https://bz.apache.org/bugzilla/show_bug.cgi?id=57953
Bug ID: 57953
Summary: Support multiple TLS certificate types for a single TLS virtual host
Product: Tomcat 9
Version: unspecified
Hardware: PC
OS: Mac OS X 10.4
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
httpd allows multiple certificates (RSA, DSA & ECC) for a single TLS virtual
host. It would be extremely useful to add this feature to Tomcat.
We could easily extend the hack we used for SNI as follows:
1. When parsing the client hello, remember the cipher suites the client asked
for (currently we just skip over them).
2. Filter the server supported cipher suites for each SSLHostConfig based on
which certificate types are available.
3. When selecting the SSLHostConfig, if more than one certificate is
present, identify the preferred cipher suite (if server order: first cipher in
the server list that the client supports; if client order: first cipher in the
client list that the server supports) and from that select the appropriate certificate.
And bingo, we can support RSA, DSA, ECC and whatever the next certificate type is, in
parallel.
Configuration wise I think the certificate attributes would need to move to a
nested <Certificate .../> element within the <SSLHostConfig .../>
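Steps 2 and 3 above as an added, stand-alone example (not Tomcat code and not part of the report): the server suite list is filtered by the certificate types the host actually has, the preferred common suite is chosen in server or client order, and the certificate type is read back from that suite. It assumes TLS 1.2-style IANA suite names, where the authentication token (`RSA`, `DSS`, `ECDSA`) identifies the certificate needed; the suite lists below are constructed sample data.

```java
import java.util.*;

public class CertSelector {
    public enum CertType { RSA, DSA, EC }

    // Map a suite name to the certificate type it needs (assumption: TLS 1.2-style
    // naming such as TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256). Anonymous or
    // unrecognised suites yield null and are never selected.
    public static CertType certTypeFor(String suite) {
        if (suite.contains("_ECDSA_")) return CertType.EC;
        if (suite.contains("_DSS_")) return CertType.DSA;
        if (suite.contains("_RSA_")) return CertType.RSA;
        return null;
    }

    // Step 2: keep only the server suites this SSLHostConfig can actually serve.
    public static List<String> filterByAvailableCerts(List<String> serverSuites, Set<CertType> available) {
        List<String> usable = new ArrayList<>();
        for (String s : serverSuites) {
            CertType t = certTypeFor(s);
            if (t != null && available.contains(t)) usable.add(s);
        }
        return usable;
    }

    // Step 3a: first suite of the preferred list that the other side also offers.
    public static String preferredSuite(List<String> clientSuites, List<String> serverSuites, boolean serverOrder) {
        List<String> first = serverOrder ? serverSuites : clientSuites;
        Set<String> second = new HashSet<>(serverOrder ? clientSuites : serverSuites);
        for (String s : first) if (second.contains(s)) return s;
        return null;
    }

    // Step 3b: the certificate to present follows from the negotiated suite.
    public static CertType selectCertificate(List<String> clientSuites, List<String> serverSuites,
                                             Set<CertType> available, boolean serverOrder) {
        String chosen = preferredSuite(clientSuites, filterByAvailableCerts(serverSuites, available), serverOrder);
        return chosen == null ? null : certTypeFor(chosen);
    }

    public static void main(String[] args) {
        // Constructed sample: the client prefers an RSA suite, the server prefers ECDSA,
        // and the host has RSA and EC certificates but no DSA certificate.
        List<String> client = List.of("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA");
        List<String> server = List.of("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA");
        Set<CertType> have = EnumSet.of(CertType.RSA, CertType.EC);
        System.out.println("server order -> " + selectCertificate(client, server, have, true));
        System.out.println("client order -> " + selectCertificate(client, server, have, false));
    }
}
```

With server order the EC certificate is chosen; with client order the RSA one; the DSS suite is never negotiated because the filter in step 2 removes it when no DSA certificate is configured.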