tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Johnny Kewl" <>
Subject Re: HTTPS and Virtual Hosts
Date Mon, 22 Sep 2008 12:11:27 GMT

----- Original Message ----- 
From: "Peter Crowther" <>
To: "'Tomcat Users List'" <>
Sent: Monday, September 22, 2008 12:19 PM
Subject: RE: HTTPS and Virtual Hosts

> From: Johnny Kewl []
> I actually cant see any
> reason why the hand shake couldnt be extended to look at the
> incoming URL...

Because the URL (or at least the host header) would have to be sent over the 
wire in cleartext, as it's before the encrypted connection is negotiated. 
This is an information disclosure vulnerability.

                - Peter

If it send the HOST info in step one.... and the server chose the correct 
cert.... I see no problem, the secure session hasnt even kicked in yet ;)

So what are they not allowing?
I think the only vulnerability is to the CA's biz model ;)
If not what is the vulnerability? Whatever cert is sent what oput there by 
the admin dudes, and will be checked client side anyway ;)

The most powerful application server on earth.
The only real POJO Application Server.
See it in Action :

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message