RE: Issue with SSL server/ network configuration
Peter Crowther wrote:
> From: i_am_superman [mailto:ee...@objectivation.nl]
>> is there a simple way to map one domain name to two different SSL connectors?
> I don't think there is, unless you want part of your application to be accessible from a different port. So the part that doesn't need certs might be at https://www.example.com (implicitly on port 443) and the part that does need certs might be at https://www.example.com:8443. You could then set up two different connectors, with different hosts and the different security constraints.

Hi Peter,

Thanks for the swift reply. I agree that this will probably work, but I don't think my client will allow me to run a public SSL website on any port but 443 (firewalls). But your reply confirms my hunch that there is no other way but to buy extra certificates (400 EUR for an 800 byte file. That's 50 EUR cents per byte! More expensive than champagne. :-))

Thanks again. If anyone else has another idea, please respond.

Eelco

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
-- View this message in context: http://www.nabble.com/Issue-with-SSL-server--network-configuration-tp22618057p22618310.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
RE: Issue with SSL server/ network configuration
From: i_am_superman [mailto:ee...@objectivation.nl]
> is there a simple way to map one domain name to two different SSL connectors?

I don't think there is, unless you want part of your application to be accessible from a different port. So the part that doesn't need certs might be at https://www.example.com (implicitly on port 443) and the part that does need certs might be at https://www.example.com:8443. You could then set up two different connectors, with different hosts and the different security constraints.

I *think* this would allow you to re-use your existing server certificate; browsers check the cert based on the domain name excluding the port, so as long as www.example.com matched you'd be OK. You could probably get away with just the single keystore, too. But you'd need appropriate code (or vanilla HTML) in the applications to direct the user to the other app at the appropriate time!

Does this help, or have I answered the wrong question?

- Peter
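The two-connector layout Peter describes, as an added example that is not from the thread or from Tomcat's own distribution: a constructed Tomcat 6 style server.xml with one HTTPS connector on 443 that does not ask for a client certificate and one on 8443 that requires one, both pointing at the same server keystore, followed by a small Python audit that reads the SSL connectors back out and flags the pitfall a practitioner most often hits with this split, a clientAuth="true" connector with no explicit truststoreFile (Tomcat then validates client certificates against the JVM's default cacerts, so any certificate chained to a public CA would be accepted). The keystore paths and passwords are assumptions.

```python
"""Read the SSL connectors out of a Tomcat server.xml and check the split
described in the thread. Added example; not Tomcat's code."""
import xml.etree.ElementTree as ET

# Constructed server.xml: hypothetical keystore paths and passwords.
SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- public part of the site: server certificate only -->
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               clientAuth="false"
               keystoreFile="conf/www.example.com.jks" keystorePass="changeit"/>
    <!-- restricted part: same server certificate, plus a mandatory client certificate -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               clientAuth="true"
               keystoreFile="conf/www.example.com.jks" keystorePass="changeit"
               truststoreFile="conf/client-ca.jks" truststorePass="changeit"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

def ssl_connectors(xml_text):
    """One dict per SSLEnabled Connector, with the attributes the audit needs."""
    root = ET.fromstring(xml_text)
    found = []
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        found.append({
            "port": int(c.get("port")),
            "address": c.get("address", "0.0.0.0"),   # unset means bind to all addresses
            "clientAuth": c.get("clientAuth", "false").lower(),
            "keystoreFile": c.get("keystoreFile"),
            "truststoreFile": c.get("truststoreFile"),
        })
    return found

def audit(connectors):
    """Findings for the two-connector layout; an empty list means it checks out."""
    findings = []
    seen = set()
    for c in connectors:
        key = (c["address"], c["port"])
        if key in seen:
            findings.append(f"{key}: second SSL connector on the same address and port")
        seen.add(key)
        if c["clientAuth"] not in ("true", "false", "want"):
            findings.append(f"{key}: unknown clientAuth value {c['clientAuth']!r}")
        if c["clientAuth"] in ("true", "want") and not c["truststoreFile"]:
            # Without an explicit truststore Tomcat verifies client certificates
            # against the JVM's default cacerts, i.e. any public CA, not just the
            # CA that issues this site's client certificates.
            findings.append(f"{key}: clientAuth={c['clientAuth']} without truststoreFile")
    return findings

def shares_server_keystore(connectors):
    """True when every SSL connector presents the same server keystore."""
    return len({c["keystoreFile"] for c in connectors}) == 1
```

Both connectors serve the same www.example.com certificate, which is the point of Peter's suggestion; only the client-side requirement differs. Running the audit on a copy of the file with the truststore attributes deleted produces the clientAuth finding.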
Re: Issue with SSL server/ network configuration
Gregor Schneider wrote:
> How about a self-signed cert? A nasty browser window will pop up once, however, the users could import the server cert into their browser, and then they're done.

It's gonna be a public government website, so a self-signed certificate will not be an option :-) (it's tempting though). And Firefox tends to be very annoying with self-signed certificates lately.
Re: Issue with SSL server/ network configuration
i_am_superman wrote:
> It's gonna be a public government website, so a self-signed certificate will not be an option :-)

Considering the amount of taxpayer money that governments are currently pumping into failed financial institutions and car makers, I'm sure they could afford a 400 € certificate, no? Or is it that bad?
RE: Issue with SSL server/ network configuration
From: i_am_superman [mailto:ee...@objectivation.nl]
> I don't think my client will allow me to run a public SSL website on any port but 443 (firewalls).

Then you'll also need a second IP address on the server, as I'm sure you've already realised.

- Peter
Re: Issue with SSL server/ network configuration
awarnier wrote:
> i_am_superman wrote:
>> It's gonna be a public government website, so a self-signed certificate will not be an option :-)
> Considering the amount of taxpayer money that governments are currently pumping into failed financial institutions and car makers, I'm sure they could afford a 400 € certificate, no? Or is it that bad?

:-) No, it's not that bad, but we have 3 environments (test, accept, prod), so we need 3 extra certificates. No big deal indeed, but I need to be sure that I really need them.
RE: Issue with SSL server/ network configuration
Why not opt for a wildcard certificate for the domain, if that's applicable (e.g. *.yourcompany.com)?

-Original Message-
From: i_am_superman [mailto:ee...@objectivation.nl]
Sent: 20 March 2009 11:52
To: users@tomcat.apache.org
Subject: Re: Issue with SSL server/ network configuration

> awarnier wrote:
>> i_am_superman wrote:
>>> It's gonna be a public government website, so a self-signed certificate will not be an option :-)
>> Considering the amount of taxpayer money that governments are currently pumping into failed financial institutions and car makers, I'm sure they could afford a 400 € certificate, no? Or is it that bad?
> :-) No, it's not that bad, but we have 3 environments (test, accept, prod), so we need 3 extra certificates. No big deal indeed, but I need to be sure that I really need them.
Re: Issue with SSL server/ network configuration
On Fri, Mar 20, 2009 at 12:10 PM, i_am_superman ee...@objectivation.nl wrote:
> If anyone else has another idea, please respond.

How about a self-signed cert? A nasty browser window will pop up once, however, the users could import the server cert into their browser, and then they're done.

Rgds
Gregor

--
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
RE: Issue with SSL server/ network configuration
Darren Kukulka wrote:
> Why not opt for a wildcard certificate for the domain, if that's applicable (e.g. *.yourcompany.com)

Hi Darren,

Interesting idea! What are the restrictions on wildcard certificates? If I have two subdomains with one wildcard certificate, do I still need the two IP addresses? Or is the IP address tied to the (wildcard) certificate?

Best regards,
Eelco
RE: Issue with SSL server/ network configuration
From: i_am_superman [mailto:ee...@objectivation.nl]
> we have 3 environments (test, accept, prod), so we need 3 extra certificates. No big deal indeed, but I need to be sure that I really need them.

Get a wildcard certificate? They're about 3 times the price of a regular cert, and can authenticate *.example.com (for example).

- Peter
RE: Issue with SSL server/ network configuration
From: i_am_superman [mailto:ee...@objectivation.nl]
> What are the restrictions on wildcard certificates?

Some very old browsers don't understand them. Probably not a problem in your environment, but check your client's browser support requirements.

> If I have two subdomains with one wildcard certificate, do I still need the two IP addresses?

Not sure. I'll leave that to the more experienced folks on the list to answer!

> Or is the IP address tied to the (wildcard) certificate?

IP addresses are never tied to certificates. Certificates allow browsers to authenticate based on the common name in the certificate, and the hostname that the browser is using to access the site.

- Peter
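Peter's two points, that the browser compares the host name without the port and that one wildcard name can cover several hosts, can be checked against the matching rules browsers apply (RFC 2818, later tightened by RFC 6125). The Python below is an added example, not from the thread; example.com and the test/accept/prod host names are assumptions standing in for the poster's three environments. It also shows the restrictions Eelco asked about that browser age does not cover: a wildcard is honoured only as the entire left-most label, it matches exactly one label, so *.example.com covers neither example.com nor a.b.example.com, and a wildcard directly under a top-level domain is refused.

```python
"""Host name matching as browsers do it (RFC 2818 / RFC 6125 rules), to show
what a wildcard certificate does and does not cover. Added example."""
from urllib.parse import urlsplit

def host_from_url(url):
    """The name a browser compares against the certificate: host only, no port."""
    return urlsplit(url).hostname

def _label_matches(pattern_label, host_label):
    """One DNS label: exact match, or '*' standing for the whole label."""
    return pattern_label == "*" or pattern_label == host_label

def match_hostname(hostname, cert_names):
    """True if hostname is covered by any DNS name (CN or SAN dNSName) in the cert.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot
      * a wildcard is honoured only as the complete left-most label
        (w*.example.com is treated as a literal and never matches)
      * the wildcard matches exactly one label, so *.example.com does not
        cover example.com or a.b.example.com
      * the wildcard needs at least two labels to its right (*.com is refused)
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if "*" in name:
            if pat[0] != "*" or any("*" in label for label in pat[1:]) or len(pat) < 3:
                continue
        if all(_label_matches(p, h) for p, h in zip(pat, host)):
            return True
    return False

# Assumed layout from the thread: three environments under one wildcard name.
WILDCARD = ["*.example.com"]
ENVIRONMENTS = ["test.example.com", "accept.example.com", "prod.example.com"]

def covered_by_wildcard(hosts=ENVIRONMENTS, names=WILDCARD):
    """Map each host name to whether the wildcard certificate covers it."""
    return {h: match_hostname(h, names) for h in hosts}
```

Because the port never enters the comparison, https://www.example.com:8443/ is matched against the same certificate name as https://www.example.com/, which is why Peter's two-connector layout can reuse one certificate. The bare apex name is the usual surprise: a certificate for *.example.com alone does not cover example.com, so that name has to be listed separately if it is served.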
RE: Issue with SSL server/ network configuration
Peter Crowther wrote:
>> Or is the IP address tied to the (wildcard) certificate?
> IP addresses are never tied to certificates. Certificates allow browsers to authenticate based on the common name in the certificate, and the hostname that the browser is using to access the site.

Yep, I know, I just want to be sure whether I have the same 'two certificates, two IP addresses' issue. I know about this issue, I just don't understand it; how do hosting companies host 2 sites on one box with a certificate each? That'll be a lot of IP address juggling. But let's not get carried away, this is a Tomcat mailing list :-)
Re: Issue with SSL server/ network configuration
On Fri, Mar 20, 2009 at 12:36 PM, André Warnier a...@ice-sa.com wrote:
> Considering the amount of taxpayer money that governments are currently pumping into failed financial institutions and car makers, I'm sure they could afford a 400 € certificate, no? Or is it that bad?

+1

Cheers
Gregor
Re: Issue with SSL server/ network configuration
Peter,

On Fri, Mar 20, 2009 at 2:05 PM, i_am_superman ee...@objectivation.nl wrote:
> I just don't understand it; how do hosting companies host 2 sites on one box with a certificate each? That'll be a lot of IP address juggling.

Well, we f.e. do have a box (ok, actually two boxes behind a loadbalancer), each having 8 different IP addresses, one for each site. I guess that's not an uncommon setup.

Rgds
Gregor
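The one-address-per-site layout Gregor describes follows from the handshake order: the server has to choose a certificate when it answers the ClientHello, before any HTTP request (and its Host header) exists, so without extra information the only thing it can key on is the address and port the client connected to. The Python below is an added example, not from the thread; the 192.0.2.x addresses, the site names and the ClientHello bytes are constructed. It builds a minimal ClientHello, parses the Server Name Indication extension (RFC 6066) out of it, and selects a certificate by that name when one is present, falling back to the per-address certificate when it is not. This goes beyond the thread, which predates widespread SNI support: the fallback path is the situation the thread is in.

```python
"""Certificate selection at ClientHello time: by SNI when the client sends one,
otherwise by the listening address. Added example, not from the thread."""
import struct

def build_client_hello(server_name=None):
    """Constructed TLS 1.2 ClientHello with one cipher suite and optional SNI."""
    body = b"\x03\x03" + bytes(32)            # client_version, 32-byte random (zeros here)
    body += b"\x00"                            # empty session_id
    body += b"\x00\x02" + b"\xc0\x2f"          # cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                        # compression_methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name              # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry                    # ServerNameList
        exts += b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list   # extension type 0
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body               # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record

def parse_sni(record):
    """Return the host_name from the SNI extension of a ClientHello, or None."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                               # client_version + random
    pos += 1 + p[pos]                                          # session_id
    pos += 2 + struct.unpack("!H", p[pos:pos + 2])[0]          # cipher_suites
    pos += 1 + p[pos]                                          # compression_methods
    if pos + 2 > len(p):
        return None                                            # no extensions block at all
    end = pos + 2 + struct.unpack("!H", p[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", p[pos:pos + 4])
        data = p[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= list_end:
            ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
            if ntype == 0:
                return data[q + 3:q + 3 + nlen].decode("idna")
            q += 3 + nlen
    return None

# Constructed deployment: the pre-SNI layout from the thread, one address per
# site with its own certificate, next to a table keyed by host name.
CERT_BY_ADDRESS = {
    ("192.0.2.10", 443): "CN=www.example.com",
    ("192.0.2.11", 443): "CN=www.example.org",
}
CERT_BY_NAME = {
    "www.example.com": "CN=www.example.com",
    "www.example.org": "CN=www.example.org",
}

def select_certificate(listen_addr, record):
    """Choose the certificate to present in the ServerHello.

    At this point the server has only the socket the client connected to and
    the ClientHello bytes; the HTTP Host header does not exist yet. A known SNI
    name selects by name; otherwise (no SNI, or an unknown name) the server can
    only serve whatever certificate is bound to that address and port.
    """
    name = parse_sni(record)
    if name in CERT_BY_NAME:
        return CERT_BY_NAME[name]
    return CERT_BY_ADDRESS[listen_addr]
```

A client that sends no SNI, connecting to 192.0.2.10, always gets www.example.com's certificate, whatever name it typed; that is the problem the extra IP addresses solve. The same parser is what a TLS-terminating proxy or a passive sensor uses to attribute a connection to a site before decryption.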