Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/04/09 13:26:02 UTC

[Bug 57108] Implement multiple sslcontext SNI (server name indication) dispatch

https://bz.apache.org/bugzilla/show_bug.cgi?id=57108

--- Comment #12 from Mark Thomas <ma...@apache.org> ---
Keeping the config at the connector level is probably the way to go. There are
weird and wonderful configuration possibilities like one Connector on one
interface with one set of certs for internal users and another connector on
another interface with another set of certs for external users that share the
same hosts.

I think we should keep the TLS cert <-> host name mapping completely
independent from the Host <-> host name mapping. Most folks will have them
aligned but some will want to do something different. Using <Alias>...</Alias>
should allow some config copy/paste for those that want to.

SNI is mandatory for HTTP/2 so this has just jumped to the top of my TODO list.

I'm thinking along the lines of the configuration style in comment #7.

I've also been thinking about trying to merge the JSSE and OpenSSL
configuration attributes. I'm not sure if it will work but the idea is to
deprecate setting these on the connector and add a defaultTLSAlias="" element
to the Connector that references the cert to use if nothing else matches. If
the existing configuration attributes are used on the Connector then they are
mapped to a TLSAlias element with a pre-defined name (probably default or
something similar), along with a deprecated config warning.

I don't know how feasible this merging plan is but if it works, in addition to
simpler config, it should allow further simplification of the Http11*Protocol
implementations.
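The dispatch model discussed in this comment, as an added illustration that is not Tomcat's code or its configuration: a set of SSL contexts keyed by a TLS alias, a separate host name -> alias mapping, and a default alias that is used when the client sends no SNI name or the name matches nothing. It uses Python's `ssl.SSLContext.sni_callback` to swap the context during the handshake. The class name `SniDispatcher`, the alias names and the host names are assumptions made for the example; a real deployment would call `load_cert_chain` on each context.

```python
import ssl
from typing import Dict, Optional, Tuple


class SniDispatcher:
    """Constructed example: pick an SSLContext per SNI name, with a default.

    The alias -> context table and the host name -> alias table are kept
    separate, so the same certificate can serve several names and a name
    can be re-pointed without touching any other (Host-level) mapping.
    """

    def __init__(self, contexts_by_alias: Dict[str, ssl.SSLContext], default_alias: str):
        if default_alias not in contexts_by_alias:
            raise ValueError("default alias %r has no SSLContext" % default_alias)
        self._contexts = dict(contexts_by_alias)
        self._default_alias = default_alias
        self._exact: Dict[str, str] = {}     # "www.example.test" -> alias
        self._wildcard: Dict[str, str] = {}  # "example.test" -> alias (from "*.example.test")

    def map_host(self, host_name: str, alias: str) -> None:
        """Bind one host name (or a single-label wildcard) to a TLS alias."""
        if alias not in self._contexts:
            raise ValueError("unknown TLS alias %r" % alias)
        name = host_name.strip().lower().rstrip(".")
        if name.startswith("*."):
            self._wildcard[name[2:]] = alias
        else:
            self._exact[name] = alias

    def select(self, server_name: Optional[str]) -> Tuple[str, ssl.SSLContext]:
        """Resolve an SNI name to (alias, context). None means no SNI was sent."""
        if server_name:
            name = server_name.strip().lower().rstrip(".")
            alias = self._exact.get(name)
            if alias is None and "." in name:
                # A wildcard covers exactly one leading label (RFC 6125, 6.4.3).
                _, _, parent = name.partition(".")
                alias = self._wildcard.get(parent)
            if alias is not None:
                return alias, self._contexts[alias]
        # Nothing matched (or no SNI at all): fall back to the default alias.
        return self._default_alias, self._contexts[self._default_alias]

    def install(self, listener: ssl.SSLContext) -> ssl.SSLContext:
        """Attach the dispatcher to the context the listening socket uses."""
        def _on_sni(sslobj, server_name, _ctx):
            _, chosen = self.select(server_name)
            sslobj.context = chosen  # the handshake continues with this cert chain
            return None              # None tells OpenSSL to carry on
        listener.sni_callback = _on_sni
        return listener


def build_demo_dispatcher() -> SniDispatcher:
    """Constructed sample: three aliases, two host mappings, one default."""
    contexts = {alias: ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
                for alias in ("default", "internal", "external")}
    # In a real server each context gets its own chain, e.g.
    # contexts["internal"].load_cert_chain("internal.pem", "internal.key")
    dispatcher = SniDispatcher(contexts, default_alias="default")
    dispatcher.map_host("www.internal.example", "internal")
    dispatcher.map_host("*.external.example", "external")
    return dispatcher


def make_listener() -> ssl.SSLContext:
    """Listening context with SNI dispatch wired in (assumed helper name)."""
    return build_demo_dispatcher().install(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))


if __name__ == "__main__":
    d = build_demo_dispatcher()
    for sni in ("www.internal.example", "api.external.example", "a.b.external.example", None):
        print(sni, "->", d.select(sni)[0])
```

The lookup normalises case and a trailing dot, prefers an exact match over a wildcard, and limits a wildcard to one label, so `a.b.external.example` falls through to the default rather than silently being served the `external` chain.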
