Mark, Thanks for the weekend reply.
Too bad SNI in Java 7 is only client side for the time being. So it looks like:

1. Wildcard certs and restrict server architecture
2. Apache mod_ssl SNI / mod_jk and restrict clients (may not be possible)
3. Traditional one cert per IP-based virtual host on Apache HTTPD and chew up IP address space.

. . . . just my two cents.

/mde/

( a new record in short messages from me ;-) )

----- Original Message -----
> From: Mark Thomas <ma...@apache.org>
> To: Tomcat Users List <users@tomcat.apache.org>
> Cc:
> Sent: Saturday, October 15, 2011 1:32 PM
> Subject: Re: Virtual Hosts, SSL, Tomcat
>
> On 15/10/2011 21:26, Mark Eggers wrote:
>> I potentially have the need to support multiple virtual hosts with SSL
>> on a single IP address / port combination.
>>
>> This is called named virtual hosts on Apache HTTPD, and virtual hosts
>> with a single connector on Tomcat.
>>
>> With a late version of Apache HTTPD / OpenSSL / mod_ssl, I can
>> accomplish this using SNI (server name indication - RFC 4366). IE (7
>> and 8) will fail on Windows/XP, but all other reasonable browser / OS
>> combinations are reported to work. I can then tie these named virtual
>> hosts to the appropriate Tomcat virtual hosts via mod_jk.
>
> That is the way I would recommend right now.
>
>> I'm also trying to do this natively on Tomcat (either 6.0.33 or
>> 7.0.22). Unfortunately this doesn't look to be easily possible.
>>
>> Based on the brief discussions on the mailing list and some other
>> reading, I've come up with the following possible solutions.
>>
>> 1. Use the APR connector for SSL
>>
>> This will get me the OpenSSL support for SNI. Unfortunately there
>> doesn't seem to be a way to enter more than one certificate file.
>
> Correct. There is no code in the APR/native connector to handle this. It
> should be possible to implement but it isn't there yet.
>
>> 2. Use Java 7
>>
>> Java 7 has support for SNI.
>
> Only on the client side, not the server side so this is not an option.
>
>> 3. Use wildcard certificates
>>
>> If I restrict the virtual hosts on a physical host to a single domain
>> or subdomain, I should be able to use *.some.domain.com as a way of
>> providing a certificate.
>
> Yep, that should work.
>
>> The easiest (and most generally usable) mechanisms still seem to be
>> the standard unique address/port combination or a wildcard
>> certificate.
>>
>> Have I missed (or misunderstood) the current state of SSL affairs?
>
> They are a little worse than you thought.
>
>> Are there other practical solutions for running Tomcat virtual hosts with
>> SSL?
>
> Not that I can think of.
>
> Mark
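The setup Mark recommends in the quoted reply (SNI name-based SSL virtual hosts on Apache HTTPD with mod_ssl, each mapped to a Tomcat virtual host over mod_jk), written out as an added example. This is not configuration from the thread or from either project's documentation; the host names shop.example.com and blog.example.com, the certificate paths, the worker name, the AJP port and the Tomcat appBase directories are all assumptions. It assumes HTTPD 2.2.12 or later built against an OpenSSL with TLS extension support, which is what mod_ssl needs for server-side SNI.

```apache
# --- httpd.conf ---
# Added example; host names, paths, ports and worker names are assumptions.
Listen 443

# HTTPD 2.2 needs this to enable name-based vhosts on the SSL port;
# HTTPD 2.4 no longer uses the directive.
NameVirtualHost *:443

# Option 2 from the reply above ("restrict clients"): with this "on", a
# client that sends no SNI (the thread names IE 7/8 on Windows XP) still
# completes the handshake against the default vhost's certificate but its
# request is answered with 403 instead of being served under the wrong name.
# Set it to "off" if such clients must be allowed to reach the default vhost.
SSLStrictSNIVHostCheck on

# The first vhost listed for *:443 is the default. It is the one whose
# certificate a non-SNI client is shown, so put the least surprising site here.
<VirtualHost *:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key
    # Hand everything to Tomcat; Tomcat selects its own <Host> by the
    # Host header that mod_jk forwards with the request.
    JkMount /* tomcat
</VirtualHost>

<VirtualHost *:443>
    ServerName blog.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/blog.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/blog.example.com.key
    JkMount /* tomcat
</VirtualHost>

# --- workers.properties (mod_jk) ---
# A single AJP worker is enough when both sites live in one Tomcat instance;
# the per-site split happens in Tomcat's <Host> elements, not here.
worker.list=tomcat
worker.tomcat.type=ajp13
worker.tomcat.host=127.0.0.1
worker.tomcat.port=8009

# --- Tomcat server.xml, the matching fragment (shown here as a comment) ---
#   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
#   <Engine name="Catalina" defaultHost="shop.example.com">
#     <Host name="shop.example.com" appBase="shop_webapps" unpackWARs="true" autoDeploy="true" />
#     <Host name="blog.example.com" appBase="blog_webapps" unpackWARs="true" autoDeploy="true" />
#   </Engine>
# Binding the AJP connector to 127.0.0.1 keeps it reachable only from the
# local HTTPD, since AJP carries no transport security of its own.
```

To check that SNI is actually being honoured, connect with an SNI-capable OpenSSL client once with `openssl s_client -connect <ip>:443 -servername blog.example.com` and once with `-servername shop.example.com`; the `subject=` line printed for the server certificate should change with the name. Connecting without `-servername` shows which certificate non-SNI clients will receive (the first vhost's), which is the case the `SSLStrictSNIVHostCheck` setting above decides how to handle. If certificate names differ per site, a browser warning on one name but not the other almost always means the client did not send SNI or the vhosts are ordered differently than intended.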