Hi all,

Server Name Indication (SNI) is not a preferred option, since it is not
yet supported by all the clients (IE 7 and 8 will fail on
Windows XP) [1]. Also, SNI is supported by Java 7, so we need to
switch to Java 7 to support SNI in Tomcat.

As per the offline discussion with Azeez, we will use a wild card (e.g.
*.Stratoslive) for the virtual host to get the context mapping for
now, based on the above clarifications, until SNI stabilizes with
Tomcat and the clients.

[1]. http://tomcat.markmail.org/thread/q6d5czzlgih3r2ys

Thanks,
Reka

On Thu, Apr 26, 2012 at 11:25 AM, Reka Thirunavukkarasu <[email protected]> wrote:
> Hi,
>
> Since we are going to support virtual hosts in Tomcat, we need to provide
> $subject when the user wants to have a secured connection. At the moment, all
> our webapps are deployed under localhost.
>
> Eg: if the virtual host is wso2app.com, when the user accesses
> "https://wso2app.com", we should provide the associated certificate of that
> virtual host.
> FYI: we support name-based virtual hosts, which means all hosts are associated with
> one IP.
>
> The default SSL connection is installed with the CA for localhost in the
> product, and with a CA for a wild card (Eg: *.Stratoslive) in Stratos.
> If we try to access the virtual host with this SSL connection, the browser fails
> to identify the CA of the virtual host, because at the negotiation to
> present the certificate, no host name is sent to the browser; rather, the virtual
> host is sent to the browser with the HTTP header after the negotiation of the
> certificate. Only if the hostname in the browser and the certificate
> match is the browser able to continue. Otherwise, browser warnings are
> displayed [1].
>
> So, using one SSL connection to support multiple hosts is a limitation in Tomcat. But
> if we go for supporting IP-based virtual hosts, then by creating different
> connectors per host we would be able to provide the CA of the particular
> virtual host. But that wouldn't be very effective, as it uses one IP for each
> virtual host that needs SSL.
>
> To overcome this issue, we would support always appending a wild card to
> the hostname that needs SSL [3], similar to what we did for Stratos. But that will
> restrict the user from having their own name for a virtual host. Another solution is to
> support SNI (Server Name Indication) [2], [4] in the browser and server. Are we
> currently supporting SNI? In such a case, we can't be sure about the browser
> as well.
>
> Please share your thoughts regarding the $subject.
>
> [1]. http://www.mail-archive.com/[email protected]/msg50892.html
> [2]. http://www.mail-archive.com/[email protected]/msg93384.html
> [3]. http://stackoverflow.com/questions/10173265/using-multiple-ssl-certificates-in-single-tomcat-instance
> [4]. http://en.wikipedia.org/wiki/Server_Name_Indication
>
>
> Thanks,
> Reka
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
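Both messages turn on two things: the browser's hostname-versus-certificate check, and the fact that without SNI the server must choose a certificate before it learns which virtual host the client wants. As an added example (not code from the WSO2 thread or product), here is that check in Python plus a simulation of certificate selection with and without SNI; the certificate labels and the *.stratoslive.example pattern are constructed.

```python
# Added example, not code from the WSO2 thread: hostname-vs-certificate
# matching as a browser performs it, used to show why a single wildcard
# certificate restricts virtual host names and what SNI changes.
# Certificate labels and the *.stratoslive.example pattern are constructed.
from typing import Optional

# constructed inventory: certificate label -> hostnames/patterns it covers
CERTS = {
    "localhost-cert": ["localhost"],
    "stratos-wildcard-cert": ["*.stratoslive.example"],
    "wso2app-cert": ["wso2app.com", "www.wso2app.com"],
}

def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive; '*' is allowed only as the
    whole leftmost label and matches exactly one label; a wildcard must
    leave at least two fixed labels, so '*.com' never matches anything."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
            return False
        return p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels

def select_certificate(sni_hostname: Optional[str], default: str) -> str:
    """Certificate a name-based virtual host server can present. Without
    SNI only the IP/port the connection arrived on is known at handshake
    time (the Host header arrives later, inside the encrypted session),
    so the default is all it has; with SNI it can pick a matching one."""
    if sni_hostname is None:
        return default
    for cert, patterns in CERTS.items():
        if any(hostname_matches(p, sni_hostname) for p in patterns):
            return cert
    return default

def browser_accepts(cert: str, requested_host: str) -> bool:
    """Browser-side check: the presented certificate must cover the host in
    the address bar, otherwise a certificate warning is shown."""
    return any(hostname_matches(p, requested_host) for p in CERTS[cert])

def handshake_outcome(requested_host: str, client_sends_sni: bool,
                      default: str = "localhost-cert") -> tuple:
    """One HTTPS connection: which certificate the server picks and whether
    the browser accepts it for the requested host."""
    cert = select_certificate(requested_host if client_sends_sni else None, default)
    return cert, browser_accepts(cert, requested_host)
```

With `default="stratos-wildcard-cert"`, a host one label under the wildcard succeeds even without SNI, which is the Stratos arrangement; wso2app.com only succeeds when the client sends SNI and a matching certificate exists.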
