https://issues.apache.org/bugzilla/show_bug.cgi?id=49123
Summary: mod_proxy_ajp does not send the client's SSL chain certificates
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_proxy_ajp
AssignedTo: [email protected]
ReportedBy: [email protected]

Created an attachment (id=25299)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=25299)
Patch for trunk and/or 2.2.x branch

mod_proxy_ajp only sends the client's SSL certificate to the AJP server. The
client's chain (intermediate certificates) is not sent. This is not a problem
with self-signed certificates or certificates directly signed by the root CA
certificate. However, there's a large number of certificates signed by an
intermediate CA certificate, where this is a significant problem: A servlet
will not have the possibility to validate the client certificate on its own.

mod_jk was patched back in 2007 to allow sending all of the SSL chain
certificates, but mod_proxy_ajp was not updated at the same time (See
https://issues.apache.org/bugzilla/show_bug.cgi?id=39636). In 2008, Mladen
Turk mentioned he was planning to add such support to mod_proxy_ajp (See
http://www.mail-archive.com/[email protected]/msg41676.html), but it does
not look like that ever happened.

So, I'm attaching a patch which implements this functionality.

In mod_jk, this was implemented as an option that was disabled by default. As
mod_proxy_ajp does not currently have any options, I decided to skip the option
and just enable this by default in mod_proxy_ajp. I don't believe this will
cause any compatibility problems, but I have not thoroughly tested this with
old versions of Tomcat/Jetty/etc. However, I will continue to do testing, and
if I find compatibility problems, I will add an option to mod_proxy_ajp to
control this behavior.
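
The validation gap described in this report, reproduced with the openssl command line as an added example (not part of the bug report or the attached patch): a backend that trusts only the root CA cannot validate a client certificate issued by an intermediate CA unless the intermediate is supplied alongside it. The CA names, file names and temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> client certificate.
# Every name and file below is made up for this example.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

build_demo_pki() (
    cd "$DEMO_DIR" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    # Key and CSR for each of the three parties.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout root.key -out root.csr
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout inter.key -out inter.csr
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout client.key -out client.csr
    # Self-signed root: the only certificate the backend trusts.
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.pem
    # Intermediate CA issued by the root.
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 2 -out inter.pem
    # Client certificate issued by the intermediate, not by the root.
    openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 2 -out client.pem
) >/dev/null 2>&1

# Backend view when only the client certificate is forwarded:
# the path to the trusted root cannot be built.
verify_leaf_only() {
    openssl verify -CAfile "$DEMO_DIR/root.pem" "$DEMO_DIR/client.pem" >/dev/null 2>&1
}

# Backend view when the chain is forwarded: the intermediate is supplied
# as untrusted input and is itself checked against the root.
verify_with_chain() {
    openssl verify -CAfile "$DEMO_DIR/root.pem" -untrusted "$DEMO_DIR/inter.pem" \
        "$DEMO_DIR/client.pem" >/dev/null 2>&1
}

build_demo_pki
if verify_leaf_only; then echo "leaf only: valid"; else echo "leaf only: rejected"; fi
if verify_with_chain; then echo "leaf + chain: valid"; else echo "leaf + chain: rejected"; fi
```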