tomcat-users mailing list archives

From Mark Eggers <>
Subject Re: Better SSL connector setup
Date Sun, 07 Apr 2013 18:40:24 GMT
Some notes from October 2011 referenced below:

On 4/7/2013 8:47 AM, Christopher Schultz wrote:
> Kevin,
> On 4/6/13 10:10 PM, Kevin Jenkins wrote:
>> I have a server that has two hosts: First:
>> Second (using alias)
>> <>
>> I would like have access be on these specific URLS. Right now you
>> can use untrusted URLs, such as
>> Additionally, I would like to access on
>> port 443 rather than 444 (so that 443 does not display a warning
>> like it does now).
>> I setup two connectors because I did not know how else to specify
>> there are two ssl certificate files
> If you want two separate hostnames served under HTTPS and you:
> a. Don't have a wildcard or other special type of certificate
> or
> b. Don't have Server Name Indication capabilities

From the list archives:

Wildcard certificates would work in this case because the hosts are part 
of the same domain.

SNI is apparently client-side only for Java.

> ...then you will need to configure a <Connector> for each hostname on
> a separate interface/port combination with separate certificates.
> The easiest way to do this is to set up a second interface with a
> separate IP address. This is usually trivial to do, and it doesn't
> really interfere with networking on the server. Just create a second
> interface with a second IP address, map DNS properly, and then set up
> your web server to bind specifically to the second IP address for the
> second hostname's SSL virtual host.

In a Tomcat-only setup this is the way to go. Secondary or virtual IP 
addresses are easy to set up.

> Your <Connectors> look just fine (other than the use of port 444, of
> course). Once you have a second interface/IP, you'll want to use the
> "address" attribute of the <Connector> to choose the interface to
> listen on. I would choose one <Connector> to listen on *all*
> interfaces to be a catch-all in case your IP address(es) change(s) and
> you forget to re-configure everything: a security warning due to a
> mismatched-host is better for users than an unreachable host.
> -chris

The other solution is to front the Tomcat systems with an Apache HTTPD 
server and use named virtual hosts in SSL. Apparently the configuration 
checking routine throws a warning on startup, but the actual 
configuration works (on Apache HTTPD 2.2, I've not tried 2.4).

. . . . just my two cents.
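As an added illustration (not a configuration from this thread), here is a server.xml fragment for the Tomcat-only approach Chris describes: one HTTPS connector left unbound as the catch-all for the first hostname, and a second connector bound to the secondary IP address with its own keystore, both on 443. Hostnames, IP addresses, keystore paths and passwords are placeholders I made up.

```xml
<!-- Added example: two HTTPS connectors, one per certificate, both on port 443.
     Assumes the server has a primary IP (192.0.2.10, first.example.com) and a
     secondary/virtual IP (192.0.2.11, second.example.com), with DNS pointing
     each hostname at its own address. Paths and passwords are placeholders. -->

<!-- Catch-all: no "address" attribute, so this connector listens on every
     interface and presents the certificate for the first hostname. If the
     secondary IP ever goes away, clients of the second hostname still reach
     Tomcat here and get a name-mismatch warning rather than no service. -->
<Connector port="443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="150"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="${catalina.base}/conf/first.example.com.jks"
           keystorePass="CHANGE_ME_first" />

<!-- Second hostname: bound only to the secondary IP, with its own keystore
     holding the certificate for second.example.com. -->
<Connector port="443"
           address="192.0.2.11"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="150"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="${catalina.base}/conf/second.example.com.jks"
           keystorePass="CHANGE_ME_second" />
```

Because the Java side cannot select a certificate by SNI here, the only thing distinguishing the two connectors is the IP address they accept connections on, so the DNS records for each hostname must resolve to the matching address.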
