How to configure Tomcat serving two SSL certificates using SNI?

According to these two answers (1) (2), it is possible to have two SSL certificates serving the same Tomcat server using Server Name Indication (SNI).

My question is how to configure this? I could configure two virtual hosts, but I only have one connector, which presents the specified SSL certificate to the client. In the connector you can specify the keystore and the alias of the certificate to use, but there is no attribute saying which virtual host this connector is used for or which certificate it should present to the client depending on the domain used.

How can I tell Tomcat which SSL certificate (or rather, which keystore) it should use with SNI?

(1) https://stackoverflow.com/questions/958770/...2 .

+6
3 answers

You need to re-read the answers to those questions. SNI is not supported on the server side until Java 8. The minimum Java version that Tomcat 8 must support is Java 7, so there is currently no SNI support in Tomcat.

It may be possible to support SNI if Tomcat is running on Java 8 or later, but it would require code changes in Tomcat for which there are currently no plans.

December 2014 update:

Adding SNI support is on the TODO list for Tomcat 9. That TODO list is quite long, and SNI is not currently at the top of it. As always, patches are welcome.

Once SNI is implemented in Tomcat 9, it may be possible to back-port SNI support to Tomcat 7 and Tomcat 8. Again, patches are welcome.

Update as of June 2015:

SNI has been implemented for Tomcat 9. It is supported by all three HTTP connector implementations (NIO, NIO2 and APR/native). To use SNI with NIO or NIO2 you will need to build Tomcat 9 (i.e. trunk) from source. To use SNI with APR/native you will also need to build tc-native trunk (not the 1.1.x branch currently used by Tomcat versions).

The TLS configuration has changed significantly to support SNI. Details will be in the docs web application once Tomcat 9 is built.

November 2016 Update:

SNI support is included in Tomcat 8.5.x. It is unlikely to be back-ported any further, i.e. it is unlikely to reach 8.0.x or 7.0.x.

+14

You can configure multiple SSL certificates using the following configuration:

```xml
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="domain1">
    <SSLHostConfig hostName="domain1">
        <Certificate certificateKeystoreFile="conf/domain1-keystore.jks"
                     certificateKeystorePassword="dom1keystorepwd"
                     certificateKeyPassword="dom1keypwd"
                     type="RSA" />
    </SSLHostConfig>
    <SSLHostConfig hostName="domain2">
        <Certificate certificateKeystoreFile="conf/domain2-keystore.jks"
                     certificateKeystorePassword="dom2keystorepwd"
                     certificateKeyPassword="dom2keypwd"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Adjust the protocol to suit your needs. You can also configure OpenSSL instead of JSSE. Please refer to https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig for further details.

In addition, defaultSSLHostConfigName is very important; without it, this will not work. Choose any of the domains as the default.

+3
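A check for the configuration in the answer above, added here as an example (it is not part of that answer and not Tomcat's own tooling). The first function flags the mistake the answer warns about, a defaultSSLHostConfigName that matches no SSLHostConfig, in a constructed server.xml fragment; the second performs a TLS handshake against a running Tomcat with a chosen SNI name and returns the SHA-256 fingerprint of the certificate actually presented, so each name can be compared with the certificate in its keystore. Host, port and the keystore paths are assumptions.

```python
import hashlib
import socket
import ssl
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the answer above
# (hypothetical keystore paths; passwords omitted).
SAMPLE_CONNECTOR = """
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" defaultSSLHostConfigName="domain1">
  <SSLHostConfig hostName="domain1">
    <Certificate certificateKeystoreFile="conf/domain1-keystore.jks" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="domain2">
    <Certificate certificateKeystoreFile="conf/domain2-keystore.jks" type="RSA"/>
  </SSLHostConfig>
</Connector>
"""


def check_sni_connector(xml_text):
    """Return a list of problems found in one <Connector> element (empty = OK)."""
    problems = []
    connector = ET.fromstring(xml_text)
    if connector.get("SSLEnabled", "false").lower() != "true":
        problems.append("SSLEnabled is not true")
    host_configs = connector.findall("SSLHostConfig")
    names = [h.get("hostName", "_default_") for h in host_configs]
    default = connector.get("defaultSSLHostConfigName", "_default_")
    # Tomcat refuses to start when the default name matches no SSLHostConfig.
    if default not in names:
        problems.append(f"defaultSSLHostConfigName={default!r} matches none of {names}")
    if len(names) != len(set(names)):
        problems.append(f"duplicate SSLHostConfig hostName in {names}")
    for hc in host_configs:
        if hc.find("Certificate") is None:
            problems.append(f"SSLHostConfig {hc.get('hostName')!r} has no Certificate")
    return problems


def presented_cert_fingerprint(host, port, sni_name):
    """Handshake with the given SNI name; return the SHA-256 fingerprint of the cert
    the server presented. Chain verification is off on purpose: the question is
    which certificate comes back for this name, not whether it is trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()
```

Call presented_cert_fingerprint once per hostName and compare each result with the fingerprint keytool reports for that keystore's certificate; a mismatch means the SNI name is falling through to the default SSLHostConfig.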

You can put nginx or HAProxy (which support SNI) in front of Tomcat and let them act as proxies.

+1

Source: https://habr.com/ru/post/958769/
