tomcat-users mailing list archives

From Martin Gainty <mgai...@hotmail.com>
Subject RE: Better SSL connector setup
Date Tue, 09 Apr 2013 00:25:53 GMT
Identification of keys and supported ciphers is important for Key Exchange.
But before that happens, the certificate's attributes are the only means the CA-Authority can
verify the name in the cert.
The certificate attributes should contain:
1) 1 and only 1 Hostname to contact
2) Identification information from a DN in LDAP or a suitably unique Name Service Server (ADS) allowing
verification of the client to a 'Name Service': http://docs.oracle.com/cd/E19575-01/820-3885/gimog/index.html

Allowing your cert to authenticate to n hosts invites 2n as many potential DOS attacks.
Not requiring a DN would negate the CA-Authority's ability to verify DN CN == SSL-Host.
Think of online banking: clients need to circumvent forged sites posing as 'The official bank
site' to send your money.
If you are FE with Apache you will want to configure in mod_ssl: http://www.modssl.org/

Martin 
______________________________________________ 
Disclaimer and confidentiality note

This message is confidential. If you are not the intended recipient, we kindly ask you to
notify us. Any unauthorized forwarding or copying is not permitted. This message serves only
the exchange of information and has no legally binding effect. Because e-mails can easily be
manipulated, we accept no liability for their content.


> Date: Sun, 7 Apr 2013 11:40:24 -0700
> From: its_toasted@yahoo.com
> To: users@tomcat.apache.org
> Subject: Re: Better SSL connector setup
> 
> Some notes from October 2011 referenced below:
> 
> On 4/7/2013 8:47 AM, Christopher Schultz wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > Kevin,
> >
> > On 4/6/13 10:10 PM, Kevin Jenkins wrote:
> >> I have a server that has two hosts: First:
> >> http://masterserver2.raknet.com/
> >>
> >> Second (using alias) https://lobby3.raknet.com
> >> <https://milestone.lobby3.raknet.com:444/>
> >> https://milestone.lobby3.raknet.com:444/
> >>
> >> I would like to have access be on these specific URLS. Right now you
> >> can use untrusted URLs, such as https://masterserver2.raknet.com/
> >> https://milestone.lobby3.raknet.com/
> >>
> >> Additionally, I would like to access milestone.lobby3.raknet.com on
> >> port 443 rather than 444 (so that 443 does not display a warning
> >> like it does now).
> >>
> >> I set up two connectors because I did not know how else to specify
> >> there are two ssl certificate files
> >
> > If you want two separate hostnames served under HTTPS and you:
> >
> > a. Don't have a wildcard or other special type of certificate
> > or
> > b. Don't have Server Name Indication capabilities
> >
> 
>  From the list archives:
> 
> http://mail-archives.apache.org/mod_mbox/tomcat-users/201110.mbox/%3C1318710394.66976.YahooMailNeo@web125511.mail.ne1.yahoo.com%3E
> 
> Wildcard certificates would work in this case because the hosts are part 
> of the same domain.
> 
> SNI is apparently client-side only for Java.
> 
> > ...then you will need to configure a <Connector> for each hostname on
> > a separate interface/port combination with separate certificates.
> >
> > The easiest way to do this is to set up a second interface with a
> > separate IP address. This is usually trivial to do, and it doesn't
> > really interfere with networking on the server. Just create a second
> > interface with a second IP address, map DNS properly, and then set up
> > your web server to bind specifically to the second IP address for the
> > second hostname's SSL virtual host.
> >
> 
> In a Tomcat-only setup this is the way to go. Secondary or virtual IP 
> addresses are easy to set up.
> 
> > Your <Connectors> look just fine (other than the use of port 444, of
> > course). Once you have a second interface/IP, you'll want to use the
> > "address" attribute of the <Connector> to choose the interface to
> > listen on. I would choose one <Connector> to listen on *all*
> > interfaces to be a catch-all in case your IP address(es) change(s) and
> > you forget to re-configure everything: a security warning due to a
> > mismatched-host is better for users than an unreachable host.
> >
> > - -chris
> 
> The other solution is to front the Tomcat systems with an Apache HTTPD 
> server and use named virtual hosts in SSL. Apparently the configuration 
> checking routine throws a warning on startup, but the actual 
> configuration works (on Apache HTTPD 2.2, I've not tried 2.4).
> 
> . . . . just my two cents.
> /mde/
> 
> 
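As an added example (not from the thread or from the Tomcat project), here is the second-interface layout Chris describes, written as Tomcat 7 style `<Connector>` elements in server.xml: each hostname gets its own IP address so both can sit on port 443 with their own keystore. The IP addresses, keystore paths and passwords are constructed placeholders; the hostnames are the ones from Kevin's post.

```xml
<!-- Added example, not from the thread. Two HTTPS hostnames on one Tomcat,
     each bound to its own address via the "address" attribute so both can
     use 443 with separate certificates. IPs/keystore values are placeholders. -->
<Service name="Catalina">

  <!-- First host: masterserver2.raknet.com, listens only on its own address -->
  <Connector port="443" protocol="HTTP/1.1"
             address="192.0.2.10"
             SSLEnabled="true" scheme="https" secure="true"
             maxThreads="150"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="conf/masterserver2.jks"
             keystorePass="CHANGE_ME"
             keyAlias="masterserver2" />

  <!-- Second host: milestone.lobby3.raknet.com on its own address, which is
       what lets it move from port 444 back to 443 -->
  <Connector port="443" protocol="HTTP/1.1"
             address="192.0.2.11"
             SSLEnabled="true" scheme="https" secure="true"
             maxThreads="150"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="conf/lobby3.jks"
             keystorePass="CHANGE_ME"
             keyAlias="lobby3" />

  <!-- Plain HTTP remains on all interfaces (no "address" attribute) -->
  <Connector port="80" protocol="HTTP/1.1" redirectPort="443" />

  <Engine name="Catalina" defaultHost="masterserver2.raknet.com">
    <Host name="masterserver2.raknet.com" appBase="webapps-master" />
    <Host name="milestone.lobby3.raknet.com" appBase="webapps-lobby3">
      <Alias>lobby3.raknet.com</Alias>
    </Host>
  </Engine>
</Service>
```

DNS for each hostname must resolve to the matching address, and each keystore must hold the certificate whose CN (or SAN) is that hostname, otherwise clients still see the hostname-mismatch warning the thread is trying to get rid of.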