users@grizzly.java.net

Re: Issue using SSLSelectorThread

From: <mark_at_thefixs.com>
Date: Mon, 10 Nov 2008 12:05:45 -0500 (Eastern Standard Time)

Alexey,

I created two self signed certificates using keytool. I think I may have
the answer. What I am attempting to do is use multiple certificates for
different domains on the same IP/PORT. After further investigation I do
not think this is possible. The following quote is from this link:

http://java.sun.com/javaee/5/docs/tutorial/doc/bnbxw.html

"Using name-based virtual hosts on a secured connection can be
problematic. This is a design limitation of the SSL protocol itself. The
SSL handshake, where the client browser accepts the server certificate,
must occur before the HTTP request is accessed. As a result, the request
information containing the virtual host name cannot be determined before
authentication, and it is therefore not possible to assign multiple
certificates to a single IP address. If all virtual hosts on a single IP
address need to authenticate against the same certificate, the addition of
multiple virtual hosts should not interfere with normal SSL operations on
the server. Be aware, however, that most client browsers will compare the
server’s domain name against the domain name listed in the certificate, if
any (this is applicable primarily to official, CA-signed certificates). If
the domain names do not match, these browsers will display a warning to
the client. In general, only address-based virtual hosts are commonly used
with SSL in a production environment."

So is this correct, do I need to give up on name-based SSL hosts?

Thanks,
Mark


> Hi Mark,
>
> are you creating different nicknames for those certificates?
> Can you pls. provide more details on how you add certificates and if
> you do any additional SSL tunings on Grizzly side?
>
> Thank you.
>
> WBR,
> Alexey.
>
> On Nov 10, 2008, at 6:34 , Mark Fix wrote:
>
>> I have been able to create an HTTPS version of the GrizzlyWebServer
>> class. It is very straight forward, using SSLSelectorThread in place
>> of the SelectorThread. It works fine if I have only one alias
>> defined in my keystore and truststore files. However, if I have more
>> than one alias in my keystore and truststores It does not map to the
>> correct alias. For example, if I create a self-signed certificate
>> for www.testsite1.com in my keystore/truststore, start the server,
>> and then navigate in my browser to https://www.testsite1.com it
>> works fine. Once I add a second self-signed certificate for, say,
>> www.testsite2.com then only one of them is recognized. By this I
>> mean https://www.testsite1.com might work fine, but
>> https://www.testsite2.com would complain that the certificate is
>> only valid for www.testsite1.com. It does not seem to find the
>> alias for www.testsite2.com. I am not sure if this is how it is
>> supposed to work or if I might be doing something wrong. Any ideas
>> or suggestions would be greatly appreciated.
>>
>>
>> Mark Fix
>
>
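Editor's note, not part of the thread: the tutorial passage Mark quotes describes TLS without the Server Name Indication extension (RFC 6066, originally RFC 3546). With SNI the client sends the hostname in its ClientHello, before the server picks a certificate, which is exactly what name-based virtual hosts over TLS need. The JSSE stack Grizzly ran on in 2008 (JDK 6) could not read it on the server side, which is why the JSSE default key manager simply returns the first usable alias in the keystore and the second hostname fails; server-side SNI arrived in JDK 8 (JEP 114). The class below is an added example written for this page, not Grizzly's or Sun's code: an X509ExtendedKeyManager that reads the SNI hostname from the handshake session and picks the keystore alias whose certificate covers it, falling back to the default choice for clients that send no SNI. It assumes JDK 8 or later, one key entry per virtual host in a single keystore, and that the resulting SSLContext can be handed to whatever server API you use (the exact Grizzly setter is not shown here).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.StandardConstants;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/** Added example (not Grizzly code): pick the server cert by the client's TLS SNI hostname. JDK 8+. */
public final class SniKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;  // JSSE default key manager; supplies the actual key material
    private final List<String> keyAliases;  // keystore aliases that carry a private key

    private SniKeyManager(X509KeyManager delegate, KeyStore ks) throws Exception {
        this.delegate = delegate;
        this.keyAliases = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) keyAliases.add(alias);
        }
    }

    /** Wraps the JSSE default X509KeyManager built from a keystore with one key+cert per virtual host. */
    public static SniKeyManager forKeyStore(KeyStore ks, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) return new SniKeyManager((X509KeyManager) km, ks);
        }
        throw new IllegalStateException("no X509KeyManager available");
    }

    /** SSLEngine (non-blocking) path, the one a selector-thread server drives. */
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        String chosen = aliasForSni(keyType, engine.getHandshakeSession());
        return chosen != null ? chosen : delegate.chooseServerAlias(keyType, issuers, null);
    }

    /** SSLSocket (blocking) path. */
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        SSLSession hs = socket instanceof SSLSocket ? ((SSLSocket) socket).getHandshakeSession() : null;
        String chosen = aliasForSni(keyType, hs);
        return chosen != null ? chosen : delegate.chooseServerAlias(keyType, issuers, socket);
    }

    /** Alias whose certificate covers the SNI hostname, or null when there is no SNI or no match. */
    private String aliasForSni(String keyType, SSLSession handshakeSession) {
        if (!(handshakeSession instanceof ExtendedSSLSession)) return null;
        for (SNIServerName name : ((ExtendedSSLSession) handshakeSession).getRequestedServerNames()) {
            if (name.getType() != StandardConstants.SNI_HOST_NAME) continue;
            String host = ((SNIHostName) name).getAsciiName().toLowerCase(Locale.ROOT);
            for (String alias : keyAliases) {
                PrivateKey key = delegate.getPrivateKey(alias);
                X509Certificate[] chain = delegate.getCertificateChain(alias);
                if (key == null || chain == null || chain.length == 0) continue;
                if (!key.getAlgorithm().equals(keyType)) continue;  // honour the negotiated key type (RSA/EC)
                if (certificateCovers(chain[0], host)) return alias;
            }
        }
        return null;
    }

    /** True if a SAN dNSName matches; subject CN is consulted only when the cert has no SAN (RFC 6125). */
    static boolean certificateCovers(X509Certificate cert, String host) {
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {  // entry: [type, value]; type 2 = dNSName
                    if (((Integer) san.get(0)).intValue() == 2 && hostMatches((String) san.get(1), host)) return true;
                }
                return false;
            }
        } catch (CertificateParsingException ignored) { }
        for (String rdn : cert.getSubjectX500Principal().getName().split(",")) {  // RFC 2253 DN string
            if (rdn.trim().startsWith("CN=")) return hostMatches(rdn.trim().substring(3), host);
        }
        return false;
    }

    /** Exact match, or a single left-most wildcard label such as "*.testsite1.com". */
    static boolean hostMatches(String pattern, String host) {
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (pattern.equals(host)) return true;
        if (!pattern.startsWith("*.")) return false;
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot + 1).equals(pattern.substring(2));
    }

    // Everything else forwards to the default key manager.
    @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
    @Override public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return delegate.chooseClientAlias(kt, is, s); }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    /** SSLContext backed by this key manager; hand it to the server's SSL configuration (assumed API). */
    public static SSLContext sslContext(String keyStorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keyStorePath)) { ks.load(in, password); }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { forKeyStore(ks, password) }, null, null);
        return ctx;
    }
}
```

To check which alias a handshake actually selected, run `openssl s_client -connect host:443 -servername www.testsite2.com` and inspect the returned certificate; omit `-servername` to see the no-SNI fallback, which is the behaviour Mark observed. The fallback alias is whatever the default key manager returns, so put the host you want non-SNI clients to get first in the keystore, and keep each virtual host's names in the certificate's SAN rather than relying on the CN.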