tomcat-users mailing list archives

From Borut Hadžialić <borut.hadzia...@gmail.com>
Subject Re: Is it possible to configure 2 SSL connectors on one Tomcat instance?
Date Tue, 08 Mar 2011 13:51:10 GMT
Hi Nikko,

I assume that you really want 2 connectors with 2 different key stores,
not 2 different trust stores.

If you have 2 ip addresses then it's easy - define 2 connectors and use
their address attribute to assign each connector one ip address.

If you have only 1 ip address then you might have a problem. The
problem with name based virtual hosts under https/ssl is that ssl
handshake (which involves server sending a certificate for some
domain) happens after tcp/ip connection is established - before the
HOST part of the http request can be read. So if you would have 2
different https virtual domains on same ip:port, the server wouldn't
know which certificate to send just after a tcp/ip connection was
established, because it must decide what certificate to send based on
information which is inside the HTTP request, which can be read only
after establishing a ssl connection. This is a general problem, not
just Tomcat specific.

Maybe if your domains are really similar to host1.myhost.com and
host2.myhost.com you could use a wildcard certificate (*.myhost.com)
or if you are using a self-signed certificate and want just https
encryption and not server verification - then you could use 1 Tomcat
connector.

And btw if you are defining a https connector in tomcat you are using
a key store - a trust store is used when you verify client
certificates when you set clientAuth="true" which is rare.


On Tue, Mar 8, 2011 at 1:57 PM, Nikko Nikko <nikk.sun@gmail.com> wrote:
> Hi,
>
>
>
>   Is it possible to define 2 SSL connectors for 2 different virtual
> domains? For example I want to define 2 virtual hosts:  “host1.myhost.com”
> and “host2.myhost.com” and want to have different trust store  for each of
> them. I want to run them in one and the same Tomcat instance.
>
>
>
> Best regards,
>
>  Nikko.
>



-- 
Why?
Because YES!
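
The two-address setup described in the message above, written out as a `server.xml` fragment. This is an added example, not part of the original e-mail; the IP addresses (documentation range), keystore paths, passwords and `appBase` directories are placeholders, and the attribute names are those of Tomcat's JSSE HTTPS connector.

```xml
<!-- Added example: one Tomcat instance, two HTTPS connectors, one key store each.
     All addresses, file names and passwords below are placeholders. -->
<Service name="Catalina">

  <!-- Bound to the first IP address only; presents the host1 certificate -->
  <Connector port="443" address="192.0.2.10"
             protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true"
             keystoreFile="conf/host1-keystore.jks"
             keystorePass="PLACEHOLDER-host1"
             clientAuth="false" sslProtocol="TLS" />

  <!-- Bound to the second IP address only; presents the host2 certificate.
       Because the address differs, the same port can be reused. -->
  <Connector port="443" address="192.0.2.11"
             protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true"
             keystoreFile="conf/host2-keystore.jks"
             keystorePass="PLACEHOLDER-host2"
             clientAuth="false" sslProtocol="TLS" />

  <!-- A trust store (truststoreFile / truststorePass) is only consulted when
       clientAuth="true", i.e. when the server verifies client certificates. -->

  <Engine name="Catalina" defaultHost="host1.myhost.com">
    <!-- DNS must point each name at the address of its connector -->
    <Host name="host1.myhost.com" appBase="webapps-host1" />
    <Host name="host2.myhost.com" appBase="webapps-host2" />
  </Engine>
</Service>
```

Both connectors feed the same Engine, so host selection still happens on the HTTP Host header; only the certificate choice is tied to the IP address the client connected to.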
