Rainer,

On 10/23/2009 1:36 PM, Rainer Jung wrote:
> Keep in mind the 8KB limit for the AJP header packet. Especially in case
> you sometime switch to a longer certificate chain, then you might run
> into it (and will be able to fix it with max_packet_size).

I will certainly keep this in mind, especially since I'm likely to use a
top-level CA and then multiple signing CAs for our deployment strategy
(therefore increasing the cert chain by 50%).

I haven't decided whether or not to have mod_jk forward the entire
certificate chain, but I wasn't able to discern a difference between
"JkOptions +ForwardSSLCertChain" and the default
("-ForwardSSLCertChain", right?). There's no particular need to have the
client (or httpd) forward the entire chain to my server, since my server
will have all the CA certs necessary to do the validation, as long as
the client cert makes it through the whole chain of communication.

I seem to recall that, at one point, a mod_jk recompile was necessary to
increase the packet size. Has it become a configuration option at this
point? Or am I thinking of something else?

Thanks,
-chris