From: "Steffen Heil"
To: "'Tomcat Users List'"
Delivered-To: mailing list users@tomcat.apache.org
Subject: Re: HTTPS and Virtual Hosts
Date: Thu, 25 Sep 2008 01:02:40 +0200
Message-ID: <00ac01c91e99$a62aeb70$f280c250$@de>
In-Reply-To: <009801c91cb3$71a740c0$0300000a@animal>
References: <48D75DF1.8010705@ice-sa.com> <000201c91c9c$6939ee90$0300000a@animal> <6715CF65287F8F408DA109EC03AC6C0D07E72896E4@puma.melandra.net> <004701c91cac$775dfa10$0300000a@animal> <6715CF65287F8F408DA109EC03AC6C0D07E72896EC@puma.melandra.net> <009801c91cb3$71a740c0$0300000a@animal>
Hi

Actually, most answers in this thread are more or less outdated.

It IS possible to use one IP with multiple certificates, just not with tomcat so far.

There IS (since June 2003, that is more than 5 years!) a TLS extension SNI (server name indication) that does the trick: it sends information about the requested hostname to the server during the ClientHello handshake. It IS supported by almost all browsers in their current versions.

See: http://www.ietf.org/rfc/rfc3546.txt, Section 3.1
See: http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/

I hope this will find its way into java/tomcat soon.

Regards,
Steffen

-----Original Message-----
From: Johnny Kewl [mailto:john@kewlstuff.co.za]
Sent: Monday, 22 September 2008 15:02
To: Tomcat Users List
Subject: Re: [OT] RE: HTTPS and Virtual Hosts

----- Original Message -----
From: "Peter Crowther"
To: "'Tomcat Users List'"
Sent: Monday, September 22, 2008 2:30 PM
Subject: [OT] RE: HTTPS and Virtual Hosts

[Marked OT as this is not even remotely about Tomcat]

> From: Johnny Kewl [mailto:john@kewlstuff.co.za]
> http://support.microsoft.com/kb/257591

... OK...

> If it sends the HOST info in step one....

... which it doesn't as far as I can see...

> and the server chose the correct
> cert.... I see no problem, the secure session hasn't even
> kicked in yet ;)

Yes, exactly. So anything sent across the wire (such as the host header) is subject to eavesdropping.

The URL, in particular, MUST NOT be sent in cleartext - consider a URL of the form https://www.innocentsite.com/myphotos/notsoinnocent/llamapr0n372.jpg *. The user would no doubt expect SSL to defend his/her access to that URL from eavesdropping :-).

The case for not sending the host header in cleartext is weaker, but still present. Consider a blog site such as LiveJournal, for example. It hosts a range of content, separated onto one hostname per blog. Some of that content is pretty explicit, and some people might get rather upset if they knew that *even though they thought they were on a secure channel* others could eavesdrop on the mere fact that they were reading *that* content, rather than some other innocent content that happened to be on the same IP. So I consider that the ID vul is still present, even via disclosure of just the host header.

> If not, what is the vulnerability? Whatever cert is sent was put there by
> the admin dudes, and will be checked client side anyway ;)

You're thinking about ID vuls from the side of the server admin. Broaden your thinking - what might a *client* get upset about?

- Peter

Ok... it's off thread, but I disagree.... the secure session doesn't start out secure... even a certificate is clear text, don't see the big deal... once you're in a session, different story...

I guess this means you're not going to help me with my new book ;)
Curve Ball technology for biz sake... ha ha

---------------------------------------------------------------------------
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---------------------------------------------------------------------------

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
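Steffen's point that the hostname travels inside the ClientHello, and Peter's point that anything sent before the session is established is readable by anyone on the path, can both be seen directly in the bytes. The following Python is an added example, not part of the original thread and not Tomcat or JSSE code: it builds a minimal TLS 1.0 ClientHello record carrying the server_name extension from RFC 3546 section 3.1 and reads the name back out of the unencrypted record, as a passive observer would. The hostname, cipher-suite list and zeroed client random are constructed for the example; passing no hostname mimics a pre-SNI client that sends no extensions block at all, which is the case where a server with several certificates on one IP has nothing to go on.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # server_name, RFC 3546 section 3.1
HOST_NAME = 0                 # NameType host_name


def build_sni_extension(hostname: str) -> bytes:
    """Encode the server_name extension: a ServerNameList with one host_name entry."""
    name = hostname.encode("ascii")
    server_name = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def build_client_hello(hostname=None) -> bytes:
    """Minimal TLS 1.0 ClientHello record (values constructed for this example).
    hostname=None mimics a pre-SNI client that sends no extensions block."""
    client_random = bytes(32)              # all zeros: acceptable for a parsing demo only
    session_id = b""
    cipher_suites = b"\x00\x2f\x00\x35"    # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA
    compression = b"\x00"                  # null compression
    body = (b"\x03\x01" + client_random                                    # client_version 3.1
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression)
    if hostname is not None:
        ext = build_sni_extension(hostname)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body              # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes):
    """Return the host_name carried in a ClientHello record, or None if there is none.
    Nothing is decrypted here: the name sits in plain bytes before any key exchange."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                           # skip client_version + random
    pos += 1 + body[pos]                                   # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                                   # skip compression_methods
    if pos >= len(body):
        return None                                        # no extensions block: old client
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= list_end:                           # walk the ServerNameList
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == HOST_NAME:
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    hello = build_client_hello("blog.example.org")
    print(extract_sni(hello))                       # blog.example.org
    print(b"blog.example.org" in hello)             # True: the name is literally in the packet
    print(extract_sni(build_client_hello()))        # None: pre-SNI client, server must guess
```

The parser deliberately reads only the fields it has to skip, so the same function works on a captured ClientHello from a real client; the only assumption is a single handshake message per record, which is what browsers send. Note that this is exactly the visibility Peter describes: the hostname is recoverable without any key material, while the path portion of the URL is not, because the HTTP request is sent only after the handshake completes.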