Rainer,

On 5/24/15 2:09 PM, Rainer Jung wrote:
> mod_ssl supports multiple certificates for the same host, one with RSA
> key, one with DSA key and one with EC key. They can be configured at the
> same time.

So the connector would be able to handshake using any of the 3 different
types of certificate for the same hostname?

> Although tcnative has the code to handle that, we currently do not wire
> it. We would need a way to express in the ssl config, that multiple
> certificates are used (for the same name). A way to distinguish which
> one is the one with RSA would be helpful. mod_ssl does it by requiring
> it to be the first one. Any ideas how to express this in the config so
> that we can create the wiring down to tcnative? Or do we think it is an
> exotic feature?

Mark has been doing a whole lot of work recently to both unify the TLS
configuration across all connectors (OpenSSL and JSSE) as well as support
SNI. Since it's all changing, this would be a good time to either add some
new configuration attributes (-0 for me) or to change the format of the
"certificate" (or whatever) value to support multiple values.

I'm +1 for something like comma-separated multi-valued, like this:

  <SSLHostConfig ... certificateFile="/path/to/rsa.pem, , /path/to/ec.pem"

Note the double-comma, indicating that there is no DSA certificate in
this example.

> Furthermore if we want to support all three (RSA, DSA, EC) at the same
> time, it would require the use of a new tcnative version, because it has
> a fixed array length of 2 for the certificates.

Do you mean a new major version of tcnative? Presumably, we'd need a new
version to wire those certificates all the way down to OpenSSL... or does
tcnative /currently/ have the capability to offer /two/ different types,
just not /three/?

In any case, it makes sense to me to start improving tcnative with an eye
towards supporting these use cases in the future, even if we aren't ready
at the Tomcat level.

-chris
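The comma-separated `certificateFile` format proposed above, parsed the way the message describes it, as an added example that is not Tomcat or tcnative code: slot order follows the mod_ssl convention Rainer cites (RSA first, then DSA, then EC), an empty slot means that key type is not configured, and the `capacity` check models the fixed array length of 2 he mentions in tcnative. The function names and the sample value are constructed for the example.

```python
"""Parse the proposed multi-valued certificateFile attribute (example code)."""

# Positional meaning of the comma-separated slots, per the mod_ssl ordering
# referenced in the thread: the first entry is the RSA certificate.
SLOT_TYPES = ("RSA", "DSA", "EC")


def parse_certificate_files(value):
    """Map a value like "/a/rsa.pem, , /a/ec.pem" to {"RSA": ..., "DSA": None, "EC": ...}.

    Trailing slots may be omitted, so a plain single path is an RSA certificate,
    matching how a single-valued attribute behaves today.
    """
    entries = [e.strip() for e in value.split(",")]
    if len(entries) > len(SLOT_TYPES):
        raise ValueError("at most %d certificate entries allowed, got %d"
                         % (len(SLOT_TYPES), len(entries)))
    entries += [""] * (len(SLOT_TYPES) - len(entries))
    certs = {t: (p or None) for t, p in zip(SLOT_TYPES, entries)}
    configured = [p for p in certs.values() if p]
    if not configured:
        raise ValueError("certificateFile names no certificate")
    if len(set(configured)) != len(configured):
        raise ValueError("the same certificate file is listed in two slots")
    return certs


def configured_types(certs):
    """Key types that actually have a certificate, in slot order."""
    return [t for t in SLOT_TYPES if certs[t]]


def validation_error(value, capacity=2):
    """Return None if the value can be wired down, else a message.

    `capacity` is the number of certificates the native layer can hold; the
    thread notes the current tcnative array is fixed at 2, so all three types
    at once would need a newer tcnative.
    """
    try:
        certs = parse_certificate_files(value)
    except ValueError as exc:
        return str(exc)
    types = configured_types(certs)
    if len(types) > capacity:
        return ("%d certificates configured (%s) but the native layer holds %d"
                % (len(types), ", ".join(types), capacity))
    return None
```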