Thank you Mark!

From: Mark Thomas <ma...@apache.org>
Sent: Monday, December 2, 2024 2:02 AM
To: users@tomcat.apache.org
Subject: Re: SSLHostConfig and <Host question

On 02/12/2024 05:24, Mcalexander, Jon J. wrote:

> Good evening all,
>
> Is there any relationship between the Connector and SSLHostConfig if you set
> the DefaultSSLHostConfigName in the connector and hostName in the
> SSLHostConfig, to the <Host name= within the <Engine section of the
> server.xml? Do these need to match if you are going to specify the names in
> the connector to the virtual host, or are the 2 groups unrelated?



If you have multiple <SSLHostConfig> elements then SNI will be used to
select the certificate presented.

If no SNI is provided by the client or the host indicated in SNI doesn't
match any <SSLHostConfig> then the default <SSLHostConfig> will be used.

If you have multiple <Host> elements then the HTTP Host header will be
used to match the request to the <Host>.

If no matching <Host> element is found for a given Host header then the
default <Host> will be used.

Generally, there is going to be a mapping but it needn't be one-to-one.
For example, you could have a wildcard SSL cert but individual <Host>
elements.

There isn't any requirement for the host name on the TLS certificate to
match the HTTP host header so, in theory, the host names could be
completely different between the two. Practically, that doesn't happen
very often as browsers expect them to be consistent.



Mark





>
> Thank you,
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander | Senior Infrastructure Engineer | Middleware/App Hosting |
> FHP | CTO | Wells Fargo Technology
> 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 | +1 515 988 2508 |
> jonmcalexan...@gmail.com


>

>
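
The two independent lookups described in the reply (SNI to `<SSLHostConfig>`, HTTP Host header to `<Host>`) can be seen side by side in a `server.xml` fragment. This is an added example, not configuration posted in the thread; the host names, keystore paths, passwords and `appBase` directories are placeholders chosen for illustration.

```xml
<!-- Added illustration, not from the thread. Host names, keystore paths,
     passwords and appBase directories are placeholders. -->
<Service name="Catalina">

  <!-- TLS layer: the SNI name sent by the client selects an SSLHostConfig. -->
  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true"
             defaultSSLHostConfigName="www.example.com">

    <!-- Default: used when SNI is absent or matches no other SSLHostConfig,
         because its hostName equals defaultSSLHostConfigName. -->
    <SSLHostConfig hostName="www.example.com">
      <Certificate certificateKeystoreFile="conf/www.example.com.p12"
                   certificateKeystoreType="PKCS12"
                   certificateKeystorePassword="CHANGE_ME"
                   type="RSA" />
    </SSLHostConfig>

    <!-- One wildcard certificate covering several virtual hosts. -->
    <SSLHostConfig hostName="*.apps.example.com">
      <Certificate certificateKeystoreFile="conf/wildcard.apps.example.com.p12"
                   certificateKeystoreType="PKCS12"
                   certificateKeystorePassword="CHANGE_ME"
                   type="RSA" />
    </SSLHostConfig>
  </Connector>

  <!-- HTTP layer: the Host header selects a <Host>, independently of
       whichever SSLHostConfig was chosen during the TLS handshake. -->
  <Engine name="Catalina" defaultHost="www.example.com">

    <!-- Default: used when the Host header matches no other <Host>. -->
    <Host name="www.example.com" appBase="webapps" />

    <!-- Individual virtual hosts, both presented with the single
         *.apps.example.com certificate: a many-to-one mapping. -->
    <Host name="billing.apps.example.com" appBase="webapps-billing" />
    <Host name="reports.apps.example.com" appBase="webapps-reports" />
  </Engine>
</Service>
```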




