Hello,
I thought that Tomcat (at least recent versions) was able to get the
full chain, but I guess I was wrong.
I'm in fact using Jetty behind mod_jk, and it exposes the full chain of
certificates in the "javax.servlet.request.X509Certificate" request
attribute, as expected (I am using "JkOptions +ForwardSSLCertChain").
The version of mod_jk I'm using is that shipped with Ubuntu 8.04, so
it's mod_jk 1.2.25. As far as I can tell, it hasn't been patched for
this. I've also tried it successfully with the version shipped with CentOS.
I was getting the impression that mod_jk was being deprecated in favour
of mod_proxy_ajp. I've also experienced intermittent connection problems
between Apache Httpd and the Jetty-based application I'm using. These
problems could be due to many things, including the way I've deployed
the system, so I've tried to investigate it by using mod_proxy_ajp
instead of mod_jk.
Best wishes,
Bruno.
Bill Barker wrote:
Yes, while mod_jk has an option to send the cert chain (added a little over
18 months ago by mturk), no Tomcat connector has an option to read it. As a
result, Tomcat will read the end certificate and ignore the rest of the
chain.
This is because the AJP/1.3 protocol was created back in the days of
Servlet-2.2 (corresponding to Tomcat 3.x) and back then only the end
certificate was exposed by the Servlet-API.
Mladen's patch to mod_jk is simpler than this one, so I would prefer it to
this one. But I have no voting rights on this list :).
"Bruno Harbulot" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Hello,
I'm trying to use mod_proxy_ajp instead of mod_jk, but I'd like to be
able to pass the whole client certificate chain, instead of only the end
certificate. The servlet specification allows for a chain of
certificates to be presented and this is indeed possible with mod_jk,
using "JkOptions +ForwardSSLCertChain".
This doesn't seem to be possible using mod_proxy_ajp, which uses the
content of the SSL_CLIENT_CERT variable only.
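The failure mode the thread describes (the front end forwards the whole client chain, but the container only exposes the end certificate through `javax.servlet.request.X509Certificate`) is easy to check for from inside the web application. The filter below is an added example written for this page, not code from the thread, Jetty, Tomcat or mod_jk. It assumes the Servlet 2.5 API, a hypothetical filter class name `ClientCertChainFilter`, and that the container has already done trust validation of the client certificate during the TLS handshake; the filter only reports how much of the chain survived the AJP hop and checks that the certificates it did receive actually link to each other.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (added example, not from the thread). It reads the
 * certificate chain the connector exposed and logs whether the chain is
 * complete or whether only the end certificate arrived.
 */
public class ClientCertChainFilter implements Filter {

    /** Attribute name defined by the Servlet API and used in the thread. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private ServletContext context;

    public void init(FilterConfig config) {
        // Servlet 2.5: the context comes from the FilterConfig, not the request.
        this.context = config.getServletContext();
    }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain next)
            throws IOException, ServletException {
        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            // No client certificate reached the container: either TLS client
            // authentication was not performed or the front end did not forward it.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate required");
            return;
        }
        X509Certificate[] certs = (X509Certificate[]) attr;
        context.log("client certificate chain: " + describeChain(certs));
        next.doFilter(req, res);
    }

    /**
     * Classifies the received chain. The end-entity certificate is certs[0];
     * each further element is expected to be the issuer of the one before it.
     */
    static String describeChain(X509Certificate[] certs) {
        X509Certificate end = certs[0];
        boolean selfSigned = end.getSubjectX500Principal().equals(end.getIssuerX500Principal());

        if (certs.length == 1 && !selfSigned) {
            // A CA-issued certificate with no issuer behind it: the intermediates
            // were dropped in transit, which is what happens when only
            // SSL_CLIENT_CERT is forwarded or the connector ignores the chain.
            return "END_CERT_ONLY subject=" + end.getSubjectX500Principal()
                    + " issuer=" + end.getIssuerX500Principal();
        }

        // Verify that each certificate really was signed by the next one, so a
        // forwarded chain that is merely a bag of unrelated certificates is
        // reported rather than trusted on its length alone.
        for (int i = 0; i + 1 < certs.length; i++) {
            X509Certificate subject = certs[i];
            X509Certificate issuer = certs[i + 1];
            if (!subject.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                return "BROKEN_LINK at index " + i + " (issuer name mismatch)";
            }
            try {
                subject.verify(issuer.getPublicKey());
            } catch (GeneralSecurityException e) {
                return "BROKEN_LINK at index " + i + " (" + e.getMessage() + ")";
            }
        }
        return "COMPLETE length=" + certs.length
                + " subject=" + end.getSubjectX500Principal();
    }
}
```

Registered in `web.xml` like any other filter, it turns the silent truncation the thread describes into a log line: a deployment behind mod_jk with `JkOptions +ForwardSSLCertChain` on Jetty should log `COMPLETE`, while the same application behind mod_proxy_ajp, or a Tomcat connector that reads only the end certificate, logs `END_CERT_ONLY` for every CA-issued client certificate. Whether a short chain is acceptable depends on whether the application itself needs the intermediates (for example to inspect policy or name constraints); the filter leaves that decision to the application and does not replace the container's own PKIX validation.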