
List:       wsf-javascript-dev
Subject:    Re: [Dev] Supporting Secured connection to virtual host in tomcat
From:       Reka Thirunavukkarasu <reka () wso2 ! com>
Date:       2012-04-30 9:58:19
Message-ID: CAFhGutK74OM9yr5BqhMp4ndgkAoFOE1xwonGDhc_bVn2dLkd6w () mail ! gmail ! com

Hi all,

Server Name Indication (SNI) is not a preferred option, since it is not
yet supported by all the clients (IE 7 and 8 will fail on
Windows XP) [1]. Also, SNI is supported by Java 7. So we need to
switch to Java 7 to support SNI in Tomcat.

As per the offline discussion with Azzez, we will use a wildcard (e.g.
*.Stratoslive) for the virtual host to get the context mapping as of
now, based on the above clarifications, until SNI stabilizes with
Tomcat and the clients.

[1]. http://tomcat.markmail.org/thread/q6d5czzlgih3r2ys

Thanks,
Reka

On Thu, Apr 26, 2012 at 11:25 AM, Reka Thirunavukkarasu <reka@wso2.com> wrote:
> Hi,
>
> Since we are going to support virtual hosts in Tomcat, we need to provide
> $subject when the user wants to have a secured connection. At the moment, all
> our webapps are deployed under localhost.
>
> E.g.: if the virtual host is wso2app.com, when the user accesses
> "https://wso2app.com", we should provide the associated certificate of that
> virtual host.
> FYI: we support name-based virtual hosts, which means all hosts are associated
> with one IP.
>
> The default SSL connection is installed with the CA for localhost in the
> product, and a CA for a wildcard (e.g. *.Stratoslive) is installed in Stratos.
> If we try to access the virtual host with this SSL connection, the browser fails
> to identify the CA of the virtual host. Because, at the negotiation to
> present the certificate, no host name is sent to the browser; rather, the virtual
> host is sent to the browser in the HTTP header after the negotiation of the
> certificate. Only if the hostname in the browser and the certificate
> match would the browser be able to continue. Otherwise, browser warnings are
> displayed [1].
>
> So, using one SSL connector to support multiple hosts is a limitation in Tomcat. But
> if we go for supporting IP-based virtual hosts, then by creating different
> connectors on a per-host basis we would be able to provide the CA of a particular
> virtual host. But that wouldn't be very effective, as it uses one IP for each
> virtual host that needs SSL.
>
> To overcome this issue, we would support always appending a wildcard to
> the hostname that needs SSL [3], similarly to what we did for Stratos. But that will
> restrict the user from having their own name for a virtual host. Another solution is to
> support SNI (Server Name Indication) [2], [4] in the browser and server. Are we
> currently supporting SNI? In that case, we can't be sure about the browser
> as well.
>
> Please share your thoughts regarding the $subject.
>
> [1]. http://www.mail-archive.com/users@tomcat.apache.org/msg50892.html
> [2]. http://www.mail-archive.com/users@tomcat.apache.org/msg93384.html
> [3]. http://stackoverflow.com/questions/10173265/using-multiple-ssl-certificates-in-single-tomcat-instance
> [4]. http://en.wikipedia.org/wiki/Server_Name_Indication
>
>
> Thanks,
> Reka
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
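The thread hinges on two facts: the server must choose a certificate before it has seen the HTTP Host header (so without SNI it can only present the connector's default certificate), and a browser accepts that certificate only if the URL's host matches one of the certificate's names under the one-label wildcard rule (so a *.stratoslive.wso2.com certificate covers foo.stratoslive.wso2.com but not stratoslive.wso2.com or a.b.stratoslive.wso2.com, which is why the wildcard approach restricts the names a tenant can pick). The following Python is an added example written for this page, not WSO2 or Tomcat code: it builds a minimal ClientHello (constructed bytes, with or without the server_name extension), extracts the SNI host name the way a server would, picks a certificate from a hypothetical virtual-host table, and then applies the browser-side name check. The host names, the VHOST_CERTS table and the cipher suite are illustrative assumptions; no real certificates are loaded.

```python
import struct

# Constructed virtual-host table (hypothetical names, not WSO2's config):
# each entry lists the DNS names that host's certificate is issued for.
VHOST_CERTS = {
    "default": ["localhost"],                 # the connector's default cert
    "wso2app": ["wso2app.com", "www.wso2app.com"],
    "stratos": ["*.stratoslive.wso2.com"],    # wildcard cert, one label only
}


def hostname_matches(pattern, hostname):
    """Match a requested host against a certificate name the way browsers
    do (RFC 6125): a wildcard is honoured only as the entire left-most label
    and covers exactly one label, so *.a.com matches x.a.com but neither
    a.com nor y.x.a.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".a.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[:-len(suffix)]
    return bool(left) and "." not in left


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello handshake message (without the
    5-byte record header), carrying a server_name extension when a name is
    given. Old clients such as IE on Windows XP send none."""
    body = b"\x03\x03" + b"\x00" * 32         # version + client random (constructed)
    body += b"\x00"                           # empty session id
    body += b"\x00\x02\x00\x2f"               # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                       # null compression only
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # server_name_list
        exts += struct.pack("!HH", 0, len(sni)) + sni           # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_sni(client_hello):
    """Server side: return the host_name from the server_name extension, or
    None when the client did not send one (the server then has no idea which
    virtual host the browser wants until the HTTP Host header arrives)."""
    if client_hello[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                          # skip type, length, version, random
    pos += 1 + client_hello[pos]              # session id
    cs_len = struct.unpack("!H", client_hello[pos:pos + 2])[0]
    pos += 2 + cs_len                         # cipher suites
    pos += 1 + client_hello[pos]              # compression methods
    if pos >= len(client_hello):
        return None                           # no extensions block at all
    ext_len = struct.unpack("!H", client_hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", client_hello[pos:pos + 4])
        pos += 4
        if etype == 0:
            lpos = pos + 2                    # skip server_name_list length
            while lpos + 3 <= pos + elen:
                ntype = client_hello[lpos]
                nlen = struct.unpack("!H", client_hello[lpos + 1:lpos + 3])[0]
                if ntype == 0:
                    return client_hello[lpos + 3:lpos + 3 + nlen].decode("idna")
                lpos += 3 + nlen
        pos += elen
    return None


def select_cert(client_hello):
    """Server side: pick the virtual host whose certificate names cover the
    SNI host; fall back to the connector's default certificate."""
    host = parse_sni(client_hello)
    if host is not None:
        for vhost, names in VHOST_CERTS.items():
            if vhost != "default" and any(hostname_matches(n, host) for n in names):
                return vhost
    return "default"


def browser_accepts(vhost, requested_host):
    """Client side: the browser compares the URL's host with the names in the
    certificate it was actually given; a mismatch produces the warning."""
    return any(hostname_matches(n, requested_host) for n in VHOST_CERTS[vhost])


def handshake(requested_host, client_sends_sni=True):
    """Simulate the exchange: (certificate served, accepted by the browser)."""
    hello = build_client_hello(requested_host if client_sends_sni else None)
    vhost = select_cert(hello)
    return vhost, browser_accepts(vhost, requested_host)
```

Running handshake("wso2app.com") yields ("wso2app", True), while handshake("wso2app.com", client_sends_sni=False) yields ("default", False): with no SNI the server can only serve the localhost certificate and the browser warns, which is the failure the thread describes for non-SNI clients. The wildcard case shows the other constraint: foo.stratoslive.wso2.com is served by the stratos certificate, but a.b.stratoslive.wso2.com falls through to the default and is rejected.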