javaEEdevelop

https Connector SSL Support

 

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

 

Attribute | Description
algorithm

The certificate encoding algorithm to be used. This defaults to KeyManagerFactory.getDefaultAlgorithm(), which returns SunX509 for Sun JVMs. IBM JVMs return IbmX509. For other vendors, consult the JVM documentation for the default value.

clientAuth

Set to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to want if you want the SSL stack to request a client certificate, but not fail if one isn't presented. A false value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication. See the SSL HowTo for an example.

clientCertProvider

When client certificate information is presented in a form other than instances of java.security.cert.X509Certificate, it needs to be converted before it can be used, and this property controls which JSSE provider is used to perform the conversion. For example, it is used with the AJP connectors, the HTTP APR connector and with the org.apache.catalina.valves.SSLValve. If not specified, the default provider will be used.

keystoreFile

The pathname of the keystore file where you have stored the server certificate to be loaded. By default, the pathname is the file ".keystore" in the operating system home directory of the user that is running Tomcat. If your keystoreType doesn't need a file, use "" (empty string) for this parameter.

keystorePass

The password used to access the server certificate from the specified keystore file. The default value is "changeit".

keystoreType

The type of keystore file to be used for the server certificate. If not specified, the default value is "JKS".

keystoreProvider

The name of the keystore provider to be used for the server certificate. If not specified, the list of registered providers is traversed in preference order and the first provider that supports the keystoreType is used.

sslProtocol

The version of the SSL protocol to use. If not specified, the default is "TLS".

ciphers

The comma-separated list of encryption ciphers that this socket is allowed to use. By default, the default ciphers for the JVM will be used. Note that this usually means that the weak export-grade ciphers will be included in the list of available ciphers. The ciphers are specified using the JSSE cipher naming convention.

keyAlias

The alias used for the server certificate in the keystore. If not specified, the first key read in the keystore will be used.

trustManagerClassName

The name of a custom trust manager class to use to validate client certificates. The class must have a zero-argument constructor and must also implement javax.net.ssl.X509TrustManager. If this attribute is set, the trust store attributes may be ignored.

truststoreFile

The trust store file to use to validate client certificates. The default is the value of the javax.net.ssl.trustStore system property. If neither this attribute nor the default system property is set, no trust store will be configured.

truststorePass

The password to access the trust store. The default is the value of the javax.net.ssl.trustStorePassword system property. If that property is null, the value of keystorePass is used as the default. If an invalid trust store password is specified, a warning will be logged and an attempt will be made to access the trust store without a password, which will skip validation of the trust store contents. If the trust store password is defined as "", then no password will be used to access the store, which will also skip validation of the trust store contents.

truststoreType

The type of key store used for the trust store. The default is the value of the javax.net.ssl.trustStoreType system property. If that property is null, the value of keystoreType is used as the default.

truststoreProvider

The name of the truststore provider to be used for the server certificate. The default is the value of the javax.net.ssl.trustStoreProvider system property. If that property is null, the value of keystoreProvider is used as the default. If neither this attribute, the default system property nor keystoreProvider is set, the list of registered providers is traversed in preference order and the first provider that supports the truststoreType is used.

sessionCacheSize

The number of SSL sessions to maintain in the session cache. Use 0 to specify an unlimited cache size. If not specified, a default of 0 is used.

sessionTimeout

The time, in seconds, after the creation of an SSL session at which it will time out. Use 0 to specify an unlimited timeout. If not specified, a default of 86400 (24 hours) is used.

crlFile

The certificate revocation list file to use to validate client certificates.

allowUnsafeLegacyRenegotiation

Whether unsafe legacy TLS renegotiation is allowed. Allowing it is likely to expose users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS protocol that allows an attacker to inject arbitrary data into the user's request. If not specified, a default of false is used. This attribute only has an effect if the JVM does not support RFC 5746, as indicated by the presence of the pseudo-ciphersuite TLS_EMPTY_RENEGOTIATION_INFO_SCSV. This is available from JRE/JDK 6 update 22 onwards. Where RFC 5746 is supported, the renegotiation (including support for unsafe legacy renegotiation) is controlled by the JVM configuration.
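
An added example (not part of the Tomcat documentation or the original post): a small Python audit of a server.xml that flags the risky defaults and settings described in the attribute list above. The sample XML, the function names and the weak-suite markers are constructed for illustration, and selecting SSL connectors by SSLEnabled="true" is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the page); SSLEnabled marks the SSL connector.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="true" keystoreFile="conf/server.jks"
             keystorePass="changeit" truststorePass=""
             allowUnsafeLegacyRenegotiation="true"/>
</Service></Server>"""

WEAK_MARKERS = ("_EXPORT_", "_NULL_", "_anon_")  # substrings of JSSE suite names

def audit_connector(attrs):
    """Return a list of findings for one SSL connector's attribute dict."""
    findings = []
    # An omitted keystorePass falls back to the documented default "changeit".
    if attrs.get("keystorePass", "changeit") == "changeit":
        findings.append("keystorePass is the default 'changeit'")
    ciphers = [c.strip() for c in attrs.get("ciphers", "").split(",") if c.strip()]
    if not ciphers:
        findings.append("ciphers unset: JVM default list applies")
    for suite in ciphers:
        if any(m in suite for m in WEAK_MARKERS):
            findings.append("weak cipher suite listed: " + suite)
    # An explicit empty password skips validation of the trust store contents.
    if attrs.get("truststorePass") == "":
        findings.append("truststorePass is empty: trust store contents not validated")
    if attrs.get("clientAuth", "false") in ("true", "want"):
        if "truststoreFile" not in attrs and "trustManagerClassName" not in attrs:
            findings.append("clientAuth without truststoreFile: relies on javax.net.ssl.trustStore")
    if attrs.get("allowUnsafeLegacyRenegotiation", "false") == "true":
        findings.append("allowUnsafeLegacyRenegotiation=true (CVE-2009-3555)")
    return findings

def audit_server_xml(xml_text):
    """Map each SSL connector's port to its findings; plain HTTP connectors are skipped."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): audit_connector(c.attrib)
            for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"}

if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE).items():
        for finding in findings:
            print(port, finding)
```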
