On 23.10.2009 20:49, Christopher Schultz wrote:
> Rainer,
> 
> On 10/23/2009 1:36 PM, Rainer Jung wrote:
>> Keep in mind the 8KB limit for the AJP header packet. Especially in case
>> you sometime switch to a longer certificate chain, then you might run
>> into it (and will be able to fix it with max_packet_size).
> 
> I will certainly keep this in mind, especially since I'm likely to use a
> top-level CA and then multiple signing CAs for our deployment strategy
> (therefore increasing the cert chain by 50%).
> 
> I haven't decided whether or not to have mod_jk forward the entire
> certificate chain, but I wasn't able to discern a difference between
> "JkOptions +ForwardSSLCertChain" and the default
> ("-ForwardSSLCertChain", right?).

Default is off, right.
If turned on, mod_jk should not only forward the client cert, but also
all the rest of the cert chain. It takes those out of the Apache env vars

SSL_CLIENT_CERT_CHAIN_*

mod_ssl docs say:

SSL_CLIENT_CERT_CHAIN_n:
PEM-encoded certificates in client certificate chain

> There's no particular need to have the
> client (or httpd) forward the entire chain to my server, since my server
> will have all the CA certs necessary to do the validation, as long as
> the client cert makes it through the whole chain of communication.

OK

> I seem to recall that, at one point, a mod_jk recompile was necessary to
> increase the packet size. Has it become a configuration option at this
> point? Or am I thinking of something else?

Configuration (mod_jk: max_packet_size and Tomcat: packetSize).

Regards,

Rainer
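As an added example (not from this thread and not mod_jk's own code): a small Python estimate of how much of the AJP request packet the forwarded client cert occupies with and without the chain, to decide whether max_packet_size / packetSize need raising. It assumes AJP13 string encoding (u16 length + bytes + NUL) plus a one-byte attribute code, that mod_jk appends the SSL_CLIENT_CERT_CHAIN_n PEM blocks to the client cert when ForwardSSLCertChain is on, and a constructed 3000-byte allowance for the rest of the request headers; the certificates are fake DER blobs sized like RSA-2048 certs, not real ones.

```python
import base64
import random

AJP_DEFAULT_PACKET = 8192   # default AJP request packet size (the "8KB limit")
AJP_MAX_PACKET = 65536      # upper bound both mod_jk max_packet_size and Tomcat packetSize accept
ATTR_OVERHEAD = 1 + 2 + 1   # assumption: attribute code + u16 length + trailing NUL (AJP13 string)


def pem_from_der(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-char base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def chain_from_env(env):
    """Collect SSL_CLIENT_CERT_CHAIN_0, _1, ... in order, as mod_ssl exports them."""
    chain, n = [], 0
    while "SSL_CLIENT_CERT_CHAIN_%d" % n in env:
        chain.append(env["SSL_CLIENT_CERT_CHAIN_%d" % n])
        n += 1
    return chain


def ssl_cert_attribute_bytes(client_cert, chain, forward_chain):
    """Bytes the ssl_cert attribute takes in the packet; chain is appended only if forwarded."""
    payload = client_cert + ("".join(chain) if forward_chain else "")
    return ATTR_OVERHEAD + len(payload.encode("ascii"))


def needed_packet_size(cert_bytes, other_header_bytes):
    """Smallest multiple of 1024 (capped at AJP_MAX_PACKET) holding cert + other headers."""
    needed = cert_bytes + other_header_bytes
    return min(-(-needed // 1024) * 1024, AJP_MAX_PACKET)


def check(env, forward_chain, other_header_bytes=3000, packet_size=AJP_DEFAULT_PACKET):
    """Return (fits, bytes_needed, suggested_packet_size) for the given forwarding mode."""
    cert_bytes = ssl_cert_attribute_bytes(env["SSL_CLIENT_CERT"], chain_from_env(env), forward_chain)
    needed = cert_bytes + other_header_bytes
    return needed <= packet_size, needed, needed_packet_size(cert_bytes, other_header_bytes)


# Constructed sample: three fake 1400-byte DER blobs (client cert + two intermediates), not real certs
_rng = random.Random(7)
_fake_der = [bytes(_rng.getrandbits(8) for _ in range(1400)) for _ in range(3)]
SAMPLE_ENV = {
    "SSL_CLIENT_CERT": pem_from_der(_fake_der[0]),
    "SSL_CLIENT_CERT_CHAIN_0": pem_from_der(_fake_der[1]),
    "SSL_CLIENT_CERT_CHAIN_1": pem_from_der(_fake_der[2]),
}

if __name__ == "__main__":
    for fwd in (False, True):
        fits, needed, suggest = check(SAMPLE_ENV, fwd)
        print("ForwardSSLCertChain=%s: %d bytes, fits=%s, suggested packet size %d" % (fwd, needed, fits, suggest))
```

With these sizes the client cert alone fits comfortably, while forwarding the two-intermediate chain pushes the request past 8192 bytes, which is the case Rainer warns about.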

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
