Steffen Heil wrote:
> Hi
>
> Actually, most answers in this thread are more or less outdated.
> It IS possible to use one IP with multiple certificates, just not with
> tomcat so far.
>
> There IS (since June 2003, that is more than 5 years!) a TLS extension SNI
> (server name indication) that does the trick: It sends information about the
> requested hostname to the server during ClientHello handshake.
> It IS supported by almost all browsers in their current versions.
>
> See:
> http://www.ietf.org/rfc/rfc3546.txt, Section 3.1

RFC3546 is a proposed standard. There are many standards in this state and it
can be hard to determine which are de facto standards (e.g. the cookie ones) and
which are still works in progress. Based on the limited support, RFC3546
appears to be more of a work in progress.

Browser support is still limited. For example, all the references I could find
require IE7 on Vista, FF2, Opera 7.6+. The lack of support on IE < 7 and
WinOS != Vista significantly reduces the number of users that could use this.

I am not sure how a browser that doesn't support SNI would behave. I suspect it
would have to be redirected to some default (which would probably cause the
browser to complain about an invalid certificate).

> I hope this will find its way into java/tomcat soon.

Now that support exists for this in OpenSSL, it should be possible to add this
to the APR connector. I'm not sure what the take-up would be given the browser
support picture, but if someone wants to provide a proposed patch then I am sure
it would be looked at.

For the other Tomcat connectors, this needs to find its way into JSSE first. At
the moment, I don't see any sign of that.

Finally, with support for SNI in httpd, you could front Tomcat with httpd to
get this functionality.

Mark