SNI (Server Name Indication) supports in Tomcat (7.0.27)

[Reka Thirunavukkarasu <rt...@gmail.com>]

Hi

I'm having virtual hosts as named based virtual host in tomcat and
deploying webapps inside that virtual host. I want to provide secured
connection to access particular virtual hosts (not all) based on user
requirement. I went through the mailing list to get the idea. But
mostly, it was suggested to go for ip basis or using wild card to
support SSL in virtual host. FYI: we want to use only tomcat to
support such feature.

ip basis won't be much effective to us, since we plan to use one ip
for all the virtual host. Using wild card will degrade the performance
from user, since we ask the user to choose his own virtual host name
in our implementation.

Does there any solution exist to support SSL for named based virtual
host?  [1] suggested that tomcat is supporting SNI. But i couldn't
find any materials regarding that. Can you please provide any material
to got through to support SNI?

[1]. http://en.wikipedia.org/wiki/Server_Name_Indication#Support


Thanks,
Reka.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: SNI (Server Name Indication) supports in Tomcat (7.0.27)

[Reka Thirunavukkarasu <rt...@gmail.com>]

On Mon, Apr 30, 2012 at 9:12 PM, Mark Eggers <it...@yahoo.com> wrote:
> ----- Original Message -----
>
>> From: Reka Thirunavukkarasu <rt...@gmail.com>
>> To: Tomcat Users List <us...@tomcat.apache.org>
>> Cc:
>> Sent: Monday, April 30, 2012 4:19 AM
>> Subject: Re: SNI (Server Name Indication) supports in Tomcat (7.0.27)
>>
>>T hanks. I could see all the clarifications there.
>>
>> Reka
>>
>> On Mon, Apr 30, 2012 at 2:34 PM, Mark Thomas <ma...@apache.org> wrote:
>>>  On 30/04/2012 09:58, Reka Thirunavukkarasu wrote:
>>>>  Can you please provide any material
>>>>  to got through to support SNI?
>>>
>>>  http://tomcat.markmail.org/thread/q6d5czzlgih3r2ys
>>>
>>>  Mark
>
>
> Reka,
>
> Another wrinkle, but I've not tried this with Tomcat . . .
>
> You could look at a SAN cert. I'm currently using a SAN cert in Apache HTTPD with named virtual hosts and SSL. The configuration check complains, but that complaint is apparently a bug since the actual feature is supported.
>
> I don't know what the performance impact would be with many hosts. I also don't know how this would work since you let your users choose virtual host names. The SAN cert would have to be updated for each host name, which might also be an issue for you.

Since we are dynamically handling the hosts, SAN is again an issue.
The eventual approach is using wild card for the host names to
overcome the issues with other approaches. Since we are using java 6,
using SNI at the moment is not much stable for us.
>
> . . . . just my two cents.
> /mde/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

Reka.

-- 
Regards,
Reka
:)

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: SNI (Server Name Indication) supports in Tomcat (7.0.27)

[Mark Eggers <it...@yahoo.com>]

----- Original Message -----

> From: Reka Thirunavukkarasu <rt...@gmail.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Cc: 
> Sent: Monday, April 30, 2012 4:19 AM
> Subject: Re: SNI (Server Name Indication) supports in Tomcat (7.0.27)
> 
>T hanks. I could see all the clarifications there.
> 
> Reka
> 
> On Mon, Apr 30, 2012 at 2:34 PM, Mark Thomas <ma...@apache.org> wrote:
>>  On 30/04/2012 09:58, Reka Thirunavukkarasu wrote:
>>>  Can you please provide any material
>>>  to got through to support SNI?
>> 
>>  http://tomcat.markmail.org/thread/q6d5czzlgih3r2ys
>> 
>>  Mark


Reka,

Another wrinkle, but I've not tried this with Tomcat . . .

You could look at a SAN cert. I'm currently using a SAN cert in Apache HTTPD with named virtual hosts and SSL. The configuration check complains, but that complaint is apparently a bug since the actual feature is supported.

I don't know what the performance impact would be with many hosts. I also don't know how this would work since you let your users choose virtual host names. The SAN cert would have to be updated for each host name, which might also be an issue for you.

. . . . just my two cents.
/mde/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: SNI (Server Name Indication) supports in Tomcat (7.0.27)

[Reka Thirunavukkarasu <rt...@gmail.com>]

Thanks. I could see all the clarifications there.

Reka

On Mon, Apr 30, 2012 at 2:34 PM, Mark Thomas <ma...@apache.org> wrote:
> On 30/04/2012 09:58, Reka Thirunavukkarasu wrote:
>> Can you please provide any material
>> to got through to support SNI?
>
> http://tomcat.markmail.org/thread/q6d5czzlgih3r2ys
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>



-- 
Regards,
Reka
:)

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: SNI (Server Name Indication) supports in Tomcat (7.0.27)

[Mark Thomas <ma...@apache.org>]

On 30/04/2012 09:58, Reka Thirunavukkarasu wrote:
> Can you please provide any material
> to got through to support SNI?

http://tomcat.markmail.org/thread/q6d5czzlgih3r2ys

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org