tomcat-users mailing list archives

From "Steffen Heil" <>
Subject AW: Is it possible to configure 2 SSL connectors on one Tomcat instance?
Date Tue, 08 Mar 2011 14:39:21 GMT

> If you have only 1 ip address then you might have a problem. The problem
> with name based virtual hosts under https/ssl is that ssl handshake (which
> involves server sending a certificate for some
> domain) happens after tcp/ip connection is established - before the HOST
> part of the http request can be read. So if you would have 2 different https
> virtual domains on same ip:port, the server wouldn't know which certificate
> to send just after a tcp/ip connection was established, because it must
> decide what certificate to send based on information which is inside the HTTP
> request, which can be read only after establishing an ssl connection. This is a
> general problem, not just Tomcat specific.

While this is true for the outdated SSL, it is not true for "current" TLS.
There is a TLS extension around (since 2003) that allows multiple certificates on one ip.
That is 8 years by now! (rfc3546, §3.1)

Some https servers support it. Sadly java / tomcat don't.

And that IS a tomcat problem. Yet not a bug, but a missing feature.

