
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21371

apache not passing certificate chain to servlet or CGI
------- Additional Comments From [EMAIL PROTECTED]  2003-07-16 17:50 -------
I'm stuck at the point of getting a certificate chain passed from the client. 
(No idea how to do that yet :) ).  I see SSL_CLIENT_CERT being set but with the
following patch to one of the mod_ssl files I see that OpenSSL is telling
mod_ssl that there are zero certificates in the chain.

Try testing with this patch to see if OpenSSL has provided mod_ssl with a chain.
If it hasn't, you'll see something like I did:

[debug] ssl_engine_kernel.c(1064): [client 9.65.78.133] got peer certificate chain (0/8245458/8252f50)

where the 0 after "chain (" is the number of certificates in the chain returned
by OpenSSL...

Index: modules/ssl/ssl_engine_kernel.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.82.2.6
diff -u -r1.82.2.6 ssl_engine_kernel.c
--- modules/ssl/ssl_engine_kernel.c     16 May 2003 18:12:18 -0000      1.82.2.6
+++ modules/ssl/ssl_engine_kernel.c     16 Jul 2003 17:28:03 -0000
@@ -1059,6 +1061,9 @@
         apr_table_setn(env, "SSL_CLIENT_CERT", val);

         if ((peer_certs = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl))) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                          "got peer certificate chain (%d/%pp/%pp)",
+                          sk_X509_num(peer_certs), peer_certs, ssl);
             for (i = 0; i < sk_X509_num(peer_certs); i++) {
                 var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
                 val = ssl_var_lookup(r->pool, r->server, r->connection,
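Review bot: The hunk header `@@ -1059,6 +1061,9 @@` shows the new side offset by two lines relative to the old side, so the working copy this diff was taken from contains an earlier change above this point that is not in the posted patch; regenerate it from a clean checkout (or include that change) so anyone trying the debugging patch does not get fuzz or a rejected hunk. Within the hunk, `sk_X509_num(peer_certs)` is the one value that answers the question being asked, while the two `%pp` pointer values add nothing a reader can act on; consider dropping them, or replacing them with whether `SSL_get_peer_certificate(ssl)` is non-NULL, so one log line distinguishes "leaf present, chain empty" from "nothing received" (remember to `X509_free()` that result).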
@@ -1067,6 +1072,10 @@
                     apr_table_setn(env, var, val);
                 }
             }
+        }
+        else {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                          "SSL library returned no peer certificate chain");
         }
     }
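Review bot: The new `else` branch only runs when `SSL_get_peer_cert_chain()` returns NULL, but the log line quoted in the comment (`chain (0/...)`) was produced by the first hunk, that is, by a non-NULL stack with zero entries; in the case under investigation this branch never fires and adds no information over the count already logged. If the intent is to tell the two situations apart, fold both paths into one message that reports whether the stack was NULL and, if not, its size. Note also that `SSL_CLIENT_CERT` is being set on the line just above the first hunk, so the client's leaf certificate did arrive; a zero-length chain next to it is equally consistent with the client sending no intermediate certificates at all, which is worth confirming on the client side before concluding that the library dropped them.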
