Posted to users@tomcat.apache.org by Mark Eggers <it...@yahoo.com> on 2011/10/15 22:26:34 UTC

Virtual Hosts, SSL, Tomcat

I potentially have the need to support multiple virtual hosts with SSL
on a single IP address / port combination.

This is called named virtual hosts on Apache HTTPD, and virtual hosts
with a single connector on Tomcat.

With a late version of Apache HTTPD / OpenSSL / mod_ssl, I can
accomplish this using SNI (server name indication, RFC 4366). IE (7
and 8) will fail on Windows/XP, but all other reasonable browser / OS
combinations are reported to work. I can then tie these named virtual
hosts to the appropriate Tomcat virtual hosts via mod_jk.

I'm also trying to do this natively on Tomcat (either 6.0.33 or
7.0.22). Unfortunately this doesn't look to be easily possible.

Based on the brief discussions on the mailing list and some other
reading, I've come up with the following possible solutions.

1. Use the APR connector for SSL

This will get me the OpenSSL support for SNI. Unfortunately there
doesn't seem to be a way to enter more than one certificate file.

2. Use Java 7

Java 7 has support for SNI. I think I would have to do the following
in order to be successful. Please correct me if I'm wrong.

a. Build the appropriate Tomcat using Java 7 JDK
b. Replace Eclipse JDT with Java 7 JDK
c. Build web applications with Java 7 JDK
d. Run Tomcat under Java 7 JRE
e. Ensure that JSSE is being used
f. Add multiple certificates to the keystore

3. Use wildcard certificates

If I restrict the virtual hosts on a physical host to a single domain
or subdomain, I should be able to use *.some.domain.com as a way of
providing a certificate.

The easiest (and most generally usable) mechanisms still seem to be
the standard unique address/port combination or a wildcard
certificate.

Have I missed (or misunderstood) the current state of SSL affairs? Are
there other practical solutions for running Tomcat virtual hosts with
SSL?

Thanks in advance.

/mde/


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
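What the thread is circling around is a server-side capability: the server has to read the server_name the client sends in the TLS ClientHello before it picks a certificate, and a client that sends no SNI at all (the IE 7/8 on XP case above) can only ever be handed the connector's single default certificate. The wildcard workaround in option 3 also has a limit worth seeing concretely: a `*.some.domain.com` certificate covers exactly one label, so it does not cover `some.domain.com` itself or `b.a.some.domain.com`. The following is an added example, not code from this thread, from Tomcat or from Apache HTTPD. It builds a minimal ClientHello as constructed sample input, parses the SNI extension out of it, and selects a certificate from a hypothetical table using RFC 6125-style single-label wildcard matching. The host names and certificate identifiers in `CERTS` are made up for illustration.

```python
"""Added example: read the SNI server_name from a TLS ClientHello and choose a
certificate for it. The ClientHello builder exists only to produce sample input;
the certificate table is a constructed, hypothetical configuration."""
import struct
from typing import Optional, Tuple

# Constructed table: certificate name pattern -> identifier of the key/cert pair.
CERTS = {
    "www.example.com": "example-www",
    "*.apps.example.net": "example-apps-wildcard",
}
DEFAULT_CERT = "default"  # what a non-SNI client gets: the one cert the connector can offer


def build_client_hello(server_name: Optional[bytes]) -> bytes:
    """Minimal TLS 1.2 ClientHello record; server_name=None omits the extensions
    block entirely, which is what a pre-SNI client sends."""
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x11" * 32         # random (fixed bytes, sample only)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # one cipher suite
        + b"\x01\x00"          # one compression method: null
    )
    if server_name is not None:
        entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list  # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if the
    ClientHello carries no SNI (or is malformed). Every length is bounds-checked."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # compression_methods
    if len(body) < pos + 2:
        return None                                # no extensions block at all: non-SNI client
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0 or len(edata) < 2:
            continue
        list_end = 2 + struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= min(list_end, len(edata)):
            ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
            name = edata[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if ntype == 0 and len(name) == nlen:
                try:
                    return name.decode("ascii").rstrip(".").lower()
                except UnicodeDecodeError:
                    return None
    return None


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: '*' only as the entire left-most label, matching exactly one
    label, and never directly above a public suffix-like short name ('*.com')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
    if len(p_labels) < 2:
        return False
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def select_certificate(record: bytes, certs=CERTS, default=DEFAULT_CERT) -> Tuple[str, Optional[str]]:
    """Pick a cert for the ClientHello: exact names first, then wildcards, else the default."""
    sni = extract_sni(record)
    if sni is None:
        return default, None
    for pattern, cert in certs.items():
        if not pattern.startswith("*") and name_matches(pattern, sni):
            return cert, sni
    for pattern, cert in certs.items():
        if pattern.startswith("*") and name_matches(pattern, sni):
            return cert, sni
    return default, sni
```

Running `select_certificate(build_client_hello(b"api.apps.example.net"))` yields the wildcard cert, `build_client_hello(None)` (no extensions) falls through to the default, and `name_matches("*.apps.example.net", "apps.example.net")` is False, which is the bare-domain gap you have to plan around when consolidating virtual hosts behind one wildcard certificate.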


Re: Virtual Hosts, SSL, Tomcat

Posted by Mark Eggers <it...@yahoo.com>.
Mark,

Thanks for the weekend reply.

Too bad SNI in Java 7 is only client side for the time being.

So it looks like:

1. Wildcard certs and restrict server architecture
2. Apache mod_ssl SNI / mod_jk and restrict clients (may not be possible)
3. Traditional one cert per IP-based virtual host on Apache HTTPD and chew up IP address space.

. . . . just my two cents.
/mde/
(a new record in short messages from me ;-) )


----- Original Message -----
> From: Mark Thomas <ma...@apache.org>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Cc: 
> Sent: Saturday, October 15, 2011 1:32 PM
> Subject: Re: Virtual Hosts, SSL, Tomcat
> 
> On 15/10/2011 21:26, Mark Eggers wrote:
>>  I potentially have the need to support multiple virtual hosts with SSL
>>  on a single IP address / port combination.
>> 
>>  This is called named virtual hosts on Apache HTTPD, and virtual hosts
>>  with a single connector on Tomcat.
>> 
>>  With a late version of Apache HTTPD / OpenSSL / mod_ssl, I can
>>  accomplish this using SNI (server name indication, RFC 4366). IE (7
>>  and 8) will fail on Windows/XP, but all other reasonable browser / OS
>>  combinations are reported to work. I can then tie these named virtual
>>  hosts to the appropriate Tomcat virtual hosts via mod_jk.
> 
> That is the way I would recommend right now.
> 
>>  I'm also trying to do this natively on Tomcat (either 6.0.33 or
>>  7.0.22). Unfortunately this doesn't look to be easily possible.
>> 
>>  Based on the brief discussions on the mailing list and some other
>>  reading, I've come up with the following possible solutions.
>> 
>>  1. Use the APR connector for SSL
>> 
>>  This will get me the OpenSSL support for SNI. Unfortunately there
>>  doesn't seem to be a way to enter more than one certificate file.
> 
> Correct. There is no code in the APR/native connector to handle this. It
> should be possible to implement but it isn't there yet.
> 
>>  2. Use Java 7
>> 
>>  Java 7 has support for SNI.
> 
> Only on the client side, not the server side so this is not an option.
> 
>>  3. Use wildcard certificates
>> 
>>  If I restrict the virtual hosts on a physical host to a single domain
>>  or subdomain, I should be able to use *.some.domain.com as a way of
>>  providing a certificate.
> 
> Yep, that should work.
> 
>>  The easiest (and most generally usable) mechanisms still seem to be
>>  the standard unique address/port combination or a wildcard
>>  certificate.
>> 
>>  Have I missed (or misunderstood) the current state of SSL affairs?
> 
> They are a little worse than you thought.
> 
>>  Are
>>  there other practical solutions for running Tomcat virtual hosts with
>>  SSL?
> 
> Not that I can think of.
> 
> Mark



Re: Virtual Hosts, SSL, Tomcat

Posted by Mark Thomas <ma...@apache.org>.
On 15/10/2011 21:26, Mark Eggers wrote:
> I potentially have the need to support multiple virtual hosts with SSL
> on a single IP address / port combination.
> 
> This is called named virtual hosts on Apache HTTPD, and virtual hosts
> with a single connector on Tomcat.
> 
> With a late version of Apache HTTPD / OpenSSL / mod_ssl, I can
> accomplish this using SNI (server name indication, RFC 4366). IE (7
> and 8) will fail on Windows/XP, but all other reasonable browser / OS
> combinations are reported to work. I can then tie these named virtual
> hosts to the appropriate Tomcat virtual hosts via mod_jk.

That is the way I would recommend right now.

> I'm also trying to do this natively on Tomcat (either 6.0.33 or
> 7.0.22). Unfortunately this doesn't look to be easily possible.
> 
> Based on the brief discussions on the mailing list and some other
> reading, I've come up with the following possible solutions.
> 
> 1. Use the APR connector for SSL
> 
> This will get me the OpenSSL support for SNI. Unfortunately there
> doesn't seem to be a way to enter more than one certificate file.

Correct. There is no code in the APR/native connector to handle this. It
should be possible to implement but it isn't there yet.

> 2. Use Java 7
> 
> Java 7 has support for SNI.

Only on the client side, not the server side so this is not an option.

> 3. Use wildcard certificates
> 
> If I restrict the virtual hosts on a physical host to a single domain
> or subdomain, I should be able to use *.some.domain.com as a way of
> providing a certificate.

Yep, that should work.

> The easiest (and most generally usable) mechanisms still seem to be
> the standard unique address/port combination or a wildcard
> certificate.
> 
> Have I missed (or misunderstood) the current state of SSL affairs?

They are a little worse than you thought.

> Are
> there other practical solutions for running Tomcat virtual hosts with
> SSL?

Not that I can think of.

Mark
