The HTTP Connector

Table of Contents

Introduction

The HTTP Connector element represents a Connector component that supports the HTTP/1.1 protocol. It enables Catalina to function as a stand-alone web server, in addition to its ability to execute servlets and JSP pages. A particular instance of this component listens for connections on a specific TCP port number on the server. One or more such Connectors can be configured as part of a single Service, each forwarding to the associated Engine to perform request processing and create the response.

If you wish to configure the Connector that is used for connections to web servers using the AJP protocol (such as the mod_jk 1.2.x connector for Apache 1.3), please refer to the AJP Connector documentation.

Each incoming, non-asynchronous request requires a thread for the duration of that request. If more simultaneous requests are received than can be handled by the currently available request processing threads, additional threads will be created up to the configured maximum (the value of the maxThreads attribute). If still more simultaneous requests are received, Tomcat will accept new connections until the current number of connections reaches maxConnections. Connections are queued inside the server socket created by the Connector until a thread becomes available to process the connection. Once maxConnections has been reached the operating system will queue further connections. The size of the operating system provided connection queue may be controlled by the acceptCount attribute. If the operating system queue fills, further connection requests may be refused or may time out.

Attributes

Common Attributes

All implementations of Connector support the following attributes:

Attribute Description
allowTrace

A boolean value which can be used to enable or disable the TRACE HTTP method. If not specified, this attribute is set to false. As per RFC 7231 section 4.3.8, cookie and authorization headers will be excluded from the response to the TRACE request. If you wish to include these, you can implement the doTrace() method for the target Servlet and gain full control over the response.

asyncTimeout

The default timeout for asynchronous requests in milliseconds. If not specified, this attribute is set to the Servlet specification default of 30000 (30 seconds).

discardFacades

A boolean value which can be used to enable or disable the recycling of the facade objects that isolate the container internal request processing objects. If set to true the facades will be set for garbage collection after every request, otherwise they will be reused. This setting has no effect when the security manager is enabled. If not specified, this attribute is set to the value of the org.apache.catalina.connector.RECYCLE_FACADES system property, or true if not set.

enableLookups

Set to true if you want calls to request.getRemoteHost() to perform DNS lookups in order to return the actual host name of the remote client. Set to false to skip the DNS lookup and return the IP address in String form instead (thereby improving performance). By default, DNS lookups are disabled.

encodedSolidusHandling

When set to reject request paths containing a %2f sequence will be rejected with a 400 response. When set to decode request paths containing a %2f sequence will have that sequence decoded to / at the same time other %nn sequences are decoded. When set to passthrough request paths containing a %2f sequence will be processed with the %2f sequence unchanged. If not specified the default value is reject. This default may be modified if the deprecated system property org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH is set.

maxCookieCount

The maximum number of cookies that are permitted for a request. A value of less than zero means no limit. If not specified, a default value of 200 will be used.

maxParameterCount

The maximum total number of request parameters (including uploaded files) obtained from the query string and, for POST requests, the request body if the content type is application/x-www-form-urlencoded or multipart/form-data. Request parameters beyond this limit will be ignored. A value of less than 0 means no limit. If not specified, a default of 10000 is used. Note that FailedRequestFilter filter can be used to reject requests that exceed the limit.

maxPostSize

The maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing. The limit can be disabled by setting this attribute to a value less than zero. If not specified, this attribute is set to 2097152 (2 MiB). Note that the FailedRequestFilter can be used to reject requests that exceed this limit.

maxSavePostSize

The maximum size in bytes of the request body which will be saved/buffered by the container during FORM or CLIENT-CERT authentication or during HTTP/1.1 upgrade. For both types of authentication, the request body will be saved/buffered before the user is authenticated. For CLIENT-CERT authentication, the request body is buffered for the duration of the SSL handshake and the buffer emptied when the request is processed. For FORM authentication the POST is saved whilst the user is re-directed to the login form and is retained until the user successfully authenticates or the session associated with the authentication request expires. For HTTP/1.1 upgrade, the request body is buffered for the duration of the upgrade process. The limit can be disabled by setting this attribute to -1. Setting the attribute to zero will disable the saving of the request body data during authentication and HTTP/1.1 upgrade. If not specified, this attribute is set to 4096 (4 kilobytes).

parseBodyMethods

A comma-separated list of HTTP methods for which request bodies using application/x-www-form-urlencoded will be parsed for request parameters identically to POST. This is useful in RESTful applications that want to support POST-style semantics for PUT requests. Note that any setting other than POST causes Tomcat to behave in a way that goes against the intent of the servlet specification. The HTTP method TRACE is specifically forbidden here in accordance with the HTTP specification. The default is POST

port

The TCP port number on which this Connector will create a server socket and await incoming connections. Your operating system will allow only one server application to listen to a particular port number on a particular IP address. If the special value of 0 (zero) is used, then Tomcat will select a free port at random to use for this connector. This is typically only useful in embedded and testing applications.

protocol

Sets the protocol to handle incoming traffic. The default value is HTTP/1.1 which uses an auto-switching mechanism to select either a Java NIO based connector or an APR/native based connector. If the PATH (Windows) or LD_LIBRARY_PATH (on most unix systems) environment variables contain the Tomcat native library, and the AprLifecycleListener that is used to initialize APR has its useAprConnector attribute set to true, the APR/native connector will be used. If the native library cannot be found or the attribute is not configured, the Java NIO based connector will be used. Note that the APR/native connector has different settings for HTTPS than the Java connectors.
To use an explicit protocol rather than rely on the auto-switching mechanism described above, the following values may be used:
org.apache.coyote.http11.Http11NioProtocol - non blocking Java NIO connector
org.apache.coyote.http11.Http11Nio2Protocol - non blocking Java NIO2 connector
org.apache.coyote.http11.Http11AprProtocol - the APR/native connector.
Custom implementations may also be used.
Take a look at our Connector Comparison chart. The configuration for both Java connectors is identical, for http and https.
For more information on the APR connector and APR specific SSL settings please visit the APR documentation

proxyName

If this Connector is being used in a proxy configuration, configure this attribute to specify the server name to be returned for calls to request.getServerName(). See Proxy Support for more information.

proxyPort

If this Connector is being used in a proxy configuration, configure this attribute to specify the server port to be returned for calls to request.getServerPort(). See Proxy Support for more information.

redirectPort

If this Connector is supporting non-SSL requests, and a request is received for which a matching <security-constraint> requires SSL transport, Catalina will automatically redirect the request to the port number specified here.

scheme

Set this attribute to the name of the protocol you wish to have returned by calls to request.getScheme(). For example, you would set this attribute to "https" for an SSL Connector. The default value is "http".

secure

Set this attribute to true if you wish to have calls to request.isSecure() to return true for requests received by this Connector. You would want this on an SSL Connector or a non SSL connector that is receiving data from a SSL accelerator, like a crypto card, an SSL appliance or even a webserver. The default value is false.

URIEncoding

This specifies the character encoding used to decode the URI bytes, after %xx decoding the URL. The default value is UTF-8.

useBodyEncodingForURI

This specifies if the encoding specified in contentType should be used for URI query parameters, instead of using the URIEncoding. This setting is present for compatibility with Tomcat 4.1.x, where the encoding specified in the contentType, or explicitly set using Request.setCharacterEncoding method was also used for the parameters from the URL. The default value is false.

Notes: 1) This setting is applied only to the query string of a request. Unlike URIEncoding it does not affect the path portion of a request URI. 2) If request character encoding is not known (is not provided by a browser and is not set by SetCharacterEncodingFilter or a similar filter using Request.setCharacterEncoding method), the default encoding is always "ISO-8859-1". The URIEncoding setting has no effect on this default.

useIPVHosts

Set this attribute to true to cause Tomcat to use the IP address that the request was received on to determine the Host to send the request to. The default value is false.

xpoweredBy

Set this attribute to true to cause Tomcat to advertise support for the Servlet specification using the header recommended in the specification. The default value is false.

Standard Implementation

The standard HTTP connectors (NIO, NIO2 and APR/native) all support the following attributes in addition to the common Connector attributes listed above.

Attribute Description
acceptCount

The maximum length of the operating system provided queue for incoming connection requests when maxConnections has been reached. The operating system may ignore this setting and use a different size for the queue. When this queue is full, the operating system may actively refuse additional connections or those connections may time out. The default value is 100.

acceptorThreadPriority

The priority of the acceptor thread. The thread used to accept new connections. The default value is 5 (the value of the java.lang.Thread.NORM_PRIORITY constant). See the JavaDoc for the java.lang.Thread class for more details on what this priority means.

address

For servers with more than one IP address, this attribute specifies which address will be used for listening on the specified port. By default, the connector will listen all local addresses. Unless the JVM is configured otherwise using system properties, the Java based connectors (NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured with either 0.0.0.0 or ::. The APR/native connector will only listen on IPv4 addresses if configured with 0.0.0.0 and will listen on IPv6 addresses (and optionally IPv4 addresses depending on the setting of ipv6v6only) if configured with ::.

allowHostHeaderMismatch

By default Tomcat will reject requests that specify a host in the request line but specify a different host in the host header. This check can be disabled by setting this attribute to true. If not specified, the default is false.
This setting will be removed in Tomcat 11 onwards where it will be hard-coded to false.

allowedTrailerHeaders

By default Tomcat will ignore all trailer headers when processing chunked input. For a header to be processed, it must be added to this comma-separated list of header names.

bindOnInit

Controls when the socket used by the connector is bound. If set to true it is bound when the connector is initiated and unbound when the connector is destroyed. If set to false, the socket will be bound when the connector is started and unbound when it is stopped. If not specified, the default is true.

clientCertProvider

When client certificate information is presented in a form other than instances of java.security.cert.X509Certificate it needs to be converted before it can be used and this property controls which JSSE provider is used to perform the conversion. For example it is used with the AJP connectors, the HTTP APR connector and with the org.apache.catalina.valves.SSLValve. If not specified, the default provider will be used.

compressibleMimeType

The value is a comma separated list of MIME types for which HTTP compression may be used. The default value is text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/xml . If you specify a type explicitly, the default is over-ridden.

compression

The Connector may use HTTP/1.1 GZIP compression in an attempt to save server bandwidth. The acceptable values for the parameter is "off" (disable compression), "on" (allow compression, which causes text data to be compressed), "force" (forces compression in all cases), or a numerical integer value (which is equivalent to "on", but specifies the minimum amount of data before the output is compressed). If the content-length is not known and compression is set to "on" or more aggressive, the output will also be compressed. If not specified, this attribute is set to "off".

Note: There is a tradeoff between using compression (saving your bandwidth) and using the sendfile feature (saving your CPU cycles). If the connector supports the sendfile feature, e.g. the NIO connector, using sendfile will take precedence over compression. The symptoms will be that static files greater that 48 KiB will be sent uncompressed. You can turn off sendfile by setting useSendfile attribute of the connector, as documented below, or change the sendfile usage threshold in the configuration of the DefaultServlet in the default conf/web.xml or in the web.xml of your web application.

compressionMinSize

If compression is set to "on" then this attribute may be used to specify the minimum amount of data before the output is compressed. If not specified, this attribute is defaults to "2048". Units are in bytes.

connectionLinger

The number of seconds during which the sockets used by this Connector will linger when they are closed. The default value is -1 which disables socket linger.

connectionTimeout

The number of milliseconds this Connector will wait, after accepting a connection, for the request URI line to be presented. Use a value of -1 to indicate no (i.e. infinite) timeout. The default value is 60000 (i.e. 60 seconds) but note that the standard server.xml that ships with Tomcat sets this to 20000 (i.e. 20 seconds). Unless disableUploadTimeout is set to false, this timeout will also be used when reading the request body (if any).

connectionUploadTimeout

Specifies the timeout, in milliseconds, to use while a data upload is in progress. This only takes effect if disableUploadTimeout is set to false.

continueResponseTiming

When to respond with a 100 intermediate response code to a request containing an Expect: 100-continue header. The following values may used:

  • immediately - an intermediate 100 status response will be returned as soon as practical
  • onRead - an intermediate 100 status response will be returned only when the Servlet reads the request body, allowing the servlet to inspect the headers and possibly respond before the user agent sends a possibly large request body.

defaultSSLHostConfigName

The name of the default SSLHostConfig that will be used for secure connections (if this connector is configured for secure connections) if the client connection does not provide SNI or if the SNI is provided but does not match any configured SSLHostConfig. If not specified the default value of _default_ will be used. Provided values are always converted to lower case.

disableUploadTimeout

This flag allows the servlet container to use a different, usually longer connection timeout during data upload. If not specified, this attribute is set to true which disables this longer timeout.

executor

A reference to the name in an Executor element. If this attribute is set, and the named executor exists, the connector will use the executor, and all the other thread attributes will be ignored. Note that if a shared executor is not specified for a connector then the connector will use a private, internal executor to provide the thread pool.

executorTerminationTimeoutMillis

The time that the private internal executor will wait for request processing threads to terminate before continuing with the process of stopping the connector. If not set, the default is 5000 (5 seconds).

keepAliveTimeout

The number of milliseconds this Connector will wait for another HTTP request before closing the connection. The default value is to use the value that has been set for the connectionTimeout attribute. Use a value of -1 to indicate no (i.e. infinite) timeout.

maxConnections

The maximum number of connections that the server will accept and process at any given time. When this number has been reached, the server will accept, but not process, one further connection. This additional connection be blocked until the number of connections being processed falls below maxConnections at which point the server will start accepting and processing new connections again. Note that once the limit has been reached, the operating system may still accept connections based on the acceptCount setting. The default value is 8192.

For NIO/NIO2 only, setting the value to -1, will disable the maxConnections feature and connections will not be counted.

maxExtensionSize

Limits the total length of chunk extensions in chunked HTTP requests. If the value is -1, no limit will be imposed. If not specified, the default value of 8192 will be used.

maxHeaderCount

The maximum number of headers in a request that are allowed by the container. A request that contains more headers than the specified limit will be rejected. A value of less than 0 means no limit. If not specified, a default of 100 is used.

maxHttpHeaderSize

Provides the default value for maxHttpRequestHeaderSize and maxHttpResponseHeaderSize. If not specified, this attribute is set to 8192 (8 KiB).

maxHttpRequestHeaderSize

The maximum permitted size of the request line and headers associated with an HTTP request, specified in bytes. This is compared to the number of bytes received so includes line terminators and whitespace as well as the request line, header names and header values. If not specified, this attribute is set to the value of the maxHttpHeaderSize attribute.

If you see "Request header is too large" errors you can increase this, but be aware that Tomcat will allocate the full amount you specify for every request. For example, if you specify a maxHttpRequestHeaderSize of 1 MB and your application handles 100 concurrent requests, you will see 100 MB of heap consumed by request headers.

maxHttpResponseHeaderSize

The maximum permitted size of the response line and headers associated with an HTTP response, specified in bytes. This is compared to the number of bytes written so includes line terminators and whitespace as well as the status line, header names and header values. If not specified, this attribute is set to the value of the maxHttpHeaderSize attribute.

maxKeepAliveRequests

The maximum number of HTTP requests which can be pipelined until the connection is closed by the server. Setting this attribute to 1 will disable HTTP/1.0 keep-alive, as well as HTTP/1.1 keep-alive and pipelining. Setting this to -1 will allow an unlimited amount of pipelined or keep-alive HTTP requests. If not specified, this attribute is set to 100.

maxQueueSize

(int) The maximum number of runnable tasks that can queue up awaiting execution before they are rejected. The default value is Integer.MAX_VALUE

maxSwallowSize

The maximum number of request body bytes (excluding transfer encoding overhead) that will be swallowed by Tomcat for an aborted upload. An aborted upload is when Tomcat knows that the request body is going to be ignored but the client still sends it. If Tomcat does not swallow the body the client is unlikely to see the response. If not specified the default of 2097152 (2 MiB) will be used. A value of less than zero indicates that no limit should be enforced.

maxThreads

The maximum number of request processing threads to be created by this Connector, which therefore determines the maximum number of simultaneous requests that can be handled. If not specified, this attribute is set to 200. If an executor is associated with this connector, this attribute is ignored as the connector will execute tasks using the executor rather than an internal thread pool. Note that if an executor is configured any value set for this attribute will be recorded correctly but it will be reported (e.g. via JMX) as -1 to make clear that it is not used.

maxTrailerSize

Limits the total length of trailing headers in the last chunk of a chunked HTTP request. If the value is -1, no limit will be imposed. If not specified, the default value of 8192 will be used.

minSpareThreads

The minimum number of threads always kept running. This includes both active and idle threads. If not specified, the default of 10 is used. If an executor is associated with this connector, this attribute is ignored as the connector will execute tasks using the executor rather than an internal thread pool. Note that if an executor is configured any value set for this attribute will be recorded correctly but it will be reported (e.g. via JMX) as -1 to make clear that it is not used.

noCompressionStrongETag

This flag configures whether resources with a strong ETag will be considered for compression. If true, resources with a strong ETag will not be compressed. The default value is true.

This attribute is deprecated. It will be removed in Tomcat 10 onwards where it will be hard-coded to true.

noCompressionUserAgents

The value is a regular expression (using java.util.regex) matching the user-agent header of HTTP clients for which compression should not be used, because these clients, although they do advertise support for the feature, have a broken implementation. The default value is an empty String (regexp matching disabled).

processorCache

The protocol handler caches Processor objects to speed up performance. This setting dictates how many of these objects get cached. -1 means unlimited, default is 200. 0 means no request processor reuse. This has a very significant impact on performance and garbage collection depending on the workload, but provides additional security guarantees by avoiding reuse of all request processing objects. If not using Servlet 3.0 asynchronous processing, an appropriate value is to use the same as the maxThreads setting. If using Servlet 3.0 asynchronous processing, an appropriate value is to use the larger of maxThreads and the maximum number of expected concurrent requests (synchronous and asynchronous).

rejectIllegalHeader

If an HTTP request is received that contains an illegal header name or value (e.g. the header name is not a token) this setting determines if the request will be rejected with a 400 response (true) or if the illegal header be ignored (false). The default value is true which will cause the request to be rejected.
This setting will be removed in Tomcat 11 onwards where it will be hard-coded to true.

rejectIllegalHeaderName

This attribute is deprecated. It will be removed in Tomcat 10 onwards. It is now an alias for rejectIllegalHeader.

relaxedPathChars

The HTTP/1.1 specification requires that certain characters are %nn encoded when used in URI paths. Unfortunately, many user agents including all the major browsers are not compliant with this specification and use these characters in unencoded form. To prevent Tomcat rejecting such requests, this attribute may be used to specify the additional characters to allow. If not specified, no additional characters will be allowed. The value may be any combination of the following characters: " < > [ \ ] ^ ` { | } . Any other characters present in the value will be ignored.

relaxedQueryChars

The HTTP/1.1 specification requires that certain characters are %nn encoded when used in URI query strings. Unfortunately, many user agents including all the major browsers are not compliant with this specification and use these characters in unencoded form. To prevent Tomcat rejecting such requests, this attribute may be used to specify the additional characters to allow. If not specified, no additional characters will be allowed. The value may be any combination of the following characters: " < > [ \ ] ^ ` { | } . Any other characters present in the value will be ignored.

restrictedUserAgents

The value is a regular expression (using java.util.regex) matching the user-agent header of HTTP clients for which HTTP/1.1 or HTTP/1.0 keep alive should not be used, even if the clients advertise support for these features. The default value is an empty String (regexp matching disabled).

server

Overrides the Server header for the http response. If set, the value for this attribute overrides any Server header set by a web application. If not set, any value specified by the application is used. If the application does not specify a value then no Server header is set.

serverRemoveAppProvidedValues

If true, any Server header set by a web application will be removed. Note that if server is set, this attribute is effectively ignored. If not set, the default value of false will be used.

SSLEnabled

Use this attribute to enable SSL traffic on a connector. To turn on SSL handshake/encryption/decryption on a connector set this value to true. The default value is false. When turning this value true you will want to set the scheme and the secure attributes as well to pass the correct request.getScheme() and request.isSecure() values to the servlets See SSL Support for more information.

tcpNoDelay

If set to true, the TCP_NO_DELAY option will be set on the server socket, which improves performance under most circumstances. This is set to true by default.

threadPriority

The priority of the request processing threads within the JVM. The default value is 5 (the value of the java.lang.Thread.NORM_PRIORITY constant). See the JavaDoc for the java.lang.Thread class for more details on what this priority means. If an executor is associated with this connector, this attribute is ignored as the connector will execute tasks using the executor rather than an internal thread pool. Note that if an executor is configured any value set for this attribute will be recorded correctly but it will be reported (e.g. via JMX) as -1 to make clear that it is not used.

threadsMaxIdleTime

The amount of time in milliseconds that threads will be kept alive by the thread pool, if there are more than minSpareThreads threads in the executor. If not specified, the default of 60000 milliseconds is used. If an executor is associated with this connector, this attribute is ignored as the connector will execute tasks using the executor rather than an internal thread pool. Note that if an executor is configured any value set for this attribute will be recorded correctly but it will be reported (e.g. via JMX) as -1 to make clear that it is not used.

throwOnFailure

If the Connector experiences an Exception during a Lifecycle transition should the Exception be rethrown or logged? If not specified, the default of false will be used. Note that the default can be changed by the org.apache.catalina.startup.EXIT_ON_INIT_FAILURE system property.

useAsyncIO

(bool) Use this attribute to enable or disable usage of the asynchronous IO API. The default value is true except when using the APR connector due to low performance.

useKeepAliveResponseHeader

(bool) Use this attribute to enable or disable the addition of the Keep-Alive HTTP response header as described in this Internet-Draft. The default value is true.

useVirtualThreads

(bool) Use this attribute to enable or disable usage of virtual threads with the internal executor. If an executor is associated with this connector, this attribute is ignored. The default value is false.

Java TCP socket attributes

The NIO and NIO2 implementation support the following Java TCP socket attributes in addition to the common Connector and HTTP attributes listed above.

Attribute Description
socket.rxBufSize

(int)The socket receive buffer (SO_RCVBUF) size in bytes. JVM default used if not set.

socket.txBufSize

(int)The socket send buffer (SO_SNDBUF) size in bytes. JVM default used if not set. Care should be taken if explicitly setting this value. Very poor performance has been observed on some JVMs with values less than ~8k.

socket.tcpNoDelay

(bool)This is equivalent to standard attribute tcpNoDelay.

socket.soKeepAlive

(bool)Boolean value for the socket's keep alive setting (SO_KEEPALIVE). JVM default used if not set.

socket.ooBInline

(bool)Boolean value for the socket OOBINLINE setting. JVM default used if not set.

socket.soReuseAddress

(bool)Boolean value for the sockets reuse address option (SO_REUSEADDR). JVM default used if not set.

socket.soLingerOn

(bool)Boolean value for the sockets so linger option (SO_LINGER). A value for the standard attribute connectionLinger that is >=0 is equivalent to setting this to true. A value for the standard attribute connectionLinger that is <0 is equivalent to setting this to false. Both this attribute and soLingerTime must be set else the JVM defaults will be used for both.

socket.soLingerTime

(int)Value in seconds for the sockets so linger option (SO_LINGER). This is equivalent to standard attribute connectionLinger. Both this attribute and soLingerOn must be set else the JVM defaults will be used for both.

socket.soTimeout

This is equivalent to standard attribute connectionTimeout.

socket.performanceConnectionTime

(int)The first value for the performance settings. See Socket Performance Options. All three performance attributes must be set else the JVM defaults will be used for all three.

socket.performanceLatency

(int)The second value for the performance settings. See Socket Performance Options. All three performance attributes must be set else the JVM defaults will be used for all three.

socket.performanceBandwidth

(int)The third value for the performance settings. See Socket Performance Options. All three performance attributes must be set else the JVM defaults will be used for all three.

socket.unlockTimeout

(int) The timeout for a socket unlock. When a connector is stopped, it will try to release the acceptor thread by opening a connector to itself. The default value is 250 and the value is in milliseconds. This vaoue must be positive. Negative or zero values will be ignored.

NIO specific configuration

The following attributes are specific to the NIO connector.

Attribute Description
pollerThreadPriority

(int)The priority of the poller threads. The default value is 5 (the value of the java.lang.Thread.NORM_PRIORITY constant). See the JavaDoc for the java.lang.Thread class for more details on what this priority means.

selectorTimeout

(int)The time in milliseconds to timeout on a select() for the poller. This value is important, since connection clean up is done on the same thread, so do not set this value to an extremely high one. The default value is 1000 milliseconds.

useSendfile

(bool)Use this attribute to enable or disable sendfile capability. The default value is true. Note that the use of sendfile will disable any compression that Tomcat may otherwise have performed on the response.

socket.directBuffer

(bool)Boolean value, whether to use direct ByteBuffers or java mapped ByteBuffers. If true then java.nio.ByteBuffer.allocateDirect() is used to allocate the buffers, if false then java.nio.ByteBuffer.allocate() is used. The default value is false.
When you are using direct buffers, make sure you allocate the appropriate amount of memory for the direct memory space. On Sun's JDK that would be something like -XX:MaxDirectMemorySize=256m.

socket.directSslBuffer

(bool)Boolean value, whether to use direct ByteBuffers or java mapped ByteBuffers for the SSL buffers. If true then java.nio.ByteBuffer.allocateDirect() is used to allocate the buffers, if false then java.nio.ByteBuffer.allocate() is used. The default value is false.
When you are using direct buffers, make sure you allocate the appropriate amount of memory for the direct memory space. On Oracle's JDK that would be something like -XX:MaxDirectMemorySize=256m.

socket.appReadBufSize

(int)Each connection that is opened up in Tomcat get associated with a read ByteBuffer. This attribute controls the size of this buffer. By default this read buffer is sized at 8192 bytes. For lower concurrency, you can increase this to buffer more data. For an extreme amount of keep alive connections, decrease this number or increase your heap size.

socket.appWriteBufSize

(int)Each connection that is opened up in Tomcat get associated with a write ByteBuffer. This attribute controls the size of this buffer. By default this write buffer is sized at 8192 bytes. For low concurrency you can increase this to buffer more response data. For an extreme amount of keep alive connections, decrease this number or increase your heap size.
The default value here is pretty low, you should up it if you are not dealing with tens of thousands concurrent connections.

socket.bufferPool

(int)The NIO connector uses a class called NioChannel that holds elements linked to a socket. To reduce garbage collection, the NIO connector caches these channel objects. This value specifies the size of this cache. The default value is 500, and represents that the cache will hold 500 NioChannel objects. Other values are -1 for unlimited cache and 0 for no cache.

socket.bufferPoolSize

(int)The NioChannel pool can also be size based, not used object based. The size is calculated as follows:
NioChannel buffer size = read buffer size + write buffer size
SecureNioChannel buffer size = application read buffer size + application write buffer size + network read buffer size + network write buffer size
The value is in bytes, the default value is 1024*1024*100 (100MB).

socket.processorCache

(int)Tomcat will cache SocketProcessor objects to reduce garbage collection. The integer value specifies how many objects to keep in the cache at most. The default is 500. Other values are -1 for unlimited cache and 0 for no cache.

socket.keyCache

(int)Tomcat will cache KeyAttachment objects to reduce garbage collection. The integer value specifies how many objects to keep in the cache at most. The default is 500. Other values are -1 for unlimited cache and 0 for no cache.

socket.eventCache

(int)Tomcat will cache PollerEvent objects to reduce garbage collection. The integer value specifies how many objects to keep in the cache at most. The default is 500. Other values are -1 for unlimited cache and 0 for no cache.

unixDomainSocketPath

Where supported, the path to a Unix Domain Socket that this Connector will create and await incoming connections. When this is specified, the otherwise mandatory port attribute may be omitted.

unixDomainSocketPathPermissions

Where supported, the posix permissions that will be applied to the to the Unix Domain Socket specified with unixDomainSocketPath above. The permissions are specified as a string of nine characters, in three sets of three: (r)ead, (w)rite and e(x)ecute for owner, group and others respectively. If a permission is not granted, a hyphen is used. If unspecified, the permissions default to rw-rw-rw-.

useInheritedChannel

(bool)Defines if this connector should inherit an inetd/systemd network socket. Only one connector can inherit a network socket. This can option can be used to automatically start Tomcat once a connection request is made to the systemd super daemon's port. The default value is false. See the JavaDoc for the java.nio.channels.spi.SelectorProvider class for more details.

NIO2 specific configuration

The following attributes are specific to the NIO2 connector.

Attribute Description
useSendfile

(bool)Use this attribute to enable or disable sendfile capability. The default value is true. Note that the use of sendfile will disable any compression that Tomcat may otherwise have performed on the response.

socket.directBuffer

(bool)Boolean value, whether to use direct ByteBuffers or java mapped ByteBuffers. If true then java.nio.ByteBuffer.allocateDirect() is used to allocate the buffers, if false then java.nio.ByteBuffer.allocate() is used. The default value is false.
When you are using direct buffers, make sure you allocate the appropriate amount of memory for the direct memory space. On Sun's JDK that would be something like -XX:MaxDirectMemorySize=256m.

socket.directSslBuffer

(bool)Boolean value, whether to use direct ByteBuffers or java mapped ByteBuffers for the SSL buffers. If true then java.nio.ByteBuffer.allocateDirect() is used to allocate the buffers, if false then java.nio.ByteBuffer.allocate() is used. The default value is false.
When you are using direct buffers, make sure you allocate the appropriate amount of memory for the direct memory space. On Oracle's JDK that would be something like -XX:MaxDirectMemorySize=256m.

socket.appReadBufSize

(int)Each connection that is opened up in Tomcat get associated with a read ByteBuffer. This attribute controls the size of this buffer. By default this read buffer is sized at 8192 bytes. For lower concurrency, you can increase this to buffer more data. For an extreme amount of keep alive connections, decrease this number or increase your heap size.

socket.appWriteBufSize

(int)Each connection that is opened up in Tomcat get associated with a write ByteBuffer. This attribute controls the size of this buffer. By default this write buffer is sized at 8192 bytes. For low concurrency you can increase this to buffer more response data. For an extreme amount of keep alive connections, decrease this number or increase your heap size.
The default value here is pretty low, you should up it if you are not dealing with tens of thousands concurrent connections.

socket.bufferPool

(int)The NIO2 connector uses a class called Nio2Channel that holds elements linked to a socket. To reduce garbage collection, the NIO2 connector caches these channel objects. This value specifies the size of this cache. The default value is 500, and represents that the cache will hold 500 Nio2Channel objects. Other values are -1 for unlimited cache and 0 for no cache.

socket.processorCache

(int)Tomcat will cache SocketProcessor objects to reduce garbage collection. The integer value specifies how many objects to keep in the cache at most. The default is 500. Other values are -1 for unlimited cache and 0 for no cache.

APR/native specific configuration

The following attributes are specific to the APR/native connector.

Attribute Description
deferAccept

Sets the TCP_DEFER_ACCEPT flag on the listening socket for this connector. The default value is true where TCP_DEFER_ACCEPT is supported by the operating system, otherwise it is false.

ipv6v6only

If listening on an IPv6 address on a dual stack system, should the connector only listen on the IPv6 address? If not specified the default is false and the connector will listen on the IPv6 address and the equivalent IPv4 address if present.

pollerThreadCount

Number of threads used to poll kept alive connections. On Windows the default is chosen so that the sockets managed by each thread is less than 1024. For Linux the default is 1. Changing the default on Windows is likely to have a negative performance impact.

pollTime

Duration of a poll call in microseconds. Lowering this value will slightly decrease latency of connections being kept alive in some cases, but will use more CPU as more poll calls are being made. The default value is 2000 (2ms).

sendfileSize

Amount of sockets that the poller responsible for sending static files asynchronously can hold at a given time. Extra connections will be closed right away without any data being sent (resulting in a zero length file on the client side). Note that in most cases, sendfile is a call that will return right away (being taken care of "synchronously" by the kernel), and the sendfile poller will not be used, so the amount of static files which can be sent concurrently is much larger than the specified amount. The default value is 1024.

threadPriority

(int)The priority of the acceptor and poller threads. The default value is 5 (the value of the java.lang.Thread.NORM_PRIORITY constant). See the JavaDoc for the java.lang.Thread class for more details on what this priority means.

useSendfile

(bool)Use this attribute to enable or disable sendfile capability. The default value is true. Note that the use of sendfile will disable any compression that Tomcat may otherwise have performed on the response.

Nested Components

First implemented in Tomcat 9 and back-ported to 8.5, Tomcat now supports Server Name Indication (SNI). This allows multiple SSL configurations to be associated with a single secure connector with the configuration used for any given connection determined by the host name requested by the client. To facilitate this, the SSLHostConfig element was added which can be used to define one of these configurations. Any number of SSLHostConfig may be nested in a Connector. At the same time, support was added for multiple certificates to be associated with a single SSLHostConfig. Each SSL certificate is therefore configured in a Certificate element with in an SSLHostConfig. For further information, see the SSL Support section below.

When OpenSSL is providing the TLS implementation, one or more OpenSSLConfCmd elements may be nested inside a OpenSSLConf element to configure OpenSSL via OpenSSL's SSL_CONF API. A single OpenSSLConf element may be nested in a SSLHostConfig element. For further information, see the SSL Support section below

Special Features

HTTP/1.1 and HTTP/1.0 Support

This Connector supports all of the required features of the HTTP/1.1 protocol, as described in RFCs 7230-7235, including persistent connections, pipelining, expectations and chunked encoding. If the client supports only HTTP/1.0 or HTTP/0.9, the Connector will gracefully fall back to supporting this protocol as well. No special configuration is required to enable this support. The Connector also supports HTTP/1.0 keep-alive.

RFC 7230 requires that HTTP servers always begin their responses with the highest HTTP version that they claim to support. Therefore, this Connector will always return HTTP/1.1 at the beginning of its responses.

HTTP/2 Support

HTTP/2 support is provided for TLS (h2), non-TLS via HTTP upgrade (h2c) and direct HTTP/2 (h2c) connections. To enable HTTP/2 support for an HTTP connector the following UpgradeProtocol element must be nested within the Connector with a className attribute of org.apache.coyote.http2.Http2Protocol.

<Connector ... >
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>

Because Java 8's TLS implementation does not support ALPN (which is required for HTTP/2 over TLS), you must be using an OpenSSL based TLS implementation to enable HTTP/2 support. See the sslImplementationName attribute of the Connector.

Additional configuration attributes are available. See the HTTP/2 Upgrade Protocol documentation for details.

Proxy Support

The proxyName and proxyPort attributes can be used when Tomcat is run behind a proxy server. These attributes modify the values returned to web applications that call the request.getServerName() and request.getServerPort() methods, which are often used to construct absolute URLs for redirects. Without configuring these attributes, the values returned would reflect the server name and port on which the connection from the proxy server was received, rather than the server name and port to whom the client directed the original request.

For more information, see the Proxy Support How-To.

Unix Domain Socket Support

When the unixDomainSocketPath attribute is used, connectors that support Unix Domain Sockets will bind to the socket at the given path.

For users of Java 16 and higher, support is provided within the NIO connectors. For users of Java earlier than 16, support is provided by the org.apache.coyote.http11.Http11AprProtocol connector when used with the Apache Tomcat Native library v1.2.26 and up, along with Apache Portable Runtime v1.6 and higher.

The socket path is created with read and write permissions for all users. To protect this socket, place it in a directory with suitable permissions appropriately configured to restrict access as required. Alternatively, on platforms that support posix permissions, the permissions on the socket can be set directly with the unixDomainSocketPathPermissions option.

Tomcat will automatically remove the socket on server shutdown. If the socket already exists startup will fail. Care must be taken by the administrator to remove the socket after verifying that the socket isn't already being used by an existing Tomcat process.

The Unix Domain Socket can be accessed using the --unix-socket option of the curl command line client, and the Unix Domain Socket support in Apache HTTP server's mod_proxy module.

SSL Support

You can enable SSL support for a particular instance of this Connector by setting the SSLEnabled attribute to true.

You will also need to set the scheme and secure attributes to the values https and true respectively, to pass correct information to the servlets.

The NIO and NIO2 connectors use either the JSSE Java SSL implementation or an OpenSSL implementation, whereas the APR/native connector uses OpenSSL only. Prior to Tomcat 8.5, different configuration attributes were used for JSSE and OpenSSL. From Tomcat 8.5 onwards, and as far as possible, common configuration attributes are used for both JSSE and OpenSSL. Also if using the JSSE OpenSSL implementation, configuration can be set using either the JSSE or APR attributes (note: but not both types within the same configuration). This is to aid simpler switching between connector implementations for SSL connectors.

Each secure connector must define at least one SSLHostConfig. The names of the SSLHostConfig elements must be unique and one of them must match the defaultSSLHostConfigName attribute of the Connector.

Each SSLHostConfig must in turn define at least one Certificate. The types of the Certificates must be unique.

As of Tomcat 8.5, the majority of the SSL configuration attributes in the Connector are deprecated. If specified, they will be used to configure a SSLHostConfig and Certificate for the defaultSSLHostConfigName. Note that if an explicit SSLHostConfig element also exists for the defaultSSLHostConfigName then that will be treated as a configuration error. It is expected that Tomcat 10 will drop support for the SSL configuration attributes in the Connector.

In addition to the standard TLS related request attributes defined in section 3.10 of the Servlet specification, Tomcat supports a number of additional TLS related attributes. The full list may be found in the SSLSupport Javadoc.

For more information, see the SSL Configuration How-To.

SSL Support - SSLHostConfig

Attribute Description
certificateRevocationListFile

Name of the file that contains the concatenated certificate revocation lists for the certificate authorities. The format is PEM-encoded. If not defined, client certificates will not be checked against a certificate revocation list (unless an OpenSSL based connector is used and certificateRevocationListPath is defined). Relative paths will be resolved against $CATALINA_BASE. JSSE based connectors may also specify a URL for this attribute.

certificateRevocationListPath

OpenSSL only.

Name of the directory that contains the certificate revocation lists for the certificate authorities. The format is PEM-encoded. Relative paths will be resolved against $CATALINA_BASE.

certificateVerification

Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. If optionalNoCA is configured then OCSP will also be disabled. none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

certificateVerificationDepth

The maximum number of intermediate certificates that will be allowed when validating client certificates. If not specified, the default value of 10 will be used.

caCertificateFile

OpenSSL only.

Name of the file that contains the concatenated certificates for the trusted certificate authorities. The format is PEM-encoded.

caCertificatePath

OpenSSL only.

Name of the directory that contains the certificates for the trusted certificate authorities. The format is PEM-encoded.

ciphers

The ciphers to enable using the OpenSSL syntax. (See the OpenSSL documentation for the list of ciphers supported and the syntax). Alternatively, a comma separated list of ciphers using the standard OpenSSL cipher names or the standard JSSE cipher names may be used.

Different versions of OpenSSL may interpret the same cipher string differently. For example, the CCM8 ciphers were moved from HIGH to MEDIUM in OpenSSL 3.2. Regardless of the OpenSSL or JSSE version used, Tomcat converts the provided cipher value to a list of ciphers in a manner consistent with the latest OpenSSL development branch. This list of ciphers is then passed to the SSL implementation.

Only the ciphers that are supported by the SSL implementation will be used. Any ciphers in the list derived from a non-default cipher string that are not supported by the SSL implementation will be logged in a WARNING message when the Connector starts. The warning can be avoided by providing an explicit list of ciphers that are supported by the configured SSL implementation.

If not specified, a default (using the OpenSSL notation) of HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA will be used.

Note that, by default, the order in which ciphers are defined is treated as an order of preference. See honorCipherOrder.

disableCompression

OpenSSL only.

Configures if compression is disabled. The default is true. If the OpenSSL version used does not support disabling compression then the default for that OpenSSL version will be used.

disableSessionTickets

OpenSSL only.

Disables use of TLS session tickets (RFC 5077) if set to true. Default is false. Note that when TLS session tickets are in use, the full peer certificate chain will only be available on the first connection. Subsequent connections (that use a ticket to estrablish the TLS session) will only have the peer certificate, not the full chain.

honorCipherOrder

Set to true to enforce the server's cipher order (from the ciphers setting) instead of allowing the client to choose the cipher. The default is false.

hostName

The name of the SSL Host. This should either be the fully qualified domain name (e.g. tomcat.apache.org) or a wild card domain name (e.g. *.apache.org). If not specified, the default value of _default_ will be used. Provided values are always converted to lower case.

insecureRenegotiation

OpenSSL only.

Configures if insecure renegotiation is allowed. The default is false. If the OpenSSL version used does not support configuring if insecure renegotiation is allowed then the default for that OpenSSL version will be used.

keyManagerAlgorithm

JSSE only.

The KeyManager algorithm to be used. This defaults to KeyManagerFactory.getDefaultAlgorithm() which returns SunX509 for Sun JVMs. IBM JVMs return IbmX509. For other vendors, consult the JVM documentation for the default value.

protocols

The names of the protocols to support when communicating with clients. This should be a list of any combination of the following:

  • SSLv2Hello
  • SSLv3
  • TLSv1
  • TLSv1.1
  • TLSv1.2
  • TLSv1.3
  • all

Each token in the list can be prefixed with a plus sign ("+") or a minus sign ("-"). A plus sign adds the protocol, a minus sign removes it form the current list. The list is built starting from an empty list.

The token all is an alias for SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3.

Note that TLSv1.3 is only supported for JSSE when using a JVM that implements TLSv1.3.

Note that SSLv2Hello will be ignored for OpenSSL based secure connectors. If more than one protocol is specified for an OpenSSL based secure connector it will always support SSLv2Hello. If a single protocol is specified it will not support SSLv2Hello.

Note that SSLv2 and SSLv3 are inherently unsafe.

If not specified, the default value of all will be used.

revocationEnabled

JSSE only.

Should the JSSE provider enable certificate revocation checks? If certificateRevocationListFile is set then this attribute is ignored and revocation checks are always enabled. This attribute is intended to enable revocation checks that have been configured for the current JSSE provider via other means. If not specified, a default of false is used.

sessionCacheSize

The number of SSL sessions to maintain in the session cache. Specify -1 to use the implementation default. Values of zero and above are passed to the implementation. Zero is used to specify an unlimited cache size and is not recommended. If not specified, a default of -1 is used.

sessionTimeout

The time, in seconds, after the creation of an SSL session that it will timeout. Specify -1 to use the implementation default. Values of zero and above are passed to the implementation. Zero is used to specify an unlimited timeout and is not recommended. If not specified, a default of 86400 (24 hours) is used.

sslProtocol

JSSE only.

The SSL protocol(s) to use (a single value may enable multiple protocols - see the JVM documentation for details). If not specified, the default is TLS. The permitted values may be obtained from the JVM documentation for the allowed values for algorithm when creating an SSLContext instance e.g. Oracle Java 7. Note: There is overlap between this attribute and protocols.

trustManagerClassName

JSSE only.

The name of a custom trust manager class to use to validate client certificates. The class must have a zero argument constructor and must also implement javax.net.ssl.X509TrustManager. If this attribute is set, the trust store attributes may be ignored.

truststoreAlgorithm

JSSE only.

The algorithm to use for truststore. If not specified, the default value returned by javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm() is used.

truststoreFile

JSSE only.

The trust store file to use to validate client certificates. The default is the value of the javax.net.ssl.trustStore system property. If neither this attribute nor the default system property is set, no trust store will be configured. Relative paths will be resolved against $CATALINA_BASE. A URL may also be used for this attribute.

truststorePassword

JSSE only.

The password to access the trust store. The default is the value of the javax.net.ssl.trustStorePassword system property. If that property is null, no trust store password will be configured. If an invalid trust store password is specified, a warning will be logged and an attempt will be made to access the trust store without a password which will skip validation of the trust store contents.

truststoreProvider

JSSE only.

The name of the truststore provider to be used for the server certificate. The default is the value of the javax.net.ssl.trustStoreProvider system property. If that property is null, the value of keystoreProvider is used as the default. If neither this attribute, the default system property nor keystoreProvider is set, the list of registered providers is traversed in preference order and the first provider that supports the truststoreType is used.

truststoreType

JSSE only.

The type of key store used for the trust store. The default is the value of the javax.net.ssl.trustStoreType system property. If that property is null, a single certificate has been configured for this TLS virtual host and that certificate has a keystoreType that is not PKCS12 then the default will be the keystoreType of the single certificate. If none of these identify a default, the default will be JKS. See the notes on key store types below.

SSL Support - Certificate

Attribute Description
certificateFile

Name of the file that contains the server certificate. The format is PEM-encoded. Relative paths will be resolved against $CATALINA_BASE.

In addition to the certificate, the file can also contain as optional elements DH parameters and/or an EC curve name for ephemeral keys, as generated by openssl dhparam and openssl ecparam, respectively. The output of the respective OpenSSL command can simply be concatenated to the certificate file.

This attribute is required unless certificateKeystoreFile is specified.

certificateChainFile

Name of the file that contains the certificate chain associated with the server certificate used. The format is PEM-encoded. Relative paths will be resolved against $CATALINA_BASE.

The certificate chain used for Tomcat should not include the server certificate as its first element.

Note that when using more than one certificate for different types, they all must use the same certificate chain.

certificateKeyAlias

JSSE only.

The alias used for the server key and certificate in the keystore. If not specified, the first key read from the keystore will be used. The order in which keys are read from the keystore is implementation dependent. It may not be the case that keys are read from the keystore in the same order as they were added. If more than one key is present in the keystore it is strongly recommended that a keyAlias is configured to ensure that the correct key is used.

certificateKeyFile

Name of the file that contains the server private key. The format is PEM-encoded. The default value is the value of certificateFile and in this case both certificate and private key have to be in this file (NOT RECOMMENDED). Relative paths will be resolved against $CATALINA_BASE.

certificateKeyPassword

The password used to access the private key associated with the server certificate from the specified file.

If not specified, the default behaviour for JSSE is to use the certificateKeystorePassword. For OpenSSL the default behaviour is not to use a password, but OpenSSL will prompt for one, if required.

certificateKeyPasswordFile

The password file used to access the private key associated with the server certificate from the specified file. This attribute takes precedence over certificateKeyPassword.

If not specified, the default behaviour for JSSE is to use the certificateKeystorePasswordFile. For OpenSSL the default behaviour is not to use a password (file), but OpenSSL will prompt for one, if required.

certificateKeystoreFile

JSSE only.

The pathname of the keystore file where you have stored the server certificate and key to be loaded. By default, the pathname is the file .keystore in the operating system home directory of the user that is running Tomcat. If your keystoreType doesn't need a file use "" (empty string) or NONE for this parameter. Relative paths will be resolved against $CATALINA_BASE. A URI may also be used for this attribute. When using a domain keystore (keystoreType of DKS), this parameter should be the URI to the domain keystore.

This attribute is required unless certificateFile is specified.

certificateKeystorePassword

JSSE only.

The password to use to access the keystore containing the server's private key and certificate. If not specified, a default of changeit will be used.

certificateKeystorePasswordFile

JSSE only.

The password file to use to access the keystore containing the server's private key and certificate. This attribute takes precedence over certificateKeystorePassword.

certificateKeystoreProvider

JSSE only.

The name of the keystore provider to be used for the server certificate. If not specified, the value of the system property javax.net.ssl.keyStoreProvider is used. If neither this attribute nor the system property are set, the list of registered providers is traversed in preference order and the first provider that supports the keystoreType is used.

certificateKeystoreType

JSSE only.

The type of keystore file to be used for the server certificate. If not specified, the value of the system property javax.net.ssl.keyStoreType is used. If neither this attribute nor the system property are set, a default value of "JKS". is used. See the notes on key store types below.

type

The type of certificate. This is used to identify the ciphers that are compatible with the certificate. It must be one of UNDEFINED, RSA, DSA or EC. If only one Certificate is nested within a SSLHostConfig then this attribute is not required and will default to UNDEFINED. If multiple Certificates are nested within a SSLHostConfig then this attribute is required and each Certificate must have a unique type.

SSL Support - Connector - NIO and NIO2

When APR/native is enabled, the connectors will default to using OpenSSL through JSSE, which may be more optimized than the JSSE Java implementation depending on the processor being used, and can be complemented with many commercial accelerator components.

The following NIO and NIO2 SSL configuration attributes are not specific to a virtual host and, therefore, must be configured on the connector.

Attribute Description
sniParseLimit

In order to implement SNI support, Tomcat has to parse the first TLS message received on a new TLS connection (the client hello) to extract the requested server name. The message needs to be buffered so it can then be passed to the JSSE implementation for normal TLS processing. In theory, this first message could be very large although in practice it is typically a few hundred bytes. This attribute sets the maximum message size that Tomcat will buffer. If a message exceeds this size, the connection will be configured as if no server name was indicated by the client. If not specified a default of 65536 (64k) will be used.

sslImplementationName

The class name of the SSL implementation to use. If not specified and the tomcat-native library is not installed, the default of org.apache.tomcat.util.net.jsse.JSSEImplementation will be used which wraps JVM's default JSSE provider. Note that the JVM can be configured to use a different JSSE provider as the default. Tomcat also bundles a special SSL implementation for JSSE that is backed by OpenSSL. To enable it, the native library should be enabled as if intending to use the APR connector, and Tomcat will automatically enable it and the default value of this attribute becomes org.apache.tomcat.util.net.openssl.OpenSSLImplementation. In that case, the attributes from either JSSE and OpenSSL configuration styles can be used, as long as the two types are not mixed (for example, it is not allowed to define use of a Java keystore and specify a separate pem private key using the OpenSSL attribute).

SSL Support - OpenSSL's SSL_CONF API

When OpenSSL is providing the TLS implementation, one or more OpenSSLConfCmd elements may be nested inside a OpenSSLConf element to configure OpenSSL via OpenSSL's SSL_CONF API. A single OpenSSLConf element may be nested in a SSLHostConfig element.

The set of configuration file commands available depends on the OpenSSL version being used. For a list of supported command names and values, see the section Supported configuration file commands in the SSL_CONF_cmd(3) manual page for OpenSSL. Some of the configuration file commands can be used as alternatives to SSLHostConfig attributes. It is recommended that configuration file commands are only used where the feature cannot be configured using SSLHostConfig attributes.

The OpenSSLConf element does not support any attributes.

The OpenSSLConfCmd element supports the following attributes.

Attribute Description
name

The name of the configuration file command.

value

The value to use for the configuration file command.

Key store types

In addition to the standard key store types (JKS and PKCS12), most Java runtimes support additional key store types such as Windows-ROOT, Windows-My, DKS as well as hardware security modules. Generally, to use these additional keystore types with a TLS Connector in Tomcat:

  • Set the certificateKeystoreType and/or truststoreType Connector attribute (as appropriate) to the necessary type
  • If a configuration file is required, set the certificateKeystoreFile and/or truststoreFile Connector attribute (as appropriate) to point to the file
  • If no configuration file is required then you will almost certainly need to explicitly set the certificateKeystoreFile and/or truststoreFile Connector attribute (as appropriate) to the empty string ("")
  • If a password is required, set the certificateKeystorePassword and/or truststorePassword Connector attribute (as appropriate) to the required password
  • If no password is required then you will almost certainly need to explicitly set the certificateKeystorePassword and/or truststorePassword Connector attribute (as appropriate) to the empty string ("")

Variations in key store implementations, combined with the key store manipulation Tomcat does in the background to allow interoperability between JSSE and OpenSSL configuration styles, means that some keystores may need slightly different configuration. Assistance is always available from the Apache Tomcat users mailing list. We aim to document any key stores that vary from the above advice here. Currently there are none we are aware of.

SSL Support - Connector - NIO and NIO2 (deprecated)

The following NIO and NIO2 SSL configuration attributes have been deprecated in favor of the default SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created..

Attribute Description
algorithm

This is an alias for the keyManagerAlgorithm attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

ciphers

This is an alias for the ciphers attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

clientAuth

This is an alias for the certificateVerification attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

crlFile

This is an alias for the certificateRevocationListFile attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

keyAlias

This is an alias for the certificateKeyAlias attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.

keyPass

This is an alias for the certificateKeyPassword attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.

keystoreFile

This is an alias for the certificateKeystoreFile attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.

keystorePass

This is an alias for the certificateKeystorePassword attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.

keystoreProvider

This is an alias for the certificateKeystoreProvider attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.

keystoreType

This is an alias for the certificateKeystoreType attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.

sessionCacheSize

This is an alias for the sessionCacheSize attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

sessionTimeout

This is an alias for the sessionTimeout attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

sslEnabledProtocols

This is an alias for the protocols attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

sslProtocol

This is an alias for the sslProtocol attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

trustManagerClassName

This is an alias for the trustManagerClassName attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

trustMaxCertLength

This is an alias for the certificateVerificationDepth attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

truststoreAlgorithm

This is an alias for the truststoreAlgorithm attribute of SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

truststoreFile

This is an alias for the truststoreFile attribute of SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

truststorePass

This is an alias for the truststorePassword attribute of SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

truststoreProvider

This is an alias for the truststoreProvider attribute of SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

truststoreType

This is an alias for the truststoreType attribute of SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

useServerCipherSuitesOrder

This is an alias for the honorCipherOrder attribute of the SSLHostConfig element with hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

SSL Support - Connector - APR/Native (deprecated)

When APR/native is enabled, the HTTPS connector will use a socket poller for keep-alive, increasing scalability of the server. It also uses OpenSSL, which may be more optimized than JSSE depending on the processor being used, and can be complemented with many commercial accelerator components. Unlike the HTTP connector, the HTTPS connector cannot use sendfile to optimize static file processing.

The HTTPS APR/native connector has the same attributes than the HTTP APR/native connector, but adds OpenSSL specific ones. For the full details on using OpenSSL, please refer to OpenSSL documentations and the many books available for it (see the Official OpenSSL website). The SSL specific attributes for the APR/native connector are:

Attribute Description
SSLCACertificateFile

This is an alias for the caCertificateFile attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

SSLCACertificatePath

This is an alias for the caCertificatePath attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

SSLCARevocationFile

This is an alias for the certificateRevocationListFile attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

SSLCARevocationPath

This is an alias for the certificateRevocationListPath attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

SSLCertificateFile

This is an alias for the certificateFile attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.

SSLCertificateKeyFile

This is an alias for the certificateKeyFile attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.

SSLCipherSuite

This is an alias for the ciphers attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

SSLDisableCompression

This is an alias for the disableCompression attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

SSLHonorCipherOrder

This is an alias for the honorCipherOrder attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

SSLPassword

This is an alias for the certificateKeyPassword attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.

SSLProtocol

This is an alias for the protocols attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

SSLVerifyClient

This is an alias for the certificateVerification attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

SSLVerifyDepth

This is an alias for the certificateVerificationDepth attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

SSLDisableSessionTickets

This is an alias for the disableSessionTickets attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.

Connector Comparison

Below is a small chart that shows how the connectors differ.

Java Nio Connector
NIO
Java Nio2 Connector
NIO2
APR/native Connector
APR
Classname Http11NioProtocol Http11Nio2Protocol Http11AprProtocol
Tomcat Version since 6.0.x since 8.0.x since 5.5.x
Support Polling YES YES YES
Polling Size maxConnections maxConnections maxConnections
Read Request Headers Non Blocking Non Blocking Non Blocking
Read Request Body Blocking Blocking Blocking
Write Response Headers and Body Blocking Blocking Blocking
Wait for next Request Non Blocking Non Blocking Non Blocking
SSL Support Java SSL or OpenSSL Java SSL or OpenSSL OpenSSL
SSL Handshake Non blocking Non blocking Blocking
Max Connections maxConnections maxConnections maxConnections