Tomcat 9 brings a bunch of new features, of which HTTP/2 support and multiple certificates per virtual host via the TLS SNI extension are the most important ones. This needs Java 1.8 and the latest APR/Tomcat Native (tcnative) 1.2.x release, since the SNI support in the current Java 1.8 is not usable for this, which in turn requires OpenSSL 1.0.2g (the ALPN extension that HTTP/2 negotiation relies on only exists in OpenSSL 1.0.2 and later). Early HTTP/2 users, according to Mark Thomas, one of the main Tomcat developers, reported page speed improvements of up to 20% thanks to multiplexing, header compression and server push (server push needs the Servlet 4.0 API). By default HTTP/2 (h2) runs over TLS, as the whole internet is expected to be HTTPS-only in the near future, but there is a clear-text variant as well, called h2c.
ECDSA certificates and keys are smaller, which means faster processing on the server and less CPU usage, which in turn means lower latency at equivalent security (a 256-bit EC key is roughly comparable in strength to a 3072-bit RSA key). Client adoption is still in its early days, though, so for some time we will need to support both certificate types, ECDSA and RSA.
Nice things to have, so I set up a test Tomcat 9 server on Ubuntu 14.04.
We start by installing and setting up the prerequisites mentioned in the introduction.
Standard compile procedure: we start by installing some needed packages:
and then downloading and extracting the source:
Next we change to the source directory and create the openssl.ld file, a linker version script that gives this private build its own symbol version so that tcnative binds to it rather than to the system OpenSSL:
and finally compile and install the software:
This installs OpenSSL 1.0.2g under the /opt/openssl directory:
One-liner installation:
This adds the needed Ubuntu PPA, installs the latest Oracle 1.8 JDK and sets it as the default Java environment.
Get and unpack the latest Tomcat 9 release, alpha version v9.0.0.M4 at the time of writing, and set up the tomcat user:
We install the needed packages first:
and then download the tcnative source, extract it and build it against the openssl-1.0.2g we installed previously:
We check that tcnative is linked against the right OpenSSL version (in case you have more than one installed):
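The whole prerequisite procedure above (private OpenSSL 1.0.2g build with a symbol version script, tcnative 1.2.x built against it, and the link check) as one script. This is an added example, not the commands from the original post: the download URLs, the tcnative version, JAVA_HOME and the /opt/openssl and /usr/local/tcnative prefixes are assumptions, and so is passing the version script through OpenSSL's ./config; adjust them to your system. The build functions need network access and are only run when the script is invoked with the argument build; the two pure functions can be exercised on their own.

```shell
#!/bin/sh
# Added example (not the post's own commands). Builds a private OpenSSL 1.0.2g
# under /opt/openssl with versioned symbols, builds tcnative 1.2.x against it
# and verifies that the resulting libtcnative-1.so really links to that copy.
# Assumed: versions, URLs, JAVA_HOME and prefixes below.
set -eu

OPENSSL_VER=1.0.2g
OPENSSL_PREFIX=/opt/openssl
TCNATIVE_VER=1.2.7                       # assumption: use the current 1.2.x release
TCNATIVE_PREFIX=/usr/local/tcnative
JAVA_HOME=${JAVA_HOME:-/usr/lib/jvm/java-8-oracle}   # assumption: Oracle JDK 8 PPA path

# Linker version script: every exported symbol of our private libssl/libcrypto
# gets the tag OPENSSL_1_0_2g, so tcnative binds to /opt/openssl even when the
# distro's OpenSSL (loaded by other JVM libraries) is present in the same process.
openssl_ld_script() {
    printf 'OPENSSL_%s {\n    global:\n        *;\n};\n' "$(echo "$OPENSSL_VER" | tr . _)"
}

build_openssl() {
    cd /usr/local/src
    wget -q "https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz"
    tar xzf "openssl-$OPENSSL_VER.tar.gz"
    cd "openssl-$OPENSSL_VER"
    openssl_ld_script > openssl.ld
    # Assumption: ./config forwards the -Wl flags to the shared-library link step.
    ./config --prefix="$OPENSSL_PREFIX" --openssldir="$OPENSSL_PREFIX" \
        -Wl,--version-script=openssl.ld -Wl,-Bsymbolic-functions -fPIC shared
    make depend && make && make install
}

build_tcnative() {
    cd /usr/local/src
    wget -q "https://archive.apache.org/dist/tomcat/tomcat-connectors/native/$TCNATIVE_VER/source/tomcat-native-$TCNATIVE_VER-src.tar.gz"
    tar xzf "tomcat-native-$TCNATIVE_VER-src.tar.gz"
    cd "tomcat-native-$TCNATIVE_VER-src/native"
    ./configure --with-apr=/usr/bin/apr-1-config --with-java-home="$JAVA_HOME" \
        --with-ssl="$OPENSSL_PREFIX" --prefix="$TCNATIVE_PREFIX"
    make && make install
}

# Reads `ldd libtcnative-1.so` output on stdin and succeeds only if both libssl
# and libcrypto resolve under the private prefix ($1, default $OPENSSL_PREFIX).
check_tcnative_link() {
    prefix=${1:-$OPENSSL_PREFIX}
    n=$(grep -E 'lib(ssl|crypto)\.so' | grep -c "$prefix/lib/") || true
    [ "$n" -eq 2 ]
}

case "${1:-}" in
  build)
    build_openssl
    build_tcnative
    if ldd "$TCNATIVE_PREFIX/lib/libtcnative-1.so" | check_tcnative_link; then
        echo "tcnative is linked against $OPENSSL_PREFIX"
    else
        echo "tcnative picked up another OpenSSL, check LD_LIBRARY_PATH and --with-ssl" >&2
        exit 1
    fi
    ;;
esac
```

After a successful build, put $TCNATIVE_PREFIX/lib on java.library.path (for example via LD_LIBRARY_PATH in Tomcat's setenv.sh) so the AprLifecycleListener can load it; if check_tcnative_link fails, Tomcat will still start, but with the system OpenSSL 1.0.1 and therefore without ALPN and h2.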
Config and SSL setup
I wanted to test the ECDSA certificate type and the multi-certificate support in Tomcat 9. First create the ECC certificate and install it where Tomcat can find it:
Then create a standard RSA one too:
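The two certificate steps above as one script, added here as an example rather than taken from the original post. It creates a self-signed P-256 ECDSA pair and a self-signed 2048-bit RSA pair for the same host name, which is what the multi-certificate setup needs; the host name, the /etc/tomcat9/ssl directory and the use of the /opt/openssl binary are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own commands): self-signed ECDSA and RSA
# certificates for one host, plus a helper that reports which key algorithm a
# certificate carries. Assumed: paths, host name and the /opt/openssl build.
set -eu

OPENSSL=${OPENSSL:-/opt/openssl/bin/openssl}
[ -x "$OPENSSL" ] || OPENSSL=openssl        # fall back to the system binary
CERT_DIR=${CERT_DIR:-/etc/tomcat9/ssl}
HOST=${HOST:-tomcat9.example.test}          # assumption: your server's name
DAYS=365

# ECDSA key on the NIST P-256 curve (prime256v1) and a self-signed cert for it.
make_ecdsa_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    "$OPENSSL" ecparam -name prime256v1 -genkey -noout -out "$dir/ecc.key"
    "$OPENSSL" req -new -x509 -sha256 -days "$DAYS" -key "$dir/ecc.key" \
        -subj "/CN=$host" -out "$dir/ecc.crt"
    chmod 600 "$dir/ecc.key"
}

# 2048-bit RSA key and a self-signed cert for the same host name.
make_rsa_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    "$OPENSSL" genrsa -out "$dir/rsa.key" 2048
    "$OPENSSL" req -new -x509 -sha256 -days "$DAYS" -key "$dir/rsa.key" \
        -subj "/CN=$host" -out "$dir/rsa.crt"
    chmod 600 "$dir/rsa.key"
}

# Prints the public key algorithm of a certificate: "id-ecPublicKey" for the
# ECDSA cert and "rsaEncryption" for the RSA one. Tomcat's Certificate
# type="EC" / type="RSA" must agree with this.
cert_key_algorithm() {
    "$OPENSSL" x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p'
}

case "${1:-}" in
  generate)
    make_ecdsa_cert "$CERT_DIR" "$HOST"
    make_rsa_cert "$CERT_DIR" "$HOST"
    for c in ecc rsa; do
        echo "$CERT_DIR/$c.crt: $(cert_key_algorithm "$CERT_DIR/$c.crt")"
    done
    ;;
esac
```

Run it as `sh certs.sh generate`. The private keys are left readable only by the owner; make that owner the tomcat user, since Tomcat reads them directly from the files referenced in server.xml. Note that these certificates carry only a CN and no subjectAltName, which is fine for curl -k and openssl s_client tests but not for browsers, which require a SAN.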
Now we can configure Tomcat 9's SSL/TLS connector with HTTP/2 support. Replace the default <Connector> section in Tomcat's server.xml, in our case /etc/tomcat9/server.xml, with the one below:
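An APR/OpenSSL connector with h2 enabled and both certificates attached to one SSLHostConfig, written here as an added example of the connector the text describes (it is not copied from the original post); the port, the certificate paths and the cipher list are assumptions.

```xml
<!-- Added example, not the original post's server.xml fragment. Assumed: port,
     certificate paths and cipher list. Requires the AprLifecycleListener with
     SSLEngine="on" that the stock server.xml already contains. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           SSLEnabled="true">
    <!-- Registers h2 for ALPN; without this element the connector only
         speaks HTTP/1.1 over TLS. -->
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig protocols="TLSv1.2"
                   honorCipherOrder="true"
                   ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384">
        <!-- With more than one Certificate per SSLHostConfig, each one needs
             an explicit type so Tomcat knows which key to use for which suite. -->
        <Certificate certificateKeyFile="/etc/tomcat9/ssl/ecc.key"
                     certificateFile="/etc/tomcat9/ssl/ecc.crt"
                     type="EC" />
        <Certificate certificateKeyFile="/etc/tomcat9/ssl/rsa.key"
                     certificateFile="/etc/tomcat9/ssl/rsa.crt"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

The cipher list is deliberately restricted to ECDHE with AES-GCM: RFC 7540 blacklists the CBC suites for HTTP/2, so a browser that ends up on one of them will refuse the h2 connection with INADEQUATE_SECURITY even though the TLS handshake itself succeeded. Which of the two certificates a client sees is decided by the cipher suite that gets negotiated, which with honorCipherOrder="true" is the first suite in the server's list that the client also offered.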
Now we can start the server:
and check for the features we need in the log file:
We can see the APR connector, the correct OpenSSL version and the h2 protocol being offered via ALPN (Application-Layer Protocol Negotiation).
To test the server I used trusty curl. It turned out to be a little painful to set up because of the many prerequisites, but since I have done it I might as well show it here. There are some other HTTP/2 testing tools available that you can use if you have a registered domain name with proper DNS resolution.
First the SPDY library (SPDY is the Google extension that is now becoming obsolete with HTTP/2):
Next is nghttp2:
Finally checking the versions installed:
The nghttp2 tools can also act as a TLS proxy if needed (nothing to do with the test, just mentioning it):
Or turn it into a service:
And finally curl:
Now we set the correct binary and library paths so that curl finds the OpenSSL and nghttp2 builds:
Check the openssl and curl binaries and their features:
From the above output we can confirm that curl has http2 support.
With all this done we can run the test. I tested both cases: first with only the ECDSA/ECC certificate configured in Tomcat, since I wanted to see this certificate in action:
and then with both certificate types configured as in our example above:
in which case the server presents the RSA certificate (notice the different start and expiry dates). Which certificate is presented depends on the cipher suites the client offers and on the server's cipher order. In both cases we can see the HTTP/2 connection being established.
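A more deliberate version of the test above, added here as an example and not taken from the original post: instead of relying on curl's default cipher list, it offers the server only ECDSA suites and then only RSA suites, so you can see each certificate selected on purpose rather than by accident, and it checks h2 negotiation with both openssl s_client and curl. The host, port and the availability of an OpenSSL 1.0.2+ s_client and a curl 7.50+ with %{http_version} are assumptions.

```shell
#!/bin/sh
# Added example (not the post's curl runs): probe a Tomcat 9 HTTPS port for
# h2 via ALPN and force the server to present either its ECDSA or its RSA
# certificate by offering only one key-exchange family in the ClientHello.
# Assumed: HOST/PORT below, openssl >= 1.0.2 (for -alpn), curl >= 7.50.
set -eu

HOST=${HOST:-localhost}
PORT=${PORT:-8443}
OPENSSL=${OPENSSL:-openssl}

# Raw TLS handshake. "-cipher" limits what we offer, so the server has to pick
# the matching certificate: ECDSA suites -> EC cert, RSA suites -> RSA cert.
tls_probe() {        # $1 = OpenSSL cipher list
    "$OPENSSL" s_client -connect "$HOST:$PORT" -servername "$HOST" \
        -alpn h2 -cipher "$1" </dev/null 2>/dev/null
}

# Negotiated ALPN protocol from s_client output on stdin ("h2" on success,
# empty when the server printed "No ALPN negotiated").
alpn_of() {
    sed -n 's/^ALPN protocol: //p' | head -n1
}

# Size of the server's public key from s_client output on stdin: 256 for the
# P-256 ECDSA certificate, 2048 for the RSA one.
server_key_bits() {
    sed -n 's/^Server public key is \([0-9]*\) bit.*/\1/p' | head -n1
}

# Application-layer check: let curl negotiate h2 and report the HTTP version
# it actually used ("2" for HTTP/2, "1.1" if ALPN fell back).
http_version() {
    curl -sk --http2 -o /dev/null -w '%{http_version}' "https://$HOST:$PORT/"
}

case "${1:-}" in
  probe)
    ecdsa_out=$(tls_probe ECDHE-ECDSA-AES128-GCM-SHA256)
    rsa_out=$(tls_probe ECDHE-RSA-AES128-GCM-SHA256)
    echo "ECDSA suites: ALPN=$(printf '%s\n' "$ecdsa_out" | alpn_of) key_bits=$(printf '%s\n' "$ecdsa_out" | server_key_bits)"
    echo "RSA suites:   ALPN=$(printf '%s\n' "$rsa_out" | alpn_of) key_bits=$(printf '%s\n' "$rsa_out" | server_key_bits)"
    echo "curl HTTP version: $(http_version)"
    ;;
esac
```

Run it as `HOST=myhost PORT=8443 sh probe.sh probe`. With both certificates configured you should get 256 key bits for the ECDSA run and 2048 for the RSA run, with ALPN=h2 in both; an empty ALPN value with key bits present means TLS works but tcnative is not using an OpenSSL with ALPN support. Note that -cipher only steers certificate selection for TLS 1.2; under TLS 1.3 the server chooses the certificate from the signature_algorithms extension instead, so there you would use -sigalgs.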