tomcat-users mailing list archives

From André Warnier
Subject Re: TomCat multiple ssl support
Date Tue, 29 Dec 2009 14:53:31 GMT
Peter Crowther wrote:
> 2009/12/29 DOrlov
>> Hello, I have TomCat 6 server and I have 3 SSL certificates for:
>> 1.
>> 2.
>> 3.
>> I would like to use all 3 on 1 SSL connector (Don't create 3 SSL
>> connectors)
>> I'm using keytool app and keystore SSL logic for TomCat SSL configuration.
>
> As far as I know, the HTTP spec doesn't allow this.  The certificate must
> be chosen and sent by the server to encrypt the connection before the host
> header is sent by the browser over the encrypted connection.  Therefore, the
> server cannot choose the certificate to send.  You'll need different
> connectors, either on different IP addresses or different ports.
> Happy to be corrected if someone knows better!
With pleasure ! ;-)
Actually, HTTP (RFC 2616) is pretty much silent about this.
One has to consult RFC 2818 and RFC 2817 for information on the subject.

What you indicate above as the technical reason is generally correct, 
however, as far as HTTP servers are concerned.
The Java Servlet Specification, also applicable in Tomcat's case, may 
however have more to say about this.

For the OP, since you mentioned this possibility:
If you are using a front-end Apache httpd anyway, and if the connection 
between this front-end Apache and the back-end Tomcat can generally be 
considered as secure (for example, it happens within the same host, or 
over a reasonably secure LAN), then it would make sense to "terminate" 
the SSL part at the front-end level, and use a non-encrypted protocol 
between Apache and Tomcat (because Apache has to decrypt anyway, and 
then it has to re-encrypt everything for Tomcat otherwise, and vice-versa).

This being said, by doing this you have just moved the issue to the 
Apache httpd level, and it will be subject to the same limitations as 
indicated above.

Except that, if I remember correctly, there is now support in Apache 
httpd for the TLS and SNI extensions, and possibly in some browsers also.
Very roughly, TLS with SNI allows a browser to start a connection with an 
HTTP host using normal (unencrypted) TCP, and then request an "upgrade" 
of the connection to SSL.  This should theoretically allow for the kind 
of thing you seem to want.
