HowTo setup Tomcat serving two SSL Certificates using SNI?


Question

According to these two answers [1] [2] it's possible to have two SSL certificates serving from the same Apache Tomcat using Server Name Indication (SNI).

My question is then, how to set this up? I could set up two virtual hosts but I still have then just one connector which presents the specified SSL certificate to the client. In the connector one can specify the keystore and alias to use for the certificate but there is no parameter saying for which virtual host this connector is for or which certificate he should present to the client according to the used domain.

How can I tell Tomcat which SSL certificate (or to be more correct which keystore) he has to use while using SNI?

[1] https://stackoverflow.com/a/10173447
[2] https://stackoverflow.com/a/6343059

Recommended answer

You need to re-read the answers to those questions. SNI is not supported on the server side until Java 8. The minimum Java version that Tomcat 8 has to support is Java 7 so at the moment there is no SNI support in Tomcat.

It may be possible to optionally support SNI if Tomcat is running on Java 8 or later but that would need code changes in Tomcat for which there are currently no plans.

Update December 2014:

Adding SNI support is on the TODO list for Tomcat 9. That TODO list is quite long and SNI is not currently at the top of the list. As always patches are welcome.

Once SNI is implemented in Tomcat 9 it is possible that SNI support might be back-ported to Tomcat 7 and Tomcat 8. Again, patches welcome.

Update June 2015:

SNI has been implemented for Tomcat 9. It is supported by all three HTTP connector implementations (NIO, NIO2 and APR/native). To use SNI with NIO or NIO2 you will need to compile Tomcat 9 (a.k.a. trunk) from source. To use SNI with APR/native you will also need to compile tc-native trunk (not the 1.1.x branch currently used by the Tomcat releases).

TLS configuration has changed significantly to support SNI. Details will be in the docs web application once you have built Tomcat 9.

Update November 2016:

SNI support is included in Tomcat 8.5.x. It is unlikely it will be back-ported further. i.e. It is unlikely to make it to 8.0.x or 7.0.x.
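
As an added illustration (not part of the original answer and not the Tomcat project's own sample), this is a `server.xml` fragment for Tomcat 8.5 or later that covers the question's case of two virtual hosts behind one TLS connector. The host names, keystore paths, key aliases and passwords are placeholders.

```xml
<!-- Added example, not from the original answer. Host names, keystore paths,
     aliases and passwords are placeholders. Requires Tomcat 8.5 or later.
     This fragment belongs inside the <Server> element of conf/server.xml. -->
<Service name="Catalina">

  <!-- One TLS connector. The certificate is selected per handshake from the
       server name the client sends in the SNI extension. -->
  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             defaultSSLHostConfigName="www.example.com">

    <!-- Served for www.example.com and, because it is named as the default,
         for clients that send no SNI or a name that matches nothing here. -->
    <SSLHostConfig hostName="www.example.com" protocols="TLSv1.2">
      <Certificate certificateKeystoreFile="conf/example-com.jks"
                   certificateKeystorePassword="CHANGE_ME_1"
                   certificateKeyAlias="example-com"
                   type="RSA" />
    </SSLHostConfig>

    <!-- Served only when the client's SNI name is www.example.org. -->
    <SSLHostConfig hostName="www.example.org" protocols="TLSv1.2">
      <Certificate certificateKeystoreFile="conf/example-org.jks"
                   certificateKeystorePassword="CHANGE_ME_2"
                   certificateKeyAlias="example-org"
                   type="RSA" />
    </SSLHostConfig>
  </Connector>

  <!-- Virtual hosts are still routed by the HTTP Host header; the
       SSLHostConfig names above only decide which certificate is presented. -->
  <Engine name="Catalina" defaultHost="www.example.com">
    <Host name="www.example.com" appBase="webapps-com" />
    <Host name="www.example.org" appBase="webapps-org" />
  </Engine>
</Service>
```

The connector fails to start if `defaultSSLHostConfigName` does not match the `hostName` of one of its `SSLHostConfig` elements. To confirm which certificate each name receives, run `openssl s_client -connect <host>:8443 -servername www.example.org` and compare the returned subject with the one returned for the other name.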
