tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steffen Heil" <>
Subject Re: HTTPS and Virtual Hosts
Date Wed, 24 Sep 2008 23:02:40 GMT

Actually, most answers in this thread are more or less outdated.
It IS possible to use one IP with multiple certificates, just not with
tomcat to far.

There IS (since June 2003, that is more than 5 years!) a TLS extension SNI
(server name indication) that does the trick: It sends Information about the
requested hostname to the server during ClientHello handshake.
It IS supported by almost all browsers in their current versions.

See:, Section 3.1


I hope this will find it's way into java/tomat soon.


-----Urspr√ľngliche Nachricht-----
Von: Johnny Kewl [] 
Gesendet: Montag, 22. September 2008 15:02
An: Tomcat Users List
Betreff: Re: [OT] RE: HTTPS and Virtual Hosts

----- Original Message ----- 
From: "Peter Crowther" <>
To: "'Tomcat Users List'" <>
Sent: Monday, September 22, 2008 2:30 PM
Subject: [OT] RE: HTTPS and Virtual Hosts

[Marked OT as this is not even remotely about Tomcat]

> From: Johnny Kewl []

... OK...

> If it send the HOST info in step one....

... which it doesn't as far as I can see...

> and the server chose the correct
> cert.... I see no problem, the secure session hasnt even
> kicked in yet ;)

Yes, exactly.  So anything sent across the wire (such as the host header) is

subject to eavesdropping.

The URL, in particular, MUST NOT be sent in cleartext - consider a URL of 
the form *.  The

user would no doubt expect SSL to defend his/her access to that URL from 
eavesdropping :-).

The case for not sending the host header in cleartext is weaker, but still 
present.  Consider a blog site such as LiveJournal, for example.  It hosts a

range of content, separated onto one hostname per blog.  Some of that 
content is pretty explicit, and some people might get rather upset if they 
knew that *even though they thought they were on a secure channel* then 
others could eavesdrop on the mere fact that they were reading *that* 
content, rather than some other innocent content that happened to be on the 
same IP.  So I consider that the ID vul is still present, even via 
disclosure of just the host header.

> If not what is the vulnerability? Whatever cert is sent what
> oput there by
> the admin dudes, and will be checked client side anyway ;)

You're thinking about ID vuls from the side of the server admin.  Broaden 
your thinking - what might a *client* get upset about?

                - Peter

Ok... its off thread, but I disagree.... the secure session doesnt start out

secure... even a certificate is clear text, dont see the big deal... once 
you in a session, different story...
I guess this means you not going to help me with my new book ;)
    Curve Ball technology for biz sake... ha ha

The most powerful application server on earth.
The only real POJO Application Server.
See it in Action :

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message