HowTo setup Tomcat serving two SSL Certificates using SNI?

tomcat ssl ssl-certificate sni
nexus picture nexus · Nov 25, 2013 · Viewed 12.2k times · Source

According to these two answers [1] [2] it's possible to have two SSL certificates serving from the same Apache Tomcat using Server Name Indication (SNI).

My question is then, how to setup this? I could setup two virtual hosts but I still have then just one connector which presents the specified SSL certificate to the client. In the connector one can specify the keystore and alias to use for the certificate but there is no parameter saying for which virtual host this connector is for or which certificate he should present to the client according to the used domain.

How can I tell tomcat which SSL certificate (or to be more correct which keystore) he has to use while using SNI?

[1] https://stackoverflow.com/a/10173447
[2] https://stackoverflow.com/a/6343059

Answer

Mark Thomas picture Mark Thomas · Nov 29, 2013

You need to re-read the answers to those question. SNI is not supported on the server side until Java 8. The minimum Java version that Tomcat 8 has to support is Java 7 so at the moment there i no SNI support in Tomcat.

It may be possible to optionally support SNI if Tomcat is running on Java 8 or later but that would need code changes in Tomcat for which there are currently no plans.

Update as of December 2014:

Adding SNI support is on the TODO list for Tomcat 9. That TODO list is quite long and SNI is not currently at the top of the list. As always patches are welcome.

Once SNI is implemented in Tomcat 9 it is possible that SNI support might be back-ported to Tomcat 7 and Tomcat 8. Again, patched welcome.

Update as of June 2015:

SNI has been implemented for Tomcat 9. It is supported by all three HTTP connector implementations (NIO, NIO2 and APR/native). To use SNI with NIO or NIO2 you will need to compile Tomcat 9 (a.k.a. trunk) from source. To use SNI with APR/native you will also need to compile tc-native trunk (not the 1.1.x branch currently used by the Tomcat releases).

TLS configuration has changed significantly to support SNI. Details will be in the docs web application once you have build Tomcat 9.

Update as of November 2016:

SNI support is included in Tomcat 8.5.x. It is unlikely it will be back-ported further. i.e. It is unlikely to make it to 8.0.x or 7.0.x.

Related questions

Tomcat Server/Client Self-Signed SSL Certificate

I have an Apache Tomcat 6.x server running with a self-signed SSL certificate. I want the client to present their own certificate to the server so I can authenticate them based on a database of users. I have it all …

Read More
TLS_RSA_WITH_AES_128_CBC_SHA and SSL_RSA_WITH_AES_128_CBC_SHA

Is there any difference between these cipher suites? They look the same however the first three letters are different. I am referring to TLS_RSA_WITH_AES_128_CBC_SHA and SSL_RSA_WITH_AES_128_CBC_SHA.

Read More
keytool error bash: keytool: command not found

I have tried to execute keytool from Java bin directory but I get an error with warning bash: keytool: command not found. root@xxxxxx]# keytool -genkey -alias mypassword -keyalg RSA bash: keytools: command not found

Read More