HowTo setup Tomcat serving two SSL Certificates using SNI?


Question

According to these two answers (1)(2) it's possible to have two SSL certificates serving from the same Tomcat server using Server Name Indication (SNI).

My question is then, how to set this up? I could set up two virtual hosts but I still have then just one connector which presents the specified SSL certificate to the client. In the connector one can specify the keystore and alias to use for the certificate but there is no parameter saying for which virtual host this connector is for or which certificate he should present to the client according to the used domain.

How can I tell tomcat which ssl certificate (or to be more correct which keystore) he has to use while using SNI?

(1) https://stackoverflow.com/a/10173447 (2) https://stackoverflow.com/a/6343059

Recommended answer

You need to re-read the answers to those questions. SNI is not supported on the server side until Java 8. The minimum Java version that Tomcat 8 has to support is Java 7 so at the moment there is no SNI support in Tomcat.

It may be possible to optionally support SNI if Tomcat is running on Java 8 or later but that would need code changes in Tomcat for which there are currently no plans.

Update as of December 2014:

Adding SNI support is on the TODO list for Tomcat 9. That TODO list is quite long and SNI is not currently at the top of the list. As always patches are welcome.

Once SNI is implemented in Tomcat 9 it is possible that SNI support might be back-ported to Tomcat 7 and Tomcat 8. Again, patches welcome.

Update as of June 2015:

SNI has been implemented for Tomcat 9. It is supported by all three HTTP connector implementations (NIO, NIO2 and APR/native). To use SNI with NIO or NIO2 you will need to compile Tomcat 9 (a.k.a. trunk) from source. To use SNI with APR/native you will also need to compile tc-native trunk (not the 1.1.x branch currently used by the Tomcat releases).

TLS configuration has changed significantly to support SNI. Details will be in the docs web application once you have built Tomcat 9.

Update as of November 2016:

SNI support is included in Tomcat 8.5.x. It is unlikely it will be back-ported further. i.e. It is unlikely to make it to 8.0.x or 7.0.x.
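
For Tomcat 8.5.x and later, the per-host keystore the question asks about is expressed with one `SSLHostConfig` element per server name inside a single connector. The `server.xml` fragment below is an added example, not part of the original answer or of Tomcat's shipped configuration; the host names, ports, keystore paths, aliases and passwords are placeholders.

```xml
<!-- Added example. example.com / example.org, file paths, aliases and
     passwords are placeholders, not values from the original post. -->
<Service name="Catalina">

  <!-- One TLS connector for both names. Tomcat selects the SSLHostConfig
       whose hostName matches the server name sent by the client via SNI. -->
  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             defaultSSLHostConfigName="example.com">

    <!-- Named as the default above, so this certificate is also presented
         to clients that send no SNI or ask for an unknown name. -->
    <SSLHostConfig hostName="example.com">
      <Certificate certificateKeystoreFile="conf/example-com.p12"
                   certificateKeystoreType="PKCS12"
                   certificateKeystorePassword="CHANGE_ME_1"
                   certificateKeyAlias="example-com"
                   type="RSA" />
    </SSLHostConfig>

    <!-- Second name, second keystore. -->
    <SSLHostConfig hostName="example.org">
      <Certificate certificateKeystoreFile="conf/example-org.p12"
                   certificateKeystoreType="PKCS12"
                   certificateKeystorePassword="CHANGE_ME_2"
                   certificateKeyAlias="example-org"
                   type="RSA" />
    </SSLHostConfig>
  </Connector>

  <!-- Virtual hosts are still chosen by the HTTP Host header; SNI only
       decides which certificate is presented during the handshake. -->
  <Engine name="Catalina" defaultHost="example.com">
    <Host name="example.com" appBase="webapps-com" />
    <Host name="example.org" appBase="webapps-org" />
  </Engine>
</Service>
```

To confirm which certificate each name receives, run `openssl s_client -connect localhost:8443 -servername example.org` and compare the subject of the returned certificate with the one returned when `-servername` is omitted. Because `server.xml` now carries keystore passwords, restrict read access on it to the account Tomcat runs as.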
