Am 05.01.2019 um 15:10 schrieb Graham Leggett:
Hi all,

I am trying to connect an httpd reverse proxy to a backend tomcat, and have 
this particular hop protected by a client certificate.

The error I get is:

[Sat Jan 05 14:02:54.252552 2019] [ssl:warn] [pid 16448:tid 139929388369664] 
AH02268: Proxy client certificate callback: ( downstream 
server wanted client certificate but none are configured

Ok, so httpd is telling me that the tomcat has requested a client certificate 
(entirely true) but httpd is not configured with a client certificate.

Except httpd is configured with a client certificate, as follows:

     SSLProxyEngine on
     SSLProxyMachineCertificateFile /etc/pki/httpd/client.cert
     SSLProxyMachineCertificateChainFile /etc/pki/httpd/client.chain
     SSLProxyCACertificateFile /etc/pki/httpd/client-ca.crt
     SSLProxyVerify require
     SSLProxyVerifyDepth 3

Does this functionality work in httpd v2.4.35, or is it configured incorrectly?

(As soon as I can get this working, I would like to fix our docs to be clear 
how to do this)

Since you mention 2.4.35 explicitly, the following changelog entries come to my mind:


*) mod_ssl: Correctly merge configurations that have client certificates set by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem]


*) mod_ssl: Fix a regression that the configuration settings for verify mode and verify depth were taken from the frontend connection in case of connections by the proxy to the backend. PR 62769. [Ruediger Pluem]

The first got broken likely in 2.4.30, the second was reported for 2.4.34 and was only fixed in 36, so it should be broken in 35 as well.

The first has the additional log info (r1844226):

The certificates and keys loaded during configuration time got lost during runtime if e.g. SSLProxyMachineCertificate{File|Path} was set on virtual host level and there was an SSL directive at directory level, e.g. SSLRequire. This fixes a regression likely introduced in r1740928 (backported in r1824187).
Backport of r1844002 from trunk.



Reply via email to