I potentially have the need to support multiple virtual hosts with SSL on a single IP address / port combination.
This is called named virtual hosts on Apache HTTPD, and virtual hosts with a single connector on Tomcat.

With a late version of Apache HTTPD / OpenSSL / mod_ssl, I can accomplish this using SNI (Server Name Indication, RFC 4366). IE (7 and 8) will fail on Windows/XP, but all other reasonable browser / OS combinations are reported to work. I can then tie these named virtual hosts to the appropriate Tomcat virtual hosts via mod_jk.

I'm also trying to do this natively on Tomcat (either 6.0.33 or 7.0.22). Unfortunately this doesn't look to be easily possible. Based on the brief discussions on the mailing list and some other reading, I've come up with the following possible solutions.

1. Use the APR connector for SSL

   This will get me the OpenSSL support for SNI. Unfortunately there doesn't seem to be a way to enter more than one certificate file.

2. Use Java 7

   Java 7 has support for SNI. I think I would have to do the following in order to be successful. Please correct me if I'm wrong.

   a. Build the appropriate Tomcat using the Java 7 JDK
   b. Replace Eclipse JDT with the Java 7 JDK
   c. Build web applications with the Java 7 JDK
   d. Run Tomcat under the Java 7 JRE
   e. Ensure that JSSE is being used
   f. Add multiple certificates to the keystore

3. Use wildcard certificates

   If I restrict the virtual hosts on a physical host to a single domain or subdomain, I should be able to use *.some.domain.com as a way of providing a certificate.

The easiest (and most generally usable) mechanisms still seem to be the standard unique address/port combination or a wildcard certificate.

Have I missed (or misunderstood) the current state of SSL affairs? Are there other practical solutions for running Tomcat virtual hosts with SSL?

Thanks in advance.

/mde/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
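The HTTPD-side arrangement the post describes (name-based SSL virtual hosts on one address/port selected by SNI, each forwarded to its own Tomcat Host through mod_jk) as an added configuration example; it is not from the original post or from the Tomcat project. The hostnames, certificate paths, worker names and the AJP port are assumptions. The ordering matters for security: mod_ssl hands the first listed VirtualHost's certificate to any client that does not send SNI (the IE-on-XP case mentioned above), so that client sees a name-mismatch warning rather than the certificate it expected unless SSLStrictSNIVHostCheck is used to refuse it outright.

```apache
# --- httpd.conf (added example, assumed names and paths) ---
Listen 443
# Required on 2.2 to enable name-based selection on this address/port.
NameVirtualHost *:443

LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log

# Optional hardening (mod_ssl 2.2.12+): reject clients that send no SNI
# instead of silently serving them the first vhost below.
# SSLStrictSNIVHostCheck on

<VirtualHost *:443>
    # First vhost = default vhost: clients without SNI always land here and
    # are shown www.example.com's certificate whatever name they typed.
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # Forward everything to Tomcat; the Host header travels over AJP and
    # Tomcat's Engine picks the <Host name="www.example.com"> to serve it.
    JkMount /* worker_www
</VirtualHost>

<VirtualHost *:443>
    # Selected only when the client's SNI extension names shop.example.com.
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key
    JkMount /* worker_shop
</VirtualHost>

# --- conf/workers.properties (added example) ---
# Both workers may point at the same AJP connector: Tomcat routes by the
# forwarded Host header to the matching <Host> under one <Engine>, so the
# Tomcat side needs one connector and several Host elements, no SSL at all.
# worker.list=worker_www,worker_shop
# worker.worker_www.type=ajp13
# worker.worker_www.host=localhost
# worker.worker_www.port=8009
# worker.worker_shop.type=ajp13
# worker.worker_shop.host=localhost
# worker.worker_shop.port=8009
```

To check which certificate a given name actually gets, connect with and without SNI and compare the subject: `openssl s_client -connect www.example.com:443 -servername shop.example.com` should show shop.example.com's certificate, while the same command without `-servername` shows the default (first) vhost's certificate; if both show the same subject, SNI is not being honoured on that build of HTTPD/OpenSSL.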