On Wed, Apr 07, 2004 at 02:39:27PM -0700, Jochen Schaefer wrote:
> I want to establish an SSL connection between two Tomcat web servers where
> both have the possibility to access each other. One has a static IP, the
> other one a dynamic IP.
How about using a wildcard cert for the dynamic IP guy? Something like this:

1. Create a cert CN = "*.dyn.my.dom" for the server using the dynamic IP.

2. Set up DNS such that all dynamic IPs that can possibly be used by the server PTR to your_server.dyn.my.dom.

3. Set up that SSL server to identify itself as your_server.dyn.my.dom, so that it satisfies the wildcard CN.

Modern browsers accept wildcard CN certs. You may have to configure/hack your static IP Tomcat server to do the same.

BTW, I believe this technique works for multiple servers on dynamic IPs. Each server can have a different keypair. Unless the peer's SSL library enforces a 1-1 mapping between a CN (including a wildcard one) and the keypair, so that if it sees the wildcard CN with a particular keypair it will reject other keypairs with the same wildcard CN. I wonder if OpenSSL does this. The 1-1 mapping I mean.

Cheers.

-- 
Ng Pheng Siong <[EMAIL PROTECTED]> http://firewall.rulemaker.net -+- Firewall Change Management & Version Control
http://sandbox.rulemaker.net/ngps -+- Open Source Python Crypto & SSL
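The wildcard matching the post relies on is worth seeing spelled out. The following is an added example, not code from the mailing list thread or from OpenSSL or Tomcat; it implements the RFC 6125 name-matching rules in plain Python against a constructed certificate dictionary in the shape returned by `ssl.SSLSocket.getpeercert()` (the certificate contents, the `cert_names` and `match_hostname` helper names and the `allow_cn_fallback` switch are this example's own assumptions). Two points a defender should take from it: a client checks the presented names against the hostname it intended to reach (the URL or SNI name), not against the PTR record of the peer's IP, and the name check says nothing about which key pair is behind the name, so a wildcard name can legitimately be served by several different keys unless the client additionally pins keys. Modern verifiers also read names only from the subjectAltName extension and ignore the CN, which the `allow_cn_fallback=False` path reflects.

```python
"""Hostname matching for TLS certificate names (RFC 6125 section 6.4.3).

Assumed (constructed) inputs: certificate dicts shaped like the return
value of ssl.SSLSocket.getpeercert(). Nothing here talks to the network.
"""


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name pattern against a reference hostname.

    Rules: comparison is case-insensitive; a wildcard is only allowed as the
    entire leftmost label; it matches exactly one label (so "*.dyn.my.dom"
    matches "host.dyn.my.dom" but not "a.b.dyn.my.dom" or "dyn.my.dom");
    patterns such as "*.com" are rejected as too broad.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    if "*" not in pattern:
        return pat_labels == host_labels
    # Wildcard must be the whole leftmost label; no other label may contain "*".
    if pat_labels[0] != "*" or any("*" in lbl for lbl in pat_labels[1:]):
        return False
    # Require at least two fixed labels after the wildcard ("*.com" is refused).
    if len(pat_labels) < 3:
        return False
    # "*" stands for exactly one label, so label counts must agree.
    if len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def cert_names(cert: dict) -> tuple[list[str], bool]:
    """Return (names, from_san).

    Prefers subjectAltName dNSName entries. Falls back to the subject
    commonName only when the certificate carries no DNS SANs; this is the
    legacy behaviour the post relies on, which current browsers no longer do.
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san, True
    cn = [value for rdn in cert.get("subject", ())
          for key, value in rdn if key == "commonName"]
    return cn, False


def match_hostname(cert: dict, hostname: str, allow_cn_fallback: bool = True) -> bool:
    """True if any certificate name matches the hostname the client intended to reach."""
    names, from_san = cert_names(cert)
    if not from_san and not allow_cn_fallback:
        return False  # SAN-only policy: a CN-only cert is rejected outright
    return any(_dnsname_match(name, hostname) for name in names)


# Constructed sample certificates (shape of ssl.SSLSocket.getpeercert()).
WILDCARD_CERT = {
    "subject": ((("commonName", "*.dyn.my.dom"),),),
    "subjectAltName": (("DNS", "*.dyn.my.dom"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "*.dyn.my.dom"),),)}


if __name__ == "__main__":
    for host in ["your_server.dyn.my.dom", "Other.DYN.my.dom",
                 "a.b.dyn.my.dom", "dyn.my.dom", "evil.my.dom"]:
        print(f"{host:26} -> {match_hostname(WILDCARD_CERT, host)}")
    print("CN-only cert, SAN-only policy ->",
          match_hostname(CN_ONLY_CERT, "your_server.dyn.my.dom", allow_cn_fallback=False))
```

Running the block prints which of the constructed hostnames satisfy `*.dyn.my.dom`: the single-label cases match, while the two-level name, the bare domain and an unrelated sibling domain do not. Nothing in the check consults the server's key, which is why the 1-1 CN-to-keypair mapping the post wonders about is not part of standard hostname verification.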