Hi Mark,
> Alexey,
>
> I created two self signed certificates using keytool. I think I may
> have
> the answer. What I am attempting to do is use multiple certificates
> for
> different domains on the same IP/PORT. After further investigation I
> do
> not think this is possible. The following quote is from this link:
>
> http://java.sun.com/javaee/5/docs/tutorial/doc/bnbxw.html
>
> "Using name-based virtual hosts on a secured connection can be
> problematic. This is a design limitation of the SSL protocol itself.
> The
> SSL handshake, where the client browser accepts the server
> certificate,
> must occur before the HTTP request is accessed. As a result, the
> request
> information containing the virtual host name cannot be determined
> before
> authentication, and it is therefore not possible to assign multiple
> certificates to a single IP address. If all virtual hosts on a
> single IP
> address need to authenticate against the same certificate, the
> addition of
> multiple virtual hosts should not interfere with normal SSL
> operations on
> the server. Be aware, however, that most client browsers will
> compare the
> server’s domain name against the domain name listed in the
> certificate, if
> any (this is applicable primarily to official, CA-signed
> certificates). If
> the domain names do not match, these browsers will display a warning
> to
> the client. In general, only address-based virtual hosts are
> commonly used
> with SSL in a production environment."
>
> So is this correct, do I need to give up on name-based SSL hosts?
I checked the same thing with a GF security engineer, and it seems it is
not possible.
Only in the case where you can determine the correct certificate by the HTTP
client's IP address, which, IMHO, is not a reliable thing to do.
Thank you.
WBR,
Alexey.
>
>
> Thanks,
> Mark
>
>
>> Hi Mark,
>>
>> are you creating different nicknames for those certificates?
>> Can you pls. provide more details on how you add certificates and if
>> you do any additional SSL tunings on Grizzly side?
>>
>> Thank you.
>>
>> WBR,
>> Alexey.
>>
>> On Nov 10, 2008, at 6:34 , Mark Fix wrote:
>>
>>> I have been able to create an HTTPS version of the GrizzlyWebServer
>>> class. It is very straight forward, using SSLSelectorThread in place
>>> of the SelectorThread. It works fine if I have only one alias
>>> defined in my keystore and truststore files. However, if I have more
>>> than one alias in my keystore and truststores, it does not map to the
>>> correct alias. For example, if I create a self-signed certificate
>>> for www.testsite1.com in my keystore/truststore, start the server,
>>> and then navigate in my browser to https://www.testsite1.com it
>>> works fine. Once I add a second self-signed certificate for
>>> say www.testsite2.com then only one of them is recognized. By this I
>>> mean https://www.testsite1.com might work fine, but
>>> https://www.testsite2.com
>>> would complain that the certificate is only valid
>>> for www.testsite1.com. It does not seem to find the alias for
>>> www.testsite2.com. I am not sure if this is how it is supposed to work or if I might
>>> be doing something wrong. Any ideas or suggestions would be greatly
>>> appreciated.
>>>
>>>
>>> Mark Fix
>>
>>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_grizzly.dev.java.net
> For additional commands, e-mail: users-help_at_grizzly.dev.java.net
>
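A diagnostic for the behaviour Mark describes (one alias served no matter which host the browser asked for), added here as an example and not code from the thread or from Grizzly: it loads a JKS keystore and asks the default JSSE key manager which alias it would present, assuming the key entries use the keystore password (keytool's default).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

public class AliasCheck {
    // Asks the default JSSE key manager which alias it would present to a
    // client. The requested host name never reaches this call; the manager
    // only sees the key type and accepted issuers, so every client gets the
    // same alias no matter which virtual host it asked for.
    static String chosenServerAlias(KeyStore ks, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                X509KeyManager x509 = (X509KeyManager) km;
                // older keytool versions generated DSA keys by default, so try
                // the common key types rather than assuming RSA
                for (String keyType : new String[] {"RSA", "DSA", "EC"}) {
                    String alias = x509.chooseServerAlias(keyType, null, null);
                    if (alias != null) return alias;
                }
            }
        }
        return null;
    }

    // Usage: java AliasCheck <keystore.jks> <password>
    // (assumes the key entries use the keystore password, keytool's default)
    public static void main(String[] args) throws Exception {
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        // list every private-key entry and the subject its certificate names
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                System.out.println(alias + " -> " + cert.getSubjectX500Principal().getName());
            }
        }
        System.out.println("alias served to every client: " + chosenServerAlias(ks, password));
    }
}
```

Whichever alias this prints is the certificate every browser will see, so any other host name in the keystore will trigger the mismatch warning the quoted tutorial describes.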