tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ognjen Blagojevic <ogn...@etf.bg.ac.rs>
Subject Re: SSL Using IP Addresses
Date Fri, 14 Aug 2009 09:37:54 GMT
(IANA certificate expert)

It is not clear to me do you have control over Glassfish server or not.

If you do, just generate self-signed certificate for the Glassfish one 
more time, giving IP address instead of FQDN for CN.

If you don't, than you need to check does certifiate have altSubjectNames:

   openssl x509 -in my.crt -noout -text

Here is the example of certifcate that does have them:

----
Certificate:
         [snip]
         Subject: CN=test.eonis.net,
             [snip]
             X509v3 Subject Alternative Name:
                 DNS:test.eonis.net, DNS:test.eonis.org, DNS:*.co.uk
                 [snip]
----

Again, if there are alternative names in the sertificate, check if the 
IP address of the server is listed. But, according to your previous 
posts, I beleive it is not.

If there are not alternative names (host names or IP addresses), than if 
you can't use CN in your URL, your last resort is to try to force your 
client to use that certificate even though that is problematic from 
security standpoint.

Read this document for example how to do that:

 
http://www.contentroller.com/c/view/7236/no_subject_alternative_names_matching_ip_address_no_name_matching_found.html

Regards,
Ognjen



Jeff Sexton wrote:
> Hello -
> 
> We do not have permission to create a hosts file entry (that was my
> first idea).
> 
> We also do not need both IP address and host name to work at the same
> time, just the IP address.  Our problem seems to be that the Tomcat
> client wants to find a certificate by hostname, even when the URL
> requested is by IP address, and a certificate has been imported with
> an alias of that IP address.
> 
> I looked at the "a1as" certificate extracted from Glassfish and it
> does indeed have a host name in the CN field.  If this is when it can
> not be used to validate a call by IP address, then why does importing
> it with an alias of the IP address not work for us?
> 
> 
> Thank you, my understanding of this is still weak.
> 
> 
> On Thu, Aug 13, 2009 at 8:47 AM, Ognjen Blagojevic<ognjen@etf.bg.ac.rs> wrote:
>> Jeff Sexton wrote:
>>> We have a situation where we need to call a SOAP service in a
>>> Glassfish server via HTTPS from a servlet in Tomcat.  We extract a
>>> self-signed certificate from Glassfish and imported it on the Tomcat
>>> server.  It all works in situations where we can use the
>>> fully-qualified host name in the request and in the alias of the
>>> certificate when importing on the Tomcat server.
>>>
>>> But we need to operate in an environment with a name service.  When we
>>> try to use the IP address of the Glassfish server in the HTTPS call
>>> and in the certificate alias, the call fails with a "no subject
>>> alternate name" exception.
>>>
>>> In Glassfish to Glassfish calls, using the IP address works fine.
>>>
>>> Does anyone know how to make an SSL call from a Tomcat server using
>>> the IP address only?  Is it even possible?
>> I'm not 100% sure, but I think it is not possible.
>>
>> Your server certificate have Common Name (CN) which can match either FQDN
>> (server.company.com) or IP (123.123.123.123) - not both.
>>
>> You can, however, try to workaround your inability to contact DNS server by
>> manually inserting the adress to the "hosts" file, if you have permission to
>> do that.
>>
>> Regards,
>> Ognjen
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
> 
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message