Hi Chris,
On 25.05.2015 at 14:01, Christopher Schultz wrote:
> Rainer,
> On 5/24/15 2:09 PM, Rainer Jung wrote:
>> mod_ssl supports multiple certificates for the same host, one with RSA
>> key, one with DSA key and one with EC key. They can be configured at the
>> same time.
> So the connector would be able to handshake using any of the 3 different
> types of certificate for the same hostname?
>> Although tcnative has the code to handle that, we currently do not wire
>> it. We would need a way to express in the ssl config that multiple
>> certificates are used (for the same name). A way to distinguish which
>> one is the one with RSA would be helpful. mod_ssl does it by requiring
>> it to be the first one. Any ideas how to express this in the config so
>> that we can create the wiring down to tcnative? Or do we think it is an
>> exotic feature?
> Mark has been doing a whole lot of work recently to both unify the TLS
> configuration across all connectors (OpenSSL and JSSE) as well as
> support SNI. Since it's all changing, this would be a good time to
> either add some new configuration attributes (-0 for me) or to change
> the format of the "certificate" (or whatever) value to support multiple
> values. I'm +1 for something like comma-separated multi-valued, like this:
>
> <SSLHostConfig ...
> certificateFile="/path/to/rsa.pem, , /path/to/ec.pem"
>
> Note the double-comma, indicating that there is no DSA certificate in
> this example.
Actually only the first certificate has a special meaning. AFAIK the one
with the RSA key has to come first, DSA (very rarely used) and EC(DSA)
(should become more popular) can come after without any special ordering
and without any problem if one or both are missing. New server key types
can turn up in the future and then the number could grow.
>> Furthermore if we want to support all three (RSA, DSA, EC) at the same
>> time, it would require the use of a new tcnative version, because it has
>> a fixed array length of 2 for the certificates.
> Do you mean a new major version of tcnative? Presumably, we'd need a new
> version to wire those certificates all the way down to OpenSSL... or
> does tcnative /currently/ have the capability to offer /two/ different
> types, just not /three/?
>
> In any case, it makes sense to me to start improving tcnative with an
> eye towards supporting these use cases in the future, even if we aren't
> ready at the Tomcat level.
tcnative already supports up to two certificates if the Java API
provides an index when handing over the certificate. Tomcat always sets
the index to 0.
So if we are going to improve Tomcat to handle multiple certificates,
tcnative must be able to handle the incoming indexes. The biggest
allowed index currently is 1. Short term mitigation would be to simply
allow max 2 (0, 1, 2) in tcnative, but actually it would be better to
allocate them dynamically. That would simply be a new minor version of
tcnative, because the API stays compatible.
Then we would require that new tcnative version in all Tomcat versions,
handing over more than one certificate. If we wouldn't require it, a new
Tomcat could pass an index > 1 to an old tcnative version, which leads to
overwriting parts of memory.
Regards,
Rainer
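As an added illustration of the index problem Rainer describes (not tcnative's or Tomcat's code; the struct and function names are assumptions), a certificate-slot store that validates the caller-supplied index and grows its array on demand instead of writing past a fixed array of two:

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical certificate-slot store modelled on the thread above (not
 * tcnative's or Tomcat's code; all names are assumptions). Tomcat hands each
 * certificate over with an index (0 = RSA, later slots DSA/EC); the store
 * validates that index instead of writing into a fixed two-element array. */
typedef struct {
    char **certs;   /* grown on demand; NULL entries are empty slots */
    size_t ncerts;  /* number of slots currently allocated */
} ssl_ctx_t;

/* Hard upper bound so a huge index cannot drive an unbounded allocation. */
#define MAX_CERT_SLOTS 16

/* Returns 0 on success, -1 for an invalid index or path, -2 on allocation
 * failure. A fixed array of two would silently corrupt memory for idx >= 2. */
int ctx_set_certificate(ssl_ctx_t *ctx, int idx, const char *path) {
    if (idx < 0 || idx >= MAX_CERT_SLOTS || path == NULL) return -1;
    if ((size_t)idx >= ctx->ncerts) {
        size_t newn = (size_t)idx + 1;
        char **grown = realloc(ctx->certs, newn * sizeof *grown);
        if (!grown) return -2;
        for (size_t i = ctx->ncerts; i < newn; i++) grown[i] = NULL;
        ctx->certs = grown;
        ctx->ncerts = newn;
    }
    size_t n = strlen(path) + 1;
    char *copy = malloc(n);
    if (!copy) return -2;
    memcpy(copy, path, n);
    free(ctx->certs[idx]);        /* replace an earlier value for this slot */
    ctx->certs[idx] = copy;
    return 0;
}

/* NULL for an empty or out-of-range slot. */
const char *ctx_get_certificate(const ssl_ctx_t *ctx, int idx) {
    if (idx < 0 || (size_t)idx >= ctx->ncerts) return NULL;
    return ctx->certs[idx];
}

void ctx_free(ssl_ctx_t *ctx) {
    for (size_t i = 0; i < ctx->ncerts; i++) free(ctx->certs[i]);
    free(ctx->certs);
    ctx->certs = NULL;
    ctx->ncerts = 0;
}
```

The empty middle slot mirrors the double-comma "no DSA certificate" case from the proposed config syntax.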