tomcat-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 57108] Implement multiple sslcontext SNI (server name indication) dispatch
Date Mon, 23 Mar 2015 19:54:44 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=57108

--- Comment #10 from Unlogic <unlogic@unlogic.se> ---
Well, this is a bit tricky because there are two sides to this coin.

In some cases you have wildcard certificates or subject alternative name
certificates that cover lots of domains. In those cases the current connector-based
approach works fine.

But if you turn things around and have, let's say, 50 domains, all with their own
host and certificate, and maybe even a few aliases for some hosts that in turn
also require separate certificates, then the host-based approach would
make things simpler since you can put everything inside the hosts element.

A trade-off between the two solutions could be to define the keystores using a
separate element in the config, like when you define a connection pool, and then
make it possible for the connectors, hosts and aliases to refer back to
the defined keystores depending on the use case.

Here's an example:

   <Keystore
         name="firstKeystore"
         truststoreFile="..." (and other truststore attributes)
         keystoreFile="..." (and other keystore attributes)
         [other allowed configuration attributes]>

   <Keystore
         name="secondKeystore"
         truststoreFile="..." (and other truststore attributes)
         keystoreFile="..." (and other keystore attributes)
         [other allowed configuration attributes]>

   <Keystore 
         name="thirdKeystore"
         truststoreFile="..." (and other truststore attributes)
         keystoreFile="..." (and other keystore attributes)
         [other allowed configuration attributes]>

   <Connector ... /> (a generic https connector not bound to any particular keystore that instead looks up the keystore based on the host/alias)

   <Connector keystoreRef="firstKeystore" ... /> (a https connector bound to the specified keystore like current tomcat versions)

   <Host name="hostone.com"... /> (a host not bound to any particular keystore)

   <Host name="hosttwo.net" keystoreRef="secondKeystore" ... />

   <Host name="hostthree.net" keystoreRef="secondKeystore" ...>

       <Alias keystoreRef="thirdKeystore">foo.com</Alias>

       <Alias keystoreRef="firstKeystore">boo.com</Alias>

       <Alias>moo.com</Alias>

   </Host>

I hope that my example makes sense. It would make the keystore/certificate
configuration a bit more flexible and support "both sides of the coin".
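The lookup order that the sketch above implies, worked through as an added example; this is not code from the bug report or from Tomcat. It assumes the proposed `<Keystore>` element, the `keystoreRef` attribute on `<Connector>`, `<Host>` and `<Alias>`, constructed file paths and ports, and that a handshake with no SNI name (or a name matching no host or alias) is routed to the Engine's `defaultHost`, which the proposal does not spell out. A bound connector wins outright, otherwise an alias's own `keystoreRef`, then the enclosing host's.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml-style fragment that follows the shape proposed in the
# comment. <Keystore>, keystoreRef, and keystoreRef on <Alias> are the proposal's
# vocabulary, not Tomcat's; the file paths and ports are made-up sample values.
SAMPLE_CONFIG = """
<Server>
  <Keystore name="firstKeystore"  keystoreFile="/etc/pki/first.jks"  keystorePass="changeit"/>
  <Keystore name="secondKeystore" keystoreFile="/etc/pki/second.jks" keystorePass="changeit"/>
  <Keystore name="thirdKeystore"  keystoreFile="/etc/pki/third.jks"  keystorePass="changeit"/>
  <Service>
    <Connector port="8443"/>                              <!-- generic: pick keystore by SNI name -->
    <Connector port="9443" keystoreRef="firstKeystore"/>  <!-- bound: one keystore, as today -->
    <Engine defaultHost="hosttwo.net">
      <Host name="hostone.com"/>
      <Host name="hosttwo.net" keystoreRef="secondKeystore"/>
      <Host name="hostthree.net" keystoreRef="secondKeystore">
        <Alias keystoreRef="thirdKeystore">foo.com</Alias>
        <Alias keystoreRef="firstKeystore">boo.com</Alias>
        <Alias>moo.com</Alias>
      </Host>
    </Engine>
  </Service>
</Server>
"""


class KeystoreDispatch:
    """Startup-time model of the proposed config plus the per-handshake lookup.

    Precedence, most specific first: a bound Connector wins outright (it never
    consults SNI, matching current Tomcat behaviour); otherwise an Alias with
    its own keystoreRef, then the enclosing Host's keystoreRef, else nothing.
    """

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text.strip())
        self.keystores = {k.get("name"): dict(k.attrib) for k in root.iter("Keystore")}
        self.connectors = {}   # port -> keystoreRef or None
        self.hosts = {}        # host name -> keystoreRef or None
        self.aliases = {}      # alias name -> (host name, alias keystoreRef or None)
        for c in root.iter("Connector"):
            self.connectors[int(c.get("port"))] = self._checked_ref(c)
        for h in root.iter("Host"):
            host = h.get("name").lower()
            self.hosts[host] = self._checked_ref(h)
            for a in h.findall("Alias"):
                self.aliases[a.text.strip().lower()] = (host, self._checked_ref(a))
        # Assumption: a handshake with no SNI name, or a name matching nothing,
        # goes to the Engine's defaultHost, as Tomcat already does for HTTP.
        self.default_host = root.find(".//Engine").get("defaultHost").lower()
        if self.default_host not in self.hosts:
            raise ValueError(f"defaultHost {self.default_host!r} is not a defined Host")

    def _checked_ref(self, element):
        """Reject a dangling keystoreRef at startup rather than at handshake time."""
        ref = element.get("keystoreRef")
        if ref is not None and ref not in self.keystores:
            raise ValueError(f"<{element.tag}> refers to undefined keystore {ref!r}")
        return ref

    def resolve(self, port, server_name):
        """Return (keystore name or None, which element decided it)."""
        connector_ref = self.connectors[port]
        if connector_ref is not None:
            return connector_ref, "connector"
        name = (server_name or self.default_host).lower()
        if name in self.aliases:
            host, alias_ref = self.aliases[name]
            if alias_ref is not None:
                return alias_ref, "alias"
        elif name in self.hosts:
            host = name
        else:
            host = self.default_host
        host_ref = self.hosts[host]
        if host_ref is not None:
            return host_ref, "host"
        return None, "unresolved"   # generic connector, host without a keystore


def is_consistent(xml_text):
    """True when every keystoreRef and the defaultHost point at a defined element."""
    try:
        KeystoreDispatch(xml_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    dispatch = KeystoreDispatch(SAMPLE_CONFIG)
    for port, sni in [(9443, "foo.com"), (8443, "foo.com"), (8443, "moo.com"),
                      (8443, "hostone.com"), (8443, None), (8443, "nothere.org")]:
        print(port, sni, "->", dispatch.resolve(port, sni))
```

The startup check rejects a dangling `keystoreRef` before any connector opens, which is where a misconfiguration of this kind should surface rather than as a failed handshake on a single name. `hostone.com` shows the gap the sketch leaves open: a host on the generic connector with no keystore of its own resolves to nothing, so an implementation would have to either refuse such a config at startup or define a fallback keystore for the connector.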

