Peter Crowther wrote:
2009/12/29 DOrlov <dor...@redaril.com>

Hello, I have a Tomcat 6 server and I have 3 SSL certificates for:

1. p.domain.com
2. p1.domain.com
3. p2.domain.com

I would like to use all 3 on 1 SSL connector (don't create 3 SSL
connectors).
I'm using the keytool app and keystore SSL logic for Tomcat SSL configuration.

As far as I know, the HTTP spec doesn't allow this.  The certificate must
be chosen and sent by the server to encrypt the connection before the host
header is sent by the browser over the encrypted connection.  Therefore, the
server cannot choose the certificate to send.  You'll need different
connectors, either on different IP addresses or different ports.

Happy to be corrected if someone knows better!

With pleasure! ;-)
Actually, HTTP (RFC 2616) is pretty much silent about this.
One has to consult RFC 2818 and RFC 2817 for information on the subject.

What you indicate above as the technical reason is generally correct however, as far as HTTP servers are concerned. The Java Servlet Specification, also applicable in Tomcat's case, may however have more to say about this.

For the OP, since you mentioned this possibility:
If you are using a front-end Apache httpd anyway, and if the connection between this front-end Apache and the back-end Tomcat can generally be considered as secure (for example, it happens within the same host, or over a reasonably secure LAN), then it would make sense to "terminate" the SSL part at the front-end level, and use a non-encrypted protocol between Apache and Tomcat (because Apache has to decrypt anyway, and then it has to re-encrypt everything for Tomcat otherwise, and vice-versa).

This being said, by doing this you have just moved the issue to the Apache httpd level, and it will be submitted to the same limitations as indicated above.

Except that, if I remember correctly, there is now support in Apache httpd for the TLS and SNI extensions, and possibly in some browsers also. Very roughly, TLS with SNI allows a browser to start a connection with an HTTP host using normal (unencrypted) TCP, and then request an "upgrade" of the connection to SSL. This should theoretically allow for the kind of thing you seem to want.
