On 13/07/2021 11:03, jean-frederic clere wrote:
On 09/07/2021 18:40, Rainer Jung wrote:
Hi Jean-Frederic,
how do you make sure, that your tests actually land in the correct
SSLHost? You are using the same server certificate, so a check on the
client side might not be easy. I would find a test more convincing, if
the three TLS hosts would use three different certificates and you
could check on the TLS client, that it actually gets the right server
certificate.
Yes I have retested with 3 different certificates
localhost gets the localhost certificate and the TLSv1.1 protocol
server1 gets the server1 certificate but the TLSv1.1 protocol
server2 gets the server2 certificate but the TLSv1.1 protocol...
Use nio/nio2 the protocol is the expected one.
https://github.com/apache/tomcat-native/pull/10 the fix for it.
Best regards,
Rainer
Am 09.07.2021 um 15:33 schrieb jean-frederic clere:
On 09/07/2021 15:15, Christopher Schultz wrote:
Jean-Ferderic,
On 7/9/21 07:55, jean-frederic clere wrote:
On 09/07/2021 12:38, Mark Thomas wrote:
On 09/07/2021 11:08, jean-frederic clere wrote:
Hi,
I think we need the same fix in tomcat or I missed something?
If we need it I will work on it next week ;-)
To clarify, you mean checking Tomcat can (and implementing if it
can't) the ability to configure supported SSL protocols per
virtual host.
Yes.
We should have most of this in SSLHostConfig but I don't recall
ever testing this behaviour specifically.
Just as a reminder, both <Host .../> elements and <SSLHostConfig
.../> are likely to be required as the are configured separately.
Quick test and code review seems to show it is not working (I
tested the apr connector and 9.0.x).
Can you post a sample config?
I assume you mean:
1. Define two <Host>, configure for TLS
a. One attempting to use e.g. only TLSv1
b. One attempting to use e.g. only TLSv1.2
2. Run a protocol-checker against both hosts
Result is that host (a) supports not-only TLSv1 and/or host (b)
supports not-only TLSv1.2?
Yes that is what I am testing, actually Nio and Nio2 are working Apr
isn't...
The configuration is something like:
+++
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true">
<SSLHostConfig protocols="TLSv1.1">
<Certificate
certificateFile="conf/localhost.server.cert.pem"
certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
</SSLHostConfig>
<SSLHostConfig hostName="server1" protocols="TLSv1.2">
<Certificate
certificateFile="conf/localhost.server.cert.pem"
certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
</SSLHostConfig>
<SSLHostConfig hostName="server2" protocols="TLSv1.3">
<Certificate
certificateFile="conf/localhost.server.cert.pem"
certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
</SSLHostConfig>
</Connector>
+++
and I have the 3 corresponding <Host/>
--
Cheers
Jean-Frederic
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
