On 23.10.2009 20:49, Christopher Schultz wrote:
> Rainer,
>
> On 10/23/2009 1:36 PM, Rainer Jung wrote:
>> Keep in mind the 8KB limit for the AJP header packet. Especially in case
>> you sometime switch to a longer certificate chain, then you might run
>> into it (and will be able to fix it with max_packet_size).
>
> I will certainly keep this in mind, especially since I'm likely to use a
> top-level CA and then multiple signing CAs for our deployment strategy
> (therefore increasing the cert chain by 50%).
>
> I haven't decided whether or not to have mod_jk forward the entire
> certificate chain, but I wasn't able to discern a difference between
> "JkOptions +ForwardSSLCertChain" and the default
> ("-ForwardSSLCertChain", right?).
Default is off, right. If turned on, mod_jk should not only forward the
client cert, but also all the rest of the cert chain. It takes those out
of the Apache env vars SSL_CLIENT_CERT_CHAIN_*. The mod_ssl docs say:

SSL_CLIENT_CERT_CHAIN_n: PEM-encoded certificates in client certificate chain

> There's no particular need to have the
> client (or httpd) forward the entire chain to my server, since my server
> will have all the CA certs necessary to do the validation, as long as
> the client cert makes it through the whole chain of communication.

OK

> I seem to recall that, at one point, a mod_jk recompile was necessary to
> increase the packet size. Has it become a configuration option at this
> point? Or am I thinking of something else?

Configuration (mod_jk: max_packet_size and Tomcat: packetSize).

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
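The two settings Rainer names at the end, mod_jk's max_packet_size and Tomcat's packetSize, only help when they agree on both ends of the AJP link. The script below is an added example, not part of this thread or of mod_jk/Tomcat: it pulls the value from a workers.properties and a server.xml (both constructed samples here, not real deployment files), applies the 8192-byte default each side uses when the setting is absent, and reports a mismatch.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check that mod_jk's
# max_packet_size and Tomcat's AJP packetSize agree. A chain that fits the
# raised limit on one side is still rejected on the other if it was left
# at the default. Sample files below are constructed for the demo.

# ajp_sizes_match WORKERS_PROPERTIES SERVER_XML
# Extracts the first max_packet_size and the first packetSize, falls back
# to 8192 (the default on both sides), prints both, returns 0 only if equal.
ajp_sizes_match() {
    mj=$(sed -n 's/^[[:space:]]*worker\.[A-Za-z0-9_-]*\.max_packet_size[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$1" | head -n 1)
    tc=$(sed -n 's/.*packetSize="\([0-9][0-9]*\)".*/\1/p' "$2" | head -n 1)
    mj=${mj:-8192}
    tc=${tc:-8192}
    echo "mod_jk max_packet_size=$mj  Tomcat packetSize=$tc"
    [ "$mj" -eq "$tc" ]
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample 1: both ends raised to 64KB for a longer cert chain.
cat > "$tmp/workers.properties" <<'EOF'
worker.list=ajp13
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
worker.ajp13.max_packet_size=65536
EOF
cat > "$tmp/server.xml" <<'EOF'
<Connector port="8009" protocol="AJP/1.3" packetSize="65536" redirectPort="8443" />
EOF

# Constructed sample 2: mod_jk raised, Tomcat left at its 8192 default.
cat > "$tmp/server-default.xml" <<'EOF'
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
EOF

ajp_sizes_match "$tmp/workers.properties" "$tmp/server.xml" && echo "OK: sizes agree"
ajp_sizes_match "$tmp/workers.properties" "$tmp/server-default.xml" || echo "MISMATCH: raise packetSize on the Tomcat AJP Connector too"
```

The check only reads the first worker and the first Connector it finds; with several AJP workers or connectors, run it per pair.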