Hi,

Since we are going to support virtual hosts in Tomcat, we need to provide $subject when the user wants to have a secured connection. At the moment, all our webapps are deployed under localhost.

E.g.: if the virtual host is wso2app.com, when the user accesses "https://wso2app.com", we should provide the associated certificate of that virtual host. FYI: we support name-based virtual hosts, which means all hosts are associated with one IP.

The default SSL connection is installed with the CA for localhost in the product, and a CA for a wild card (e.g. *.Stratoslive) is installed in Stratos. If we try to access the virtual host with this SSL connection, the browser fails to identify the CA of the virtual host, because at the negotiation to present the certificate no host name is sent to the browser; rather, the virtual host is sent to the browser with the HTTP header after the negotiation of the certificate. Only if the hostname in the browser and the certificate match would the browser be able to continue. Otherwise, browser warnings are displayed [1]. So, using one SSL to support multiple hosts is a limitation in Tomcat.

But if we go for supporting IP-based virtual hosts, then by creating different connectors on a per-host basis we would be able to provide the CA of the particular virtual host. But that wouldn't be very effective, as it utilizes one IP for each virtual host that needs SSL. To overcome this issue, we would support always appending a wild card to the hostname that needs SSL [3], similarly to what we did for Stratos. But that would restrict the user from having their own name for a virtual host. Another solution is to support SNI (Server Name Indication) [2], [4] in the browser and server. Are we currently supporting SNI? In that case, we can't make sure with the browser as well.

Please share your thoughts regarding the $subject.

[1] http://www.mail-archive.com/[email protected]/msg50892.html
[2] http://www.mail-archive.com/[email protected]/msg93384.html
[3] http://stackoverflow.com/questions/10173265/using-multiple-ssl-certificates-in-single-tomcat-instance
[4] http://en.wikipedia.org/wiki/Server_Name_Indication

Thanks,
Reka
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
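Added example (not from the mail or from WSO2/Tomcat code): a small model of the two checks the message describes, the browser-side comparison of the typed hostname against the names in the presented certificate (exact names and single-label wildcards), and the server-side certificate lookup that only becomes possible when the client sends an SNI server_name. All certificate records and hostnames are constructed for the demo; the wildcard domain is a placeholder, not the real Stratos one.

```python
"""Model of certificate selection with and without SNI on a name-based
virtual host setup (one IP, several hostnames). Constructed data only."""
from typing import Dict, Optional

# Constructed "certificates": the DNS names each one is valid for.
DEFAULT_CERT = {"id": "localhost-cert", "names": ["localhost"]}
CERT_STORE: Dict[str, dict] = {
    "wso2app.com": {"id": "wso2app-cert", "names": ["wso2app.com"]},
    # placeholder wildcard domain standing in for the Stratos wild card cert
    "*.stratoslive.example": {"id": "stratos-wildcard",
                              "names": ["*.stratoslive.example"]},
}


def name_matches(pattern: str, hostname: str) -> bool:
    """Browser-style comparison: case-insensitive exact match, or a wildcard
    that is the whole leftmost label and covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # "*.example" must match neither "example" nor "a.b.example"
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def browser_accepts(cert: dict, hostname: str) -> bool:
    """True when the hostname typed in the browser is covered by the cert."""
    return any(name_matches(n, hostname) for n in cert["names"])


def select_certificate(sni_hostname: Optional[str]) -> dict:
    """What an SNI-aware server can do at ClientHello time. With no SNI
    (no server_name sent) it can only offer the default certificate."""
    if sni_hostname is None:
        return DEFAULT_CERT
    for pattern, cert in CERT_STORE.items():
        if name_matches(pattern, sni_hostname):
            return cert
    return DEFAULT_CERT


def handshake_outcome(sni_hostname: Optional[str], browser_host: str) -> str:
    """'ok' when the chosen cert covers the typed host, else a warning."""
    cert = select_certificate(sni_hostname)
    if browser_accepts(cert, browser_host):
        return "ok"
    return "warning: %s does not cover %s" % (cert["id"], browser_host)
```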
