tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: HTTPS and Virtual Hosts
Date Thu, 25 Sep 2008 08:45:37 GMT
Steffen Heil wrote:
> Hi
> Actually, most answers in this thread are more or less outdated.
> It IS possible to use one IP with multiple certificates, just not with
> tomcat to far.
> There IS (since June 2003, that is more than 5 years!) a TLS extension SNI
> (server name indication) that does the trick: It sends Information about the
> requested hostname to the server during ClientHello handshake.
> It IS supported by almost all browsers in their current versions.
> See:
>, Section 3.1

RFC3546 is a proposed standard. There are many standards in this state and
it can be hard to determine which are de facto standards (eg the cookie
ones) and which are still works in progress. Based on the limited support,
RFC3546 appears to be more of a work in progress.

Browser support is still limited. For example, all the references I could
find require IE7 on Vista, FF2, Opera 7.6+

The lack of support on IE < 7 and WinOS != Vista significantly reduces the
number of users that could use this. I am not sure how a browser that
doesn't support SNI would behave. I suspect it would have to be redirected
to some default (which would probably cause the browser to complain about
an invalid certificate).

> I hope this will find it's way into java/tomat soon.

Now support exists for this in OpenSSL it should be possible to add this to
the APR connector. I'm not sure what the take up would be given the browser
support picture but if someone wants to provide a proposed patch then I am
sure it would be looked at.

For the other Tomcat connectors, this needs to find its way into JSSE
first. At the moment, I don't see any sign of that.

Finally, with support for SNI in httpd, you could front Tomcat with httpd
to get this functionality.


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message