:
Each token in the list can be prefixed with a plus sign ("+") or a minus sign ("-"). A plus sign adds the protocol, a minus sign removes it form the current list. The list is built starting from an empty list. The token Note that Note that Note that If not specified, the default value of |
revocationEnabled |
JSSE only. Should the JSSE provider enable certificate revocation checks? If
certificateRevocationListFile is set then this attribute
is ignored and revocation checks are always enabled. This attribute is
intended to enable revocation checks that have been configured for the
current JSSE provider via other means. If not specified, a default of
|
sessionCacheSize |
The number of SSL sessions to maintain in the session cache. Specify
|
sessionTimeout |
The time, in seconds, after the creation of an SSL session that it will
timeout. Specify |
sslProtocol |
JSSE only. The SSL protocol(s) to use (a single value may enable multiple
protocols - see the JVM documentation for details). If not specified, the
default is |
trustManagerClassName |
JSSE only. The name of a custom trust manager class to use to validate client
certificates. The class must have a zero argument constructor and must
also implement |
truststoreAlgorithm |
JSSE only. The algorithm to use for truststore. If not specified, the default
value returned by
|
truststoreFile |
JSSE only. The trust store file to use to validate client certificates. The
default is the value of the |
truststorePassword |
JSSE only. The password to access the trust store. The default is the value of the
|
truststoreProvider |
JSSE only. The name of the truststore provider to be used for the server
certificate. The default is the value of the
|
truststoreType |
JSSE only. The type of key store used for the trust store. The default is the
value of the |
SSL Support - Certificate
Attribute | Description |
---|---|
certificateFile |
Name of the file that contains the server certificate. The format is
PEM-encoded. Relative paths will be resolved against
In addition to the certificate, the file can also contain as optional
elements DH parameters and/or an EC curve name for ephemeral keys, as
generated by |
certificateChainFile |
Name of the file that contains the certificate chain associated with
the server certificate used. The format is
PEM-encoded. Relative paths will be resolved against
The certificate chain used for Tomcat should not include the server certificate as its first element. Note that when using more than one certificate for different types, they all must use the same certificate chain. |
certificateKeyAlias |
JSSE only. The alias used for the server key and certificate in the keystore. If not specified, the first key read from the keystore will be used. The order in which keys are read from the keystore is implementation dependent. It may not be the case that keys are read from the keystore in the same order as they were added. If more than one key is present in the keystore it is strongly recommended that a keyAlias is configured to ensure that the correct key is used. |
certificateKeyFile |
Name of the file that contains the server private key. The format is
PEM-encoded. The default value is the value of
certificateFile and in this case both certificate and
private key have to be in this file (NOT RECOMMENDED). Relative paths will
be resolved against |
certificateKeyPassword |
The password used to access the private key associated with the server certificate from the specified file. If not specified, the default behaviour for JSSE is to use the certificateKeystorePassword. For OpenSSL the default behaviour is not to use a password. |
certificateKeystoreFile |
JSSE only. The pathname of the keystore file where you have stored the server
certificate and key to be loaded. By default, the pathname is the file
|
certificateKeystorePassword |
JSSE only. The password to use to access the keystore containing the server's
private key and certificate. If not specified, a default of
|
certificateKeystoreProvider |
JSSE only. The name of the keystore provider to be used for the server
certificate. If not specified, the value of the system property
|
certificateKeystoreType |
JSSE only. The type of keystore file to be used for the server certificate.
If not specified, the value of the system property
|
type |
The type of certificate. This is used to identify the ciphers that are
compatible with the certificate. It must be one of |
SSL Support - Connector - NIO and NIO2
When APR/native is enabled, the connectors will default to using OpenSSL through JSSE, which may be more optimized than the JSSE Java implementation depending on the processor being used, and can be complemented with many commercial accelerator components.
The following NIO and NIO2 SSL configuration attributes are not specific to a virtual host and, therefore, must be configured on the connector.
Attribute | Description |
---|---|
sniParseLimit |
In order to implement SNI support, Tomcat has to parse the first TLS
message received on a new TLS connection (the client hello) to extract the
requested server name. The message needs to be buffered so it can then be
passed to the JSSE implementation for normal TLS processing. In theory,
this first message could be very large although in practice it is
typically a few hundred bytes. This attribute sets the maximum message
size that Tomcat will buffer. If a message exceeds this size, the
connection will be configured as if no server name was indicated by the
client. If not specified a default of |
sslImplementationName |
The class name of the SSL implementation to use. If not specified and
the tomcat-native library is not installed, the
default of |
SSL Support - OpenSSL's SSL_CONF API
When OpenSSL is providing the TLS implementation, one or more
OpenSSLConfCmd elements may be nested inside a
OpenSSLConf element to configure OpenSSL via OpenSSL's
SSL_CONF
API. A single OpenSSLConf element may
be nested in a SSLHostConfig element.
The set of configuration file commands available depends on the OpenSSL version being used. For a list of supported command names and values, see the section Supported configuration file commands in the SSL_CONF_cmd(3) manual page for OpenSSL. Some of the configuration file commands can be used as alternatives to SSLHostConfig attributes. It is recommended that configuration file commands are only used where the feature cannot be configured using SSLHostConfig attributes.
The OpenSSLConf element does not support any attributes.
The OpenSSLConfCmd element supports the following attributes.
Attribute | Description |
---|---|
name |
The name of the configuration file command. |
value |
The value to use for the configuration file command. |
Key store types
In addition to the standard key store types (JKS and PKCS12), most Java runtimes support additional key store types such as Windows-ROOT, Windows-My, DKS as well as hardware security modules. Generally, to use these additional keystore types with a TLS Connector in Tomcat:
- Set the certificateKeystoreType and/or truststoreType Connector attribute (as appropriate) to the necessary type
- If a configuration file is required, set the certificateKeystoreFile and/or truststoreFile Connector attribute (as appropriate) to point to the file
- If no configuration file is required then you will almost certainly need to explicitly set the certificateKeystoreFile and/or truststoreFile Connector attribute (as appropriate) to the empty string ("")
- If a password is required, set the certificateKeystorePassword and/or truststorePassword Connector attribute (as appropriate) to the required password
- If no password is required then you will almost certainly need to explicitly set the certificateKeystorePassword and/or truststorePassword Connector attribute (as appropriate) to the empty string ("")
Variations in key store implementations, combined with the key store manipulation Tomcat does in the background to allow interoperability between JSSE and OpenSSL configuration styles, means that some keystores may need slightly different configuration. Assistance is always available from the Apache Tomcat users mailing list. We aim to document any key stores that vary from the above advice here. Currently there are none we are aware of.
SSL Support - Connector - NIO and NIO2 (deprecated)
The following NIO and NIO2 SSL configuration attributes have been
deprecated in favor of the default
SSLHostConfig element with
the hostName
of _default_
. If this
SSLHostConfig element is not
explicitly defined, it will be created..
Attribute | Description |
---|---|
algorithm |
This is an alias for the |
ciphers |
This is an alias for the |
clientAuth |
This is an alias for the |
crlFile |
This is an alias for the |
keyAlias |
This is an alias for the |
keyPass |
This is an alias for the |
keystoreFile |
This is an alias for the |
keystorePass |
This is an alias for the |
keystoreProvider |
This is an alias for the |
keystoreType |
This is an alias for the |
sessionCacheSize |
This is an alias for the |
sessionTimeout |
This is an alias for the |
sslEnabledProtocols |
This is an alias for the |
sslProtocol |
This is an alias for the |
trustManagerClassName |
This is an alias for the |
trustMaxCertLength |
This is an alias for the |
truststoreAlgorithm |
This is an alias for the |
truststoreFile |
This is an alias for the |
truststorePass |
This is an alias for the |
truststoreProvider |
This is an alias for the |
truststoreType |
This is an alias for the |
useServerCipherSuitesOrder |
This is an alias for the |
SSL Support - Connector - APR/Native (deprecated)
When APR/native is enabled, the HTTPS connector will use a socket poller for keep-alive, increasing scalability of the server. It also uses OpenSSL, which may be more optimized than JSSE depending on the processor being used, and can be complemented with many commercial accelerator components. Unlike the HTTP connector, the HTTPS connector cannot use sendfile to optimize static file processing.
The HTTPS APR/native connector has the same attributes than the HTTP APR/native connector, but adds OpenSSL specific ones. For the full details on using OpenSSL, please refer to OpenSSL documentations and the many books available for it (see the Official OpenSSL website). The SSL specific attributes for the APR/native connector are:
Attribute | Description |
---|---|
SSLCACertificateFile |
This is an alias for the |
SSLCACertificatePath |
This is an alias for the |
SSLCARevocationFile |
This is an alias for the |
SSLCARevocationPath |
This is an alias for the |
SSLCertificateFile |
This is an alias for the |
SSLCertificateKeyFile |
This is an alias for the |
SSLCipherSuite |
This is an alias for the |
SSLDisableCompression |
This is an alias for the |
SSLHonorCipherOrder |
This is an alias for the |
SSLPassword |
This is an alias for the |
SSLProtocol |
This is an alias for the |
SSLVerifyClient |
This is an alias for the |
SSLVerifyDepth |
This is an alias for the |
SSLDisableSessionTickets |
This is an alias for the |
Connector Comparison
Below is a small chart that shows how the connectors differ.
Java Nio Connector NIO |
Java Nio2 Connector NIO2 |
APR/native Connector APR |
|
---|---|---|---|
Classname | Http11NioProtocol |
Http11Nio2Protocol |
Http11AprProtocol |
Tomcat Version | since 6.0.x | since 8.0.x | since 5.5.x |
Support Polling | YES | YES | YES |
Polling Size | maxConnections |
maxConnections |
maxConnections |
Read Request Headers | Non Blocking | Non Blocking | Non Blocking |
Read Request Body | Blocking | Blocking | Blocking |
Write Response Headers and Body | Blocking | Blocking | Blocking |
Wait for next Request | Non Blocking | Non Blocking | Non Blocking |
SSL Support | Java SSL or OpenSSL | Java SSL or OpenSSL | OpenSSL |
SSL Handshake | Non blocking | Non blocking | Blocking |
Max Connections | maxConnections |
maxConnections |
maxConnections |