
We have a production Apache Tomcat server over which some websites are served. The sites have started to request valid SSL certificates. We have some limitations on the number of valid IPs on our server. On the other hand, we have read about Server Name Indication (SNI) in the recent SSL versions which appears to be supported by all major web browsers and enables us to have multiple SSL-enabled sites on a single IP address.

The problem is that neither Apache Tomcat has support for SNI in its stable release, nor does a major commercial server like WebLogic.

After all, could SNI be considered a mature solution to this problem?

Thanks.

user2798081
  • SNI is absolutely considered mature. Tomcat are simply behind in support although it is supported in Tomcat 9 (dev I know) – Drifter104 Nov 09 '15 at 12:32
  • The main problem is the lack of SNI support in server side Java. SNI of a form was added in Java 8 but it is essentially useless for TLS virtual hosting. Tomcat 9 will have proper SNI support along with other TLS goodies. The first 9.0.x RC is due just as soon as I can iron out the last few known wrinkles on Windows. Once we are convinced that is stable it will be back-ported to 8.0.x. – Mark Thomas Nov 09 '15 at 23:45

1 Answer


SNI is definitely the way to go and is very mature. Doing SSL directly in Tomcat is generally discouraged, though. The problem is that the Tomcat SSL libraries are generally outdated and incomplete. The typical way to do SSL with a Tomcat site is to proxy the content through another program (httpd, HAProxy, Pound, etc.) which can add SSL to the request between the client and the proxy. If you do the proxying on the same server that's running Tomcat there's no plain text traffic on the network (i.e. it's not a security concern). I'm not sure about HAProxy and Pound but I know httpd has good support for SNI built in.

David King
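As an added example (not part of the original answer), this is the httpd 2.4 side of the setup the answer describes: two SNI virtual hosts sharing one IP, each terminating TLS and proxying to a Tomcat connector on the same machine. The hostnames, certificate paths and the 8080 backend port are assumed placeholders.

```apache
# Added example, not from the original answer. Two SNI virtual hosts on a
# single IP; TLS ends at httpd and plain HTTP goes only over loopback.
Listen 443
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so

# Refuse clients that send no SNI or an unknown name instead of silently
# answering with the first vhost's certificate.
SSLStrictSNIVHostCheck on

<VirtualHost *:443>
    ServerName site1.example.com            # assumed placeholder
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site1.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/site1.example.com.key

    # Keep the client's Host header so Tomcat can select its own Host.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    # Tell Tomcat the original scheme (its RemoteIpValve can honour this
    # with protocolHeader="X-Forwarded-Proto") so redirects stay https.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

<VirtualHost *:443>
    ServerName site2.example.com            # assumed placeholder
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site2.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/site2.example.com.key

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

For the "no plain text on the network" property to hold, the Tomcat HTTP Connector in server.xml should bind to loopback only (address="127.0.0.1") so the unencrypted backend port is not reachable from other hosts.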