On 02/12/2024 05:24, Mcalexander, Jon J. wrote:
> Good evening all,
>
> Is there any relationship between the Connector and SSLHostConfig if you set the
> DefaultSSLHostConfigName in the connector and hostName in the SSLHostConfig, to the
> <Host name= within the <Engine section of the server.xml? Do these need to
> match if you are going to specify the names in the connector to the virtual host, or
> are the 2 groups unrelated?

If you have multiple <SSLHostConfig> elements then SNI will be used to select the certificate presented.

If no SNI is provided by the client or the host indicated in SNI doesn't match any <SSLHostConfig> then the default <SSLHostConfig> will be used.

If you have multiple <Host> elements then the HTTP Host header will be used to match the request to the <Host>.

If no matching <Host> element is found for a given Host header then the default <Host> will be used.

Generally, there is going to be a mapping but it needn't be one-to-one. For example, you could have a wildcard SSL cert but individual <Host> elements.

There isn't any requirement for the host name on the TLS certificate to match the HTTP host header so, in theory, the host names could be completely different between the two. Practically, that doesn't happen very often as browsers expect them to be consistent.

Mark



> Thank you,
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander | Senior Infrastructure Engineer | Middleware/App Hosting | FHP
> | CTO | Wells Fargo Technology
> 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010  | +1 515 988 2508 |
> jonmcalexan...@gmail.com
> This message may contain confidential and/or privileged information. If you are
> not the addressee or authorized to receive this for the addressee, you must not
> use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you for
> your cooperation.




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
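
The two independent lookups described in the reply above, modelled as an added example that is not part of the original thread and is not Tomcat's own code. The server.xml fragment and all host names are constructed, and the `<Host>` lookup is simplified to exact name and alias matching.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (host names are made up; <Certificate>
# children and other required attributes are omitted for brevity).
SERVER_XML = """
<Service name="Catalina">
  <Connector port="8443" SSLEnabled="true"
             defaultSSLHostConfigName="fallback.example.net">
    <SSLHostConfig hostName="fallback.example.net"/>
    <SSLHostConfig hostName="*.example.com"/>
  </Connector>
  <Engine name="Catalina" defaultHost="app1.example.com">
    <Host name="app1.example.com"/>
    <Host name="app2.example.com"><Alias>admin.example.com</Alias></Host>
  </Engine>
</Service>
"""
SERVICE = ET.fromstring(SERVER_XML)

def select_ssl_host_config(sni):
    """TLS layer: pick the SSLHostConfig from the SNI name alone."""
    connector = SERVICE.find("Connector")
    names = {c.get("hostName", "_default_").lower()
             for c in connector.findall("SSLHostConfig")}
    sni = (sni or "").lower()
    if sni in names:                       # exact match
        return sni
    if "." in sni:                         # wildcard: replace the first label
        wildcard = "*" + sni[sni.index("."):]
        if wildcard in names:
            return wildcard
    # no SNI, or no match: fall back to the connector's default
    return connector.get("defaultSSLHostConfigName", "_default_").lower()

def select_host(host_header):
    """HTTP layer: pick the <Host> from the Host header alone.
    Simplified: exact name/alias match only, ':port' stripped."""
    engine = SERVICE.find("Engine")
    wanted = (host_header or "").split(":")[0].lower()
    for host in engine.findall("Host"):
        names = [host.get("name")] + [a.text for a in host.findall("Alias")]
        if wanted in (n.lower() for n in names):
            return host.get("name")
    return engine.get("defaultHost")       # no match: default <Host>

def route(sni, host_header):
    """Return (SSLHostConfig, Host, SNI-equals-Host-header?)."""
    consistent = bool(sni) and sni.lower() == (host_header or "").split(":")[0].lower()
    return select_ssl_host_config(sni), select_host(host_header), consistent
```

The third value returned by `route` is a consistency flag added for logging purposes; the server-side selection itself never compares the two names.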
