What is the difference between APR implementation of SSL and JSSE implementation of SSL on TOMCAT5.5
I'm configuring SSL to support HTTPS on TOMCAT 5.5, so I referred to http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, which elaborates on how to implement SSL.
This document describes two ways to implement SSL, namely the APR implementation and the JSSE implementation. I wonder what the difference between them is, including their shortcomings and advantages.
The difference is that the JDK uses its own SSL implementation, while APR uses whatever is installed on the computer, i.e. OpenSSL in most cases.
If you have low to medium traffic for https, the Java solution is just fine, but for very heavy load (e.g. when most pages run on https), the OpenSSL native solution is much better, and it can be recompiled and optimized, so it will run even faster and consume fewer resources. The main disadvantage of APR+OpenSSL, however, is that it requires more configuration, tuning and testing, while the Java version simply works out of the box.
What I usually do is always use the default Java SSL solution together with monitoring tools, and if the traffic turns heavy, then, and only then, spend the effort to tune the APR solution.
The following table, taken from the official Tomcat documentation, shows how the connectors relate to each other. The most important differences depicted in the table are:
- APR has been supported since Tomcat 5.5.x, NIO was added in Tomcat 6.x, and NIO2 was added in Tomcat 8.x.
- APR can only use OpenSSL, but NIO and NIO2 can use either JSSE or OpenSSL.
- APR blocks while performing SSL handshake, while the other two don't.
Also note this statement, which shows the high degree of compatibility between the configuration attributes of JSSE and OpenSSL since Tomcat 8.5:
The NIO and NIO2 connectors use either the JSSE Java SSL implementation or an OpenSSL implementation, whereas the APR/native connector uses OpenSSL only. Prior to Tomcat 8.5, different configuration attributes were used for JSSE and OpenSSL. From Tomcat 8.5 onwards, and as far as possible, common configuration attributes are used for both JSSE and OpenSSL. Also if using the JSSE OpenSSL implementation, configuration can be set using either the JSSE or APR attributes (note: but not both types within the same configuration). This is to aid simpler switching between connector implementations for SSL connectors.
The Tomcat SSL how-to has a section which digs deeper into the relationship between connectors. Here's how to force NIO or NIO2 to use JSSE:
<!-- Define an HTTP/1.1 Connector on port 8443, JSSE NIO implementation -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           port="8443" .../>
<!-- Define an HTTP/1.1 Connector on port 8443, JSSE NIO2 implementation -->
<Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           port="8443" .../>
And here's how to configure NIO to use OpenSSL (similarly for NIO2):
<!-- Define an HTTP/1.1 Connector on port 8443, JSSE NIO implementation and OpenSSL -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           .../>
Finally, to configure APR:
<!-- Define an HTTP/1.1 Connector on port 8443, APR implementation -->
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" .../>
When using APR, Tomcat might use an OpenSSL engine that is vulnerable to the Heartbleed bug (http://heartbleed.com). If so, you can simply switch in your server.xml from APR:
<!-- Define an APR SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" .../>
To the Java SSL implementation, which is not vulnerable to this bug:
<!-- Define a blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="8443" .../>
Or, if you would like to use APR anyway, make sure you use a Tomcat Native library that has been compiled against an OpenSSL version that is not vulnerable to Heartbleed (OpenSSL 1.0.1g or higher); see https://issues.apache.org/bugzilla/show_bug.cgi?id=56363.
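An added check, not part of the answer above: when the APR connector is in use, tcnative logs the OpenSSL version it initialised at startup, and this script pulls that version out of a catalina.out excerpt and reports whether it falls in the Heartbleed range (1.0.1 up to, but not including, the 1.0.1g fix named in the bug report). The log lines are constructed samples and their exact wording is an assumption; the regex only relies on the "OpenSSL <version>" fragment.

```python
import re
from typing import Optional, Tuple

VersionKey = Tuple[int, int, int, int]

# Matches "OpenSSL 1.0.1e", "OpenSSL 1.0.1e-fips" or "OpenSSL 1.0.2" (letter patch level optional).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)\b")


def version_key(version: str) -> VersionKey:
    """Turn '1.0.1g' into a comparable tuple (1, 0, 1, 7); a missing letter sorts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


HEARTBLEED_FIRST = version_key("1.0.1")   # first stable release with the heartbeat bug
HEARTBLEED_FIXED = version_key("1.0.1g")  # fixed release named in the Tomcat bug report


def heartbleed_affected(version: str) -> bool:
    """Stable OpenSSL 1.0.1 through 1.0.1f shipped the vulnerable heartbeat code; 0.9.8/1.0.0 did not."""
    return HEARTBLEED_FIRST <= version_key(version) < HEARTBLEED_FIXED


def openssl_version_from_log(log_text: str) -> Optional[str]:
    """Return the OpenSSL version tcnative reported, or None if no OpenSSL initialisation was logged."""
    for line in log_text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            return f"{m[1]}.{m[2]}.{m[3]}{m[4]}"
    return None


def audit_log(log_text: str) -> str:
    version = openssl_version_from_log(log_text)
    if version is None:
        return "no OpenSSL initialisation logged: APR is not loaded, so SSL (if any) is JSSE"
    if heartbleed_affected(version):
        return f"OpenSSL {version} is affected by Heartbleed: upgrade tcnative/OpenSSL or switch the connector to JSSE"
    return f"OpenSSL {version} is outside the Heartbleed range"


# Constructed sample of what AprLifecycleListener writes to catalina.out when tcnative loads
# (wording assumed; it differs between Tomcat releases).
SAMPLE_LOG = """\
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.4.8.
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
"""

if __name__ == "__main__":
    print(audit_log(SAMPLE_LOG))
```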
Tomcat versions earlier than 5.5.29 do not support the new connector attribute "allowUnsafeLegacyRenegotiation", and if you are using an old Java VM (JVM 1.6 or earlier without security patches) and do not want to update either Java or Tomcat, the only way is to use APR. See:
About security patches against RFC 5746 CVE-2009-3555
About Tomcat patches
About MITM vulnerability