Posted to dev@tomcat.apache.org by bu...@apache.org on 2016/03/24 17:14:37 UTC

[Bug 59233] New: support unlimited SSL certificates stored in database or file system without server restart

https://bz.apache.org/bugzilla/show_bug.cgi?id=59233

            Bug ID: 59233
           Summary: support unlimited SSL certificates stored in database
                    or file system without server restart
           Product: Tomcat 9
           Version: 9.0.0.M4
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: javaone9@gmail.com

For a web application that allows users to create business websites and bind
their own domains, all the domains will be mapped to the same IP address, and
one port is used for all. For example,

       https://mydomain1.com
       https://mydomain2.com
       https://mydomain3.com

The number of domains is unlimited.

Each user should be able to upload an SSL certificate for his/her own domain,
and the certificate can be stored in a database or file system. Many users are
using the web application at the time, and thus a server restart is not
acceptable.

Tomcat9 can provide an SSL provider interface like: getCertificate(domain). How
to get the certificate is up to the provider implementation. SSL should be
configured dynamically at runtime without a server restart.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org



--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Tomcat doesn't want to get into the details of where the meta-data is stored.

It is already possible to add virtual hosts dynamically. What isn't currently
possible is adding an SSLHostConfig to an Endpoint. That doesn't look too
tricky. I'll take a look.




--- Comment #3 from javaone9@gmail.com ---
From the following example in the Tomcat9 migration guide:

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           SSLEnabled="true"
           defaultSSLHostConfigName="openoffice.apache.org" >
    <SSLHostConfig hostName="openoffice.apache.org" >
        <Certificate certificateKeyFile="conf/openoffice.apache.org-rsa-key.pem"
                     certificateFile="conf/openoffice.apache.org-rsa-cert.pem"
                     type="RSA" />
        <Certificate certificateKeyFile="conf/openoffice.apache.org-ec-key.pem"
                     certificateFile="conf/openoffice.apache.org-ec-cert.pem"
                     type="EC" />
    </SSLHostConfig>
    <SSLHostConfig hostName="www.openoffice.org" >
        <Certificate certificateKeyFile="conf/www.openoffice.org-rsa-key.pem"
                     certificateFile="conf/www.openoffice.org-rsa-cert.pem"
                     type="RSA" />
        <Certificate certificateKeyFile="conf/www.openoffice.org-ec-key.pem"
                     certificateFile="conf/www.openoffice.org-ec-cert.pem"
                     type="EC" />
    </SSLHostConfig>
</Connector>

Does it require a server restart after adding a new domain and its certificate?
Can it be scaled to thousands of domains? The use case is that a web app
allows users (thousands or millions) to bind their own domains and upload SSL
certificates. Can Tomcat9 handle the use case? Thanks.




Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #2 from Mark Thomas <ma...@apache.org> ---
Adding TLS virtual hosts (or in implementation terms SSLHostConfigs to an
Endpoint) dynamically will be supported in 9.0.0.M9 and 8.5.4 onwards.

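A registration routine for the per-tenant certificate use case in this thread, as an added example (not code from the bug report, the reporter, or Tomcat's own sources): it uses Tomcat's embedded Connector.addSslHostConfig API, the dynamic SSLHostConfig support Comment #2 says arrives in 8.5.4 / 9.0.0.M9, to add one TLS virtual host per tenant domain on the running endpoint, which then serves it by SNI. The TenantTlsRegistrar class, the PEM file-naming scheme under a server-controlled directory and the host-name validation are assumptions.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;

/** Registers a tenant's uploaded certificate as a new TLS virtual host without a restart. */
public final class TenantTlsRegistrar {

    private final Connector connector;   // the running HTTPS connector (SSLEnabled="true")
    private final Path certStore;        // server-controlled directory the upload handler wrote to

    public TenantTlsRegistrar(Connector connector, Path certStore) {
        this.connector = connector;
        this.certStore = certStore;
    }

    /** Adds an SSLHostConfig for hostName (assumed file layout: <host>-<type>-key.pem / -cert.pem). */
    public void register(String hostName, Type type) {
        // Accept only a plain DNS name: it becomes the SNI lookup key and part of a file name,
        // so reject anything that could escape certStore or collide with another tenant.
        if (!hostName.matches("[a-z0-9][a-z0-9.-]{0,252}") || hostName.contains("..")) {
            throw new IllegalArgumentException("invalid host name: " + hostName);
        }
        String suffix = "-" + type.name().toLowerCase();
        Path key = certStore.resolve(hostName + suffix + "-key.pem");
        Path cert = certStore.resolve(hostName + suffix + "-cert.pem");
        if (!Files.isRegularFile(key) || !Files.isRegularFile(cert)) {
            throw new IllegalStateException("certificate material missing for " + hostName);
        }
        // Host names must be unique per endpoint; refuse to silently take over an existing tenant.
        for (SSLHostConfig existing : connector.findSslHostConfigs()) {
            if (hostName.equalsIgnoreCase(existing.getHostName())) {
                throw new IllegalStateException("TLS host already registered: " + hostName);
            }
        }
        SSLHostConfig hostConfig = new SSLHostConfig();
        hostConfig.setHostName(hostName);
        SSLHostConfigCertificate certificate = new SSLHostConfigCertificate(hostConfig, type);
        certificate.setCertificateKeyFile(key.toString());
        certificate.setCertificateFile(cert.toString());
        hostConfig.addCertificate(certificate);
        // On an already-running endpoint Tomcat initialises the SSLContext for the new host
        // config at this point, so unusable key material is rejected here, not at a handshake.
        connector.addSslHostConfig(hostConfig);
    }
}
```

The equivalent of the two-certificate SSLHostConfig in Comment #3 is two calls, register(host, Type.RSA) and register(host, Type.EC), with the duplicate check relaxed to allow adding a second certificate type to the same host.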