Identification of keys and supported ciphers are an important for Key Exchange But before that happensThe certificates attributes are the only means the CA-Authority can verify the the name in the cert The certificate attributes should contain 1)1 and only 1 Hostname to contact 2)Identification information from a DN in LDAP or a suitably unique Name Service Server (ADS)allowing verification of client to a 'Name Service'http://docs.oracle.com/cd/E19575-01/820-3885/gimog/index.html
Allowing your cert to authenticate to n hosts invites 2n as many potential DOS attacks Not requiring DN would negate the CA-Authority ability to verify DN CN == SSL-Host. Think of online banking and clients need to circumvent forged sites as 'The official bank site' to send your money If you are FE with Apache you will want to configure in mod-sslhttp://www.modssl.org/ Martin ______________________________________________ Verzicht und Vertraulichkeitanmerkung Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen. > Date: Sun, 7 Apr 2013 11:40:24 -0700 > From: its_toas...@yahoo.com > To: users@tomcat.apache.org > Subject: Re: Better SSL connector setup > > Some notes from October 2011 referenced below: > > On 4/7/2013 8:47 AM, Christopher Schultz wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA256 > > > > Kevin, > > > > On 4/6/13 10:10 PM, Kevin Jenkins wrote: > >> I have a server that has two hosts: First: > >> http://masterserver2.raknet.com/ > >> > >> Second (using alias) https://lobby3.raknet.com > >> <https://milestone.lobby3.raknet.com:444/> > >> https://milestone.lobby3.raknet.com:444/ > >> > >> I would like have access be on these specific URLS. Right now you > >> can use untrusted URLs, such as https://masterserver2.raknet.com/ > >> https://milestone.lobby3.raknet.com/ > >> > >> Additionally, I would like to access milestone.lobby3.raknet.com on > >> port 443 rather than 444 (so that 443 does not display a warning > >> like it does now). > >> > >> I setup two connectors because I did not know how else to specify > >> there are two ssl certificate files > > > > If you want two separate hostnames served under HTTPS and you: > > > > a. Don't have a wildcard or other special type of certificate > > or > > b. Don't have Server Name Indication capabilities > > > > From the list archives: > > http://mail-archives.apache.org/mod_mbox/tomcat-users/201110.mbox/%3c1318710394.66976.yahoomail...@web125511.mail.ne1.yahoo.com%3E > > Wildcard certificates would work in this case because the hosts are part > of the same domain. > > SNI is apparently client-side only for Java. > > > ...then you will need to configure a <Connector> for each hostname on > > a separate interface/port combination with separate certificates. > > > > The easiest way to do this is to set up a second interface with a > > separate IP address. This is usually trivial to do, and it doesn't > > really interfere with networking on the server. Just create a second > > interface with a second IP address, map DNS properly, and then set up > > your web server to bind specifically to the second IP address for the > > second hostname's SSL virtual host. > > > > In a Tomcat-only setup this is the way to go. Secondary or virtual IP > addresses are easy to set up. > > > Your <Connectors> look just fine (other than the use of port 444, of > > course). Once you have a second interface/IP, you'll want to use the > > "address" attribute of the <Connector> to choose the interface to > > listen on. I would choose one <Connector> to listen on *all* > > interfaces to be a catch-all in case your IP address(es) change(s) and > > you forget to re-configure everything: a security warning due to a > > mismatched-host is better for users than an unreachable host. > > > > - -chris > > The other solution is to front the Tomcat systems with an Apache HTTPD > server and use named virtual hosts in SSL. Apparently the configuration > checking routine throws a warning on startup, but the actual > configuration works (on Apache HTTPD 2.2, I've not tried 2.4). > > . . . . just my two cents. > /mde/ > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org >
