We have a production Apache Tomcat server over which some websites are served. The sites have started to request valid SSL certificates. We have some limitations on the number of valid IPs on our server. On the other hand, we have read about Server Name Indication (SNI) in the recent SSL versions which appears to be supported by all major web browsers and enables us to have multiple SSL-enabled sites on a single IP address.
The problem is that neither Apache Tomcat has support for SNI in its stable release, nor does a major commercial server like WebLogic.
After all, could SNI be considered a mature solution for this problem?
Thanks.
SNI is definitely the way to go and is very mature. Doing SSL directly in Tomcat is generally discouraged, though. The problem is that the Tomcat SSL libraries are generally outdated and incomplete. The typical way to do SSL with a Tomcat site is to proxy the content through another program (httpd, HAProxy, Pound, etc.) which can add SSL to the request between the client and the proxy. If you do the proxying on the same server that's running Tomcat there's no plain text traffic on the network (i.e. it's not a security concern). I'm not sure about HAProxy and Pound but I know httpd has good support for SNI built in.
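The setup the answer describes, written out as an added example (this is not configuration from the question, the answer, or the Tomcat or httpd projects): Apache httpd 2.4 terminates TLS for two hostnames on one IP address, selecting the certificate by SNI, and proxies each site to a Tomcat connector bound to the loopback interface. The hostnames, certificate paths and the Tomcat ports are assumed placeholders.

```apache
# Added example: httpd 2.4 as an SNI-aware TLS front end for Tomcat.
# Hostnames, certificate paths and backend ports are placeholders.
Listen 443
LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so

# Global TLS settings shared by every name-based vhost below.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Reject clients that send no SNI name instead of silently serving them
# the first vhost's certificate and content.
SSLStrictSNIVHostCheck on

# First site: certificate and backend chosen by the SNI name www.example-a.test
<VirtualHost *:443>
    ServerName www.example-a.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example-a.crt
    SSLCertificateKeyFile /etc/ssl/private/example-a.key

    # Tomcat for this site listens only on 127.0.0.1:8080, so the plaintext
    # hop between httpd and Tomcat never leaves the host.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    # Let the application know the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

# Second site on the same IP and port, distinguished purely by SNI.
<VirtualHost *:443>
    ServerName www.example-b.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example-b.crt
    SSLCertificateKeyFile /etc/ssl/private/example-b.key

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

On the Tomcat side, the matching HTTP `Connector` in `server.xml` should carry `address="127.0.0.1"` so it is not reachable from the network, and `scheme="https" secure="true" proxyPort="443"` so that redirects and `request.isSecure()` reflect the client's TLS connection rather than the plaintext hop. To confirm that each name really gets its own certificate, connect with `openssl s_client -connect <server-ip>:443 -servername www.example-b.test` and compare the subject of the presented certificate against a run with `-servername www.example-a.test`; with `SSLStrictSNIVHostCheck on`, a client that omits the name entirely is refused rather than handed the wrong site.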