On 20.11.2009 18:49, Rainer Jung wrote:
> The following line from your mod_jk log really shows what is being
> forwarded as an attribute to Tomcat. This is logged after retrieving the
> data from Apache but before sending it over the wire. At least we know
> we got the data from Apache and because it is three and not four certs
> it is likely that the root will not be forwarded.
>
> On 20.11.2009 17:20, Christopher Schultz wrote:
> [Fri Nov 20 15:45:13.878 2009] [7826:3057286032] [debug]
> init_ws_service::mod_jk.c (867): SSL client certificate (3620 bytes):
> -----BEGIN CERTIFICATE-----
> MIIC+zCCAmSgAwIBAgICFEowDQYJKoZIhvcNAQEFBQAwgYAxCzAJBgNVBAYTAlVT
> MREwDwYDVQQIEwhNYXJ5bGFuZDEhMB8GA1UEChMYVG90YWwgQ2hpbGQgSGVhbHRo
> LCBJbmMuMQ8wDQYDVQQLEwZDSEFESVMxKjAoBgNVBAMTIUNIQURJUyBDbGllbnQg
> U2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0wOTExMTkyMTQ5MDVaFw0xMTExMTkyMTQ5
> MDVaMIGHMQswCQYDVQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQxITAfBgNVBAoT
> GFRvdGFsIENoaWxkIEhlYWx0aCwgSW5jLjEPMA0GA1UECxMGQ0hBRElTMTEwLwYD
> VQQDFChDSEFESVMvRnJhbmtsaW4gU3F1YXJlIEhvc3BpdGFsIFdpUGFkICMxMIGf
> MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+TezrUb2Bo889dnSHQ9CSal1Jw0S5
> eV/74IlGMNnDS9PYZ8ITtdJXj3h9B1Ob8PjWpsDJQ03rb0oQEfX51nt6tcjQgRoV
> h1UGPF0uWvyyRqmK3EvmyGdtRCpgEtknf/e7DV84yGyxLD9dS+DzB8NnDoGV+kZf
> Q+HxIMp7W+NKuwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1P
> cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUL4u3oJ0I19j1
> j9FO7PmBZIKVqEwwHwYDVR0jBBgwFoAUqDuUvZYFkbiMwWdfjg2viJUd7f8wDQYJ
> KoZIhvcNAQEFBQADgYEAFXM0unMuvuf1ablBIhbgY3lJf1Mj3kk91ByUVrUDMZTf
> CWymm3dM4yoWX3XL67iatYNW5bNBcr+pOtPZB59vIC/kiadZY4jKqNmEeEZ3XHOn
> sEpUnvgA/a1JGGRRa4r47zepuPCDtg7RVTjiK+MlX8YkSkIuhyc51cApPHgPD8g=
> -----END CERTIFICATE-----

Since certs are public anyhow (not keys), here's the decoding done by
openssl -x509 -in ... -text:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5194 (0x144a)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS Client Signing Certificate
        Validity
            Not Before: Nov 19 21:49:05 2009 GMT
            Not After : Nov 19 21:49:05 2011 GMT
        Subject: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS/Franklin Square Hospital WiPad #1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:be:4d:ec:eb:51:bd:81:a3:cf:3d:76:74:87:43:
                    d0:92:6a:5d:49:c3:44:b9:79:5f:fb:e0:89:46:30:
                    d9:c3:4b:d3:d8:67:c2:13:b5:d2:57:8f:78:7d:07:
                    53:9b:f0:f8:d6:a6:c0:c9:43:4d:eb:6f:4a:10:11:
                    f5:f9:d6:7b:7a:b5:c8:d0:81:1a:15:87:55:06:3c:
                    5d:2e:5a:fc:b2:46:a9:8a:dc:4b:e6:c8:67:6d:44:
                    2a:60:12:d9:27:7f:f7:bb:0d:5f:38:c8:6c:b1:2c:
                    3f:5d:4b:e0:f3:07:c3:67:0e:81:95:fa:46:5f:43:
                    e1:f1:20:ca:7b:5b:e3:4a:bb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2F:8B:B7:A0:9D:08:D7:D8:F5:8F:D1:4E:EC:F9:81:64:82:95:A8:4C
            X509v3 Authority Key Identifier:
                keyid:A8:3B:94:BD:96:05:91:B8:8C:C1:67:5F:8E:0D:AF:88:95:1D:ED:FF
    Signature Algorithm: sha1WithRSAEncryption
        15:73:34:ba:73:2e:be:e7:f5:69:b9:41:22:16:e0:63:79:49:
        7f:53:23:de:49:3d:d4:1c:94:56:b5:03:31:94:df:09:6c:a6:
        9b:77:4c:e3:2a:16:5f:75:cb:eb:b8:9a:b5:83:56:e5:b3:41:
        72:bf:a9:3a:d3:d9:07:9f:6f:20:2f:e4:89:a7:59:63:88:ca:
        a8:d9:84:78:46:77:5c:73:a7:b0:4a:54:9e:f8:00:fd:ad:49:
        18:64:51:6b:8a:f8:ef:37:a9:b8:f0:83:b6:0e:d1:55:38:e2:
        2b:e3:25:5f:c6:24:4a:42:2e:87:27:39:d5:c0:29:3c:78:0f:
        0f:c8

> -----BEGIN CERTIFICATE-----
> MIIDbzCCAtigAwIBAgICM0AwDQYJKoZIhvcNAQEFBQAwfjELMAkGA1UEBhMCVVMx
> ETAPBgNVBAgTCE1hcnlsYW5kMSEwHwYDVQQKExhUb3RhbCBDaGlsZCBIZWFsdGgs
> IEluYy4xDzANBgNVBAsTBkNIQURJUzEoMCYGA1UEAxMfQ0hBRElTIFJvb3QgU2ln
> bmluZyBDZXJ0aWZpY2F0ZTAeFw0wOTExMTkyMTQ4MzNaFw0xOTExMTcyMTQ4MzNa
> MIGAMQswCQYDVQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQxITAfBgNVBAoTGFRv
> dGFsIENoaWxkIEhlYWx0aCwgSW5jLjEPMA0GA1UECxMGQ0hBRElTMSowKAYDVQQD
> EyFDSEFESVMgQ2xpZW50IFNpZ25pbmcgQ2VydGlmaWNhdGUwgZ8wDQYJKoZIhvcN
> AQEBBQADgY0AMIGJAoGBALMWXLw/9nmrZwgl34YxKnPkC0lWAxlGAXAIfwOAPvSL
> NciE1RfDGgdSPIn1zy6xnK00Ul2lzQUIpau2+Cl4IL8YW9uhLbKL3MLWnfEkkb7K
> R8jFRK6QYzHwvvkD6LaCk0nwePNdsltyCt3o9zq49OKOxuwv9TlZDSCIPb5I0xHt
> AgMBAAGjgfgwgfUwHQYDVR0OBBYEFKg7lL2WBZG4jMFnX44Nr4iVHe3/MIG4BgNV
> HSMEgbAwga2AFChNal3wLZ2NXSnmDV20IB7Tks8GoYGQpIGNMIGKMQswCQYDVQQG
> EwJVUzERMA8GA1UECBMITWFyeWxhbmQxEjAQBgNVBAcTCUJhbHRpbW9yZTEhMB8G
> A1UEChMYVG90YWwgQ2hpbGQgSGVhbHRoLCBJbmMuMQ8wDQYDVQQLEwZDSEFESVMx
> IDAeBgNVBAMTF0NIQURJUyBSb290IENlcnRpZmljYXRlggIhXjAMBgNVHRMEBTAD
> AQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQUFAAOBgQBHd+pjS+Yzz0A3lOkR
> pwTJSssxQ4fJ/52LjEYvtrI5uDGBkF0/yXEaI4PBAzE79NiqhAEzkSApRbVhfNbs
> Ar6PD0T/COi3gU5dejzoiymZdzAgawagTASkP4UUKQVKBFkQtbmGB5LNNzcXsOea
> rkFU0ywatgSU5zCheaWkinfVzw==
> -----END CERTIFICATE-----

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13120 (0x3340)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS Root Signing Certificate
        Validity
            Not Before: Nov 19 21:48:33 2009 GMT
            Not After : Nov 17 21:48:33 2019 GMT
        Subject: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS Client Signing Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b3:16:5c:bc:3f:f6:79:ab:67:08:25:df:86:31:
                    2a:73:e4:0b:49:56:03:19:46:01:70:08:7f:03:80:
                    3e:f4:8b:35:c8:84:d5:17:c3:1a:07:52:3c:89:f5:
                    cf:2e:b1:9c:ad:34:52:5d:a5:cd:05:08:a5:ab:b6:
                    f8:29:78:20:bf:18:5b:db:a1:2d:b2:8b:dc:c2:d6:
                    9d:f1:24:91:be:ca:47:c8:c5:44:ae:90:63:31:f0:
                    be:f9:03:e8:b6:82:93:49:f0:78:f3:5d:b2:5b:72:
                    0a:dd:e8:f7:3a:b8:f4:e2:8e:c6:ec:2f:f5:39:59:
                    0d:20:88:3d:be:48:d3:11:ed
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A8:3B:94:BD:96:05:91:B8:8C:C1:67:5F:8E:0D:AF:88:95:1D:ED:FF
            X509v3 Authority Key Identifier:
                keyid:28:4D:6A:5D:F0:2D:9D:8D:5D:29:E6:0D:5D:B4:20:1E:D3:92:CF:06
                DirName:/C=US/ST=Maryland/L=Baltimore/O=Total Child Health, Inc./OU=CHADIS/CN=CHADIS Root Certificate
                serial:21:5E
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
        47:77:ea:63:4b:e6:33:cf:40:37:94:e9:11:a7:04:c9:4a:cb:
        31:43:87:c9:ff:9d:8b:8c:46:2f:b6:b2:39:b8:31:81:90:5d:
        3f:c9:71:1a:23:83:c1:03:31:3b:f4:d8:aa:84:01:33:91:20:
        29:45:b5:61:7c:d6:ec:02:be:8f:0f:44:ff:08:e8:b7:81:4e:
        5d:7a:3c:e8:8b:29:99:77:30:20:6b:06:a0:4c:04:a4:3f:85:
        14:29:05:4a:04:59:10:b5:b9:86:07:92:cd:37:37:17:b0:e7:
        9a:ae:41:54:d3:2c:1a:b6:04:94:e7:30:a1:79:a5:a4:8a:77:
        d5:cf

> -----BEGIN CERTIFICATE-----
> MIIDgDCCAumgAwIBAgICIV4wDQYJKoZIhvcNAQEFBQAwgYoxCzAJBgNVBAYTAlVT
> MREwDwYDVQQIEwhNYXJ5bGFuZDESMBAGA1UEBxMJQmFsdGltb3JlMSEwHwYDVQQK
> ExhUb3RhbCBDaGlsZCBIZWFsdGgsIEluYy4xDzANBgNVBAsTBkNIQURJUzEgMB4G
> A1UEAxMXQ0hBRElTIFJvb3QgQ2VydGlmaWNhdGUwHhcNMDkxMTE5MjE0NzQ5WhcN
> MTkxMTE3MjE0NzQ5WjB+MQswCQYDVQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQx
> ITAfBgNVBAoTGFRvdGFsIENoaWxkIEhlYWx0aCwgSW5jLjEPMA0GA1UECxMGQ0hB
> RElTMSgwJgYDVQQDEx9DSEFESVMgUm9vdCBTaWduaW5nIENlcnRpZmljYXRlMIGf
> MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRH0fCILLYQ6GlYIPLKqSkB088eSOO
> e3a5WYPsM7+2hxZ/Cfhlo+kWHGTGV/hj5mNTNNOrzlYP/0dj5SPAxWb3rctI/tSv
> ng1OYHJDbuHPem4AUFu6J8bCWKx1VHRwEI+EOCASHsyTVx6zwzdGceTwdZOLJ0au
> h+DD504Hr/J0AwIDAQABo4H/MIH8MB0GA1UdDgQWBBQoTWpd8C2djV0p5g1dtCAe
> 05LPBjCBvwYDVR0jBIG3MIG0gBQ7YcI6LIrWzvdFGyUBmNDqnsj1UqGBkKSBjTCB
> ijELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1hcnlsYW5kMRIwEAYDVQQHEwlCYWx0
> aW1vcmUxITAfBgNVBAoTGFRvdGFsIENoaWxkIEhlYWx0aCwgSW5jLjEPMA0GA1UE
> CxMGQ0hBRElTMSAwHgYDVQQDExdDSEFESVMgUm9vdCBDZXJ0aWZpY2F0ZYIJAN3k
> WK0VaBELMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUA
> A4GBAE6nIhSpGR36zuP70sqgOcui+KvtsC2oqJziEENrzSW9aaEdGifDX0/UeMY2
> 94X9b2DaUY4m1Zbi/ybTzENxkK+qwPZTgfsN5xkXwm8grXz/r8y1zT1Jkdl0EH5G
> ihpbqb5COIdhUiAq+cdqfa5sRe0CB1olxD8UqVlORDcikydH
> -----END CERTIFICATE-----

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8542 (0x215e)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Maryland, L=Baltimore, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS Root Certificate
        Validity
            Not Before: Nov 19 21:47:49 2009 GMT
            Not After : Nov 17 21:47:49 2019 GMT
        Subject: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS Root Signing Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d1:1f:47:c2:20:b2:d8:43:a1:a5:60:83:cb:2a:
                    a4:a4:07:4f:3c:79:23:8e:7b:76:b9:59:83:ec:33:
                    bf:b6:87:16:7f:09:f8:65:a3:e9:16:1c:64:c6:57:
                    f8:63:e6:63:53:34:d3:ab:ce:56:0f:ff:47:63:e5:
                    23:c0:c5:66:f7:ad:cb:48:fe:d4:af:9e:0d:4e:60:
                    72:43:6e:e1:cf:7a:6e:00:50:5b:ba:27:c6:c2:58:
                    ac:75:54:74:70:10:8f:84:38:20:12:1e:cc:93:57:
                    1e:b3:c3:37:46:71:e4:f0:75:93:8b:27:46:ae:87:
                    e0:c3:e7:4e:07:af:f2:74:03
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                28:4D:6A:5D:F0:2D:9D:8D:5D:29:E6:0D:5D:B4:20:1E:D3:92:CF:06
            X509v3 Authority Key Identifier:
                keyid:3B:61:C2:3A:2C:8A:D6:CE:F7:45:1B:25:01:98:D0:EA:9E:C8:F5:52
                DirName:/C=US/ST=Maryland/L=Baltimore/O=Total Child Health, Inc./OU=CHADIS/CN=CHADIS Root Certificate
                serial:DD:E4:58:AD:15:68:11:0B
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
        4e:a7:22:14:a9:19:1d:fa:ce:e3:fb:d2:ca:a0:39:cb:a2:f8:
        ab:ed:b0:2d:a8:a8:9c:e2:10:43:6b:cd:25:bd:69:a1:1d:1a:
        27:c3:5f:4f:d4:78:c6:36:f7:85:fd:6f:60:da:51:8e:26:d5:
        96:e2:ff:26:d3:cc:43:71:90:af:aa:c0:f6:53:81:fb:0d:e7:
        19:17:c2:6f:20:ad:7c:ff:af:cc:b5:cd:3d:49:91:d9:74:10:
        7e:46:8a:1a:5b:a9:be:42:38:87:61:52:20:2a:f9:c7:6a:7d:
        ae:6c:45:ed:02:07:5a:25:c4:3f:14:a9:59:4e:44:37:22:93:
        27:47

You expected

Root Cert <- Root Signing Cert <- Sub Signing Cert <- My Client Cert

and instead we see:

Issuer: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS Client Signing Certificate
Subject: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS/Franklin Square Hospital WiPad #1

Issuer: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS Root Signing Certificate
Subject: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS Client Signing Certificate

Issuer: C=US, ST=Maryland, L=Baltimore, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS Root Certificate
Subject: C=US, ST=Maryland, O=Total Child Health, Inc., OU=CHADIS, CN=CHADIS Root Signing Certificate

So in fact the root is missing when sending the whole stuff.

The native code in Apache and mod_jk looks like sending the client cert and the cert chain, and the cert chain is retrieved via SSL_get_peer_cert_chain(), which is unfortunately not really documented whether to include the root or not :(

OpenSSL code looks like only returning the chain provided by the client, and the client should not provide the root. At the moment I see no way of getting the root CA which verified the client chain from OpenSSL or Apache, so especially no way to forward it.

The root should really be available directly to Tomcat in some certificate store and the client side of the chain received via mod_jk and TC 5.5.28 should be verified against that locally available root.

Does that make sense?

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
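Rainer's reading of the three decoded certificates (the forwarded chain stops at the Root Signing certificate, so the root itself never arrives at Tomcat) can be checked mechanically on the Tomcat side. The script below is an added example, not code from this thread, from mod_jk or from Tomcat. It takes the three PEM certificates quoted from the mod_jk log above (base64 bodies joined onto one line each), extracts issuer and subject from each with a minimal DER walker (standard library only, so it runs where the `cryptography` package is not installed), confirms that each certificate's issuer equals the next certificate's subject, and reports whether the last certificate is self-issued, i.e. whether the trust anchor travelled with the chain. If not, it names the CA that a local trust store has to supply. It checks name chaining only, not signatures, validity or key usage; the point is to show what the forwarded SSL_CLIENT_CERT_CHAIN attribute does and does not contain.

```python
import base64
import re

# The three certificates quoted from the mod_jk log in this thread, in the order
# mod_jk forwarded them: client (leaf) cert, "CHADIS Client Signing" intermediate,
# "CHADIS Root Signing" intermediate. Base64 bodies are the page's, one line each.
CHAIN_PEM = """-----BEGIN CERTIFICATE-----
MIIC+zCCAmSgAwIBAgICFEowDQYJKoZIhvcNAQEFBQAwgYAxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFuZDEhMB8GA1UEChMYVG90YWwgQ2hpbGQgSGVhbHRoLCBJbmMuMQ8wDQYDVQQLEwZDSEFESVMxKjAoBgNVBAMTIUNIQURJUyBDbGllbnQgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0wOTExMTkyMTQ5MDVaFw0xMTExMTkyMTQ5MDVaMIGHMQswCQYDVQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQxITAfBgNVBAoTGFRvdGFsIENoaWxkIEhlYWx0aCwgSW5jLjEPMA0GA1UECxMGQ0hBRElTMTEwLwYDVQQDFChDSEFESVMvRnJhbmtsaW4gU3F1YXJlIEhvc3BpdGFsIFdpUGFkICMxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+TezrUb2Bo889dnSHQ9CSal1Jw0S5eV/74IlGMNnDS9PYZ8ITtdJXj3h9B1Ob8PjWpsDJQ03rb0oQEfX51nt6tcjQgRoVh1UGPF0uWvyyRqmK3EvmyGdtRCpgEtknf/e7DV84yGyxLD9dS+DzB8NnDoGV+kZfQ+HxIMp7W+NKuwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUL4u3oJ0I19j1j9FO7PmBZIKVqEwwHwYDVR0jBBgwFoAUqDuUvZYFkbiMwWdfjg2viJUd7f8wDQYJKoZIhvcNAQEFBQADgYEAFXM0unMuvuf1ablBIhbgY3lJf1Mj3kk91ByUVrUDMZTfCWymm3dM4yoWX3XL67iatYNW5bNBcr+pOtPZB59vIC/kiadZY4jKqNmEeEZ3XHOnsEpUnvgA/a1JGGRRa4r47zepuPCDtg7RVTjiK+MlX8YkSkIuhyc51cApPHgPD8g=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDbzCCAtigAwIBAgICM0AwDQYJKoZIhvcNAQEFBQAwfjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1hcnlsYW5kMSEwHwYDVQQKExhUb3RhbCBDaGlsZCBIZWFsdGgsIEluYy4xDzANBgNVBAsTBkNIQURJUzEoMCYGA1UEAxMfQ0hBRElTIFJvb3QgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0wOTExMTkyMTQ4MzNaFw0xOTExMTcyMTQ4MzNaMIGAMQswCQYDVQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQxITAfBgNVBAoTGFRvdGFsIENoaWxkIEhlYWx0aCwgSW5jLjEPMA0GA1UECxMGQ0hBRElTMSowKAYDVQQDEyFDSEFESVMgQ2xpZW50IFNpZ25pbmcgQ2VydGlmaWNhdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALMWXLw/9nmrZwgl34YxKnPkC0lWAxlGAXAIfwOAPvSLNciE1RfDGgdSPIn1zy6xnK00Ul2lzQUIpau2+Cl4IL8YW9uhLbKL3MLWnfEkkb7KR8jFRK6QYzHwvvkD6LaCk0nwePNdsltyCt3o9zq49OKOxuwv9TlZDSCIPb5I0xHtAgMBAAGjgfgwgfUwHQYDVR0OBBYEFKg7lL2WBZG4jMFnX44Nr4iVHe3/MIG4BgNVHSMEgbAwga2AFChNal3wLZ2NXSnmDV20IB7Tks8GoYGQpIGNMIGKMQswCQYDVQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQxEjAQBgNVBAcTCUJhbHRpbW9yZTEhMB8GA1UEChMYVG90YWwgQ2hpbGQgSGVhbHRoLCBJbmMuMQ8wDQYDVQQLEwZDSEFESVMxIDAeBgNVBAMTF0NIQURJUyBSb290IENlcnRpZmljYXRlggIhXjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQUFAAOBgQBHd+pjS+Yzz0A3lOkRpwTJSssxQ4fJ/52LjEYvtrI5uDGBkF0/yXEaI4PBAzE79NiqhAEzkSApRbVhfNbsAr6PD0T/COi3gU5dejzoiymZdzAgawagTASkP4UUKQVKBFkQtbmGB5LNNzcXsOearkFU0ywatgSU5zCheaWkinfVzw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDgDCCAumgAwIBAgICIV4wDQYJKoZIhvcNAQEFBQAwgYoxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFuZDESMBAGA1UEBxMJQmFsdGltb3JlMSEwHwYDVQQKExhUb3RhbCBDaGlsZCBIZWFsdGgsIEluYy4xDzANBgNVBAsTBkNIQURJUzEgMB4GA1UEAxMXQ0hBRElTIFJvb3QgQ2VydGlmaWNhdGUwHhcNMDkxMTE5MjE0NzQ5WhcNMTkxMTE3MjE0NzQ5WjB+MQswCQYDVQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQxITAfBgNVBAoTGFRvdGFsIENoaWxkIEhlYWx0aCwgSW5jLjEPMA0GA1UECxMGQ0hBRElTMSgwJgYDVQQDEx9DSEFESVMgUm9vdCBTaWduaW5nIENlcnRpZmljYXRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRH0fCILLYQ6GlYIPLKqSkB088eSOOe3a5WYPsM7+2hxZ/Cfhlo+kWHGTGV/hj5mNTNNOrzlYP/0dj5SPAxWb3rctI/tSvng1OYHJDbuHPem4AUFu6J8bCWKx1VHRwEI+EOCASHsyTVx6zwzdGceTwdZOLJ0auh+DD504Hr/J0AwIDAQABo4H/MIH8MB0GA1UdDgQWBBQoTWpd8C2djV0p5g1dtCAe05LPBjCBvwYDVR0jBIG3MIG0gBQ7YcI6LIrWzvdFGyUBmNDqnsj1UqGBkKSBjTCBijELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1hcnlsYW5kMRIwEAYDVQQHEwlCYWx0aW1vcmUxITAfBgNVBAoTGFRvdGFsIENoaWxkIEhlYWx0aCwgSW5jLjEPMA0GA1UECxMGQ0hBRElTMSAwHgYDVQQDExdDSEFESVMgUm9vdCBDZXJ0aWZpY2F0ZYIJAN3kWK0VaBELMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAE6nIhSpGR36zuP70sqgOcui+KvtsC2oqJziEENrzSW9aaEdGifDX0/UeMY294X9b2DaUY4m1Zbi/ybTzENxkK+qwPZTgfsN5xkXwm8grXz/r8y1zT1Jkdl0EH5Gihpbqb5COIdhUiAq+cdqfa5sRe0CB1olxD8UqVlORDcikydH
-----END CERTIFICATE-----
"""

OID_COMMON_NAME = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)


def pem_to_der_list(pem_text):
    """Split a PEM bundle into DER blobs, preserving the order they were sent in."""
    bodies = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [base64.b64decode("".join(body.split())) for body in bodies]


def der_children(value):
    """Parse consecutive DER TLVs in `value`; return [(tag, contents, whole_tlv), ...]."""
    out, pos = [], 0
    while pos < len(value):
        tag, first = value[pos], value[pos + 1]
        if first < 0x80:                       # short-form length
            hdr, length = 2, first
        else:                                  # long form: low 7 bits = number of length octets
            n = first & 0x7F
            hdr = 2 + n
            length = int.from_bytes(value[pos + 2:pos + 2 + n], "big")
        start = pos + hdr
        out.append((tag, value[start:start + length], value[pos:start + length]))
        pos = start + length
    return out


def cert_names(der):
    """Return (issuer, subject) of an X.509 certificate as raw DER Name encodings."""
    _, cert_contents, _ = der_children(der)[0]           # Certificate ::= SEQUENCE
    _, tbs_contents, _ = der_children(cert_contents)[0]  # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs_contents)
    if fields[0][0] == 0xA0:                             # EXPLICIT [0] version (present in v3 certs)
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][2], fields[4][2]


def common_name(name_der):
    """Extract the CN attribute (as text) from a DER-encoded Name, or None if absent."""
    _, rdn_sequence, _ = der_children(name_der)[0]       # Name ::= SEQUENCE OF RDN
    for _, rdn_set, _ in der_children(rdn_sequence):     # RDN ::= SET OF AttributeTypeAndValue
        for _, attr, _ in der_children(rdn_set):
            oid, value = der_children(attr)              # SEQUENCE { type OID, value ANY }
            if oid[1] == OID_COMMON_NAME:
                return value[1].decode("latin-1")        # CNs here are PrintableString/T61String
    return None


def check_chain(der_list):
    """Walk a forwarded chain leaf-first and report what a verifier would see.

    links_ok: each certificate's issuer equals the next certificate's subject, compared
    byte-for-byte on the DER encoding (the RFC 5280 fast path for name matching).
    root_included: the last certificate is self-issued (subject == issuer), i.e. the trust
    anchor travelled with the chain. If not, missing_issuer names the CA a local trust
    store has to provide before the chain can be verified at all.
    """
    names = [cert_names(der) for der in der_list]
    links_ok = all(names[i][0] == names[i + 1][1] for i in range(len(names) - 1))
    last_issuer, last_subject = names[-1]
    root_included = last_issuer == last_subject
    return {
        "subjects": [common_name(subject) for _, subject in names],
        "links_ok": links_ok,
        "root_included": root_included,
        "missing_issuer": None if root_included else common_name(last_issuer),
    }


if __name__ == "__main__":
    report = check_chain(pem_to_der_list(CHAIN_PEM))
    for cn in report["subjects"]:
        print("forwarded:", cn)
    print("issuer/subject links consistent:", report["links_ok"])
    if not report["root_included"]:
        print("trust anchor NOT in chain; must be held locally:", report["missing_issuer"])
```

Run against the chain from the log, the script lists the three forwarded subjects, reports the issuer/subject links as consistent, and names "CHADIS Root Certificate" as the issuer that is absent from what mod_jk forwards. That is exactly the situation Rainer describes: name chaining inside the forwarded attribute is fine, but nothing in it can be trusted until the last link is anchored to a root that Tomcat holds in its own store, which also means the verification (signatures, validity, CA flags) has to happen on the Tomcat side against that local root rather than being inferred from the attribute's presence.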