On 15/10/2011 21:26, Mark Eggers wrote:
> I potentially have the need to support multiple virtual hosts with SSL
> on a single IP address / port combination.
> 
> This is called named virtual hosts on Apache HTTPD, and virtual hosts
> with a single connector on Tomcat.
> 
> With a late version of Apache HTTPD / OpenSSL / mod_ssl, I can
> accomplish this using SNI ( server name indication - RFC 4366). IE (7
> and 8) will fail on Windows/XP, but all other reasonable browser / OS
> combinations are reported to work. I can then tie these named virtual
> hosts to the appropriate Tomcat virtual hosts via mod_jk.

That is the way I would recommend right now.

> I'm also trying to do this natively on Tomcat (either 6.0.33 or
> 7.0.22). Unfortunately this doesn't look to be easily possible.
> 
> Based on the brief discussions on the mailing list and some other
> reading, I've come up with the following possible solutions.
> 
> 1. Use the APR connector for SSL
> 
> This will get me the OpenSSL support for SNI. Unfortunately there
> doesn't seem to be a way to enter more than one certificate file.

Correct. There is no code in the APR/native connector to handle this. It
should be possible to implement but it isn't there yet.

> 2. Use Java 7
> 
> Java 7 has support for SNI.

Only on the client side, not the server side so this is not an option.

> 3. Use wildcard certificates
> 
> If I restrict the virtual hosts on a physical host to a single domain
> or subdomain, I should be able to use *.some.domain.com as a way of
> providing a certificate.

Yep, that should work.

> The easiest (and most generally usable) mechanisms still seem to be
> the standard unique address/port combination or a wildcard
> certificate.
> 
> Have I missed (or misunderstood) the current state of SSL affairs?

They are a little worse than you thought.

> Are
> there other practical solutions for running Tomcat virtual hosts with
> SSL?

Not that I can think of.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
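Added note, not part of the thread above: the practical question behind option 3 (one wildcard certificate on a single SSL connector) is which Tomcat <Host> names that certificate will actually satisfy in a browser. A wildcard label covers exactly one DNS label, so *.some.domain.com matches www.some.domain.com but neither some.domain.com itself nor dev.www.some.domain.com. The script below is an added illustration, not code from Tomcat, httpd or the poster; it implements the RFC 6125 matching rules and reports which of a constructed list of virtual-host names a constructed list of certificate dNSNames covers.

```python
"""Which virtual hosts does a wildcard certificate actually cover?

Added example (not from the mailing-list post). Implements the RFC 6125
wildcard rules as browsers apply them, so you can check before deploying one
certificate on a single SSL connector which Host names it will satisfy.
Every hostname and certificate name below is constructed for illustration.
"""


def _labels(name):
    # DNS names are case-insensitive; a trailing dot only marks an absolute name
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, hostname):
    """True if certificate dNSName `pattern` matches `hostname`.

    Rules (RFC 6125 section 6.4.3):
      * a wildcard may appear only as the entire leftmost label ("*.example.com");
      * it matches exactly one label, never zero and never several;
      * a wildcard in a pattern with fewer than three labels ("*.com") is refused.
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h  # plain name: exact, case-insensitive comparison
    if p[0] != "*" or any("*" in lab for lab in p[1:]) or len(p) < 3:
        return False  # partial ("w*.") or non-leftmost wildcard: refuse to match
    if len(h) != len(p):
        return False  # one label only, so the apex and deeper subdomains fail
    return h[0] != "" and h[1:] == p[1:]


def coverage(cert_names, vhosts):
    """Map each virtual host to the first certificate name covering it, or None."""
    return {v: next((n for n in cert_names if name_matches(n, v)), None)
            for v in vhosts}


def uncovered(cert_names, vhosts):
    """Virtual hosts that would produce a certificate-name mismatch in a browser."""
    return [v for v, n in coverage(cert_names, vhosts).items() if n is None]


# Constructed sample: SAN dNSNames of one certificate, and the Host names that a
# single SSL connector is expected to serve.
CERT_NAMES = ["*.some.domain.com", "some.domain.com"]
VHOSTS = [
    "www.some.domain.com",
    "mail.some.domain.com",
    "some.domain.com",
    "dev.www.some.domain.com",  # two labels below the wildcard: not covered
    "other.domain.com",         # different parent domain: not covered
]

if __name__ == "__main__":
    for vhost, name in coverage(CERT_NAMES, VHOSTS).items():
        print(f"{vhost:28s} -> {name or 'NOT COVERED'}")
```

Note that the apex name (some.domain.com) is covered only because the certificate carries it as a separate SAN entry; a certificate containing nothing but the wildcard would leave it uncovered, which is the usual surprise when consolidating hosts behind one connector.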