On 10/22/2014 04:02 PM, Rein Remmel wrote:
Hi Jarno,

Thanks for a prompt reply!
It seems to work for me too, although there were some line offsets when 
applying to version 1.5.6.

Any idea what it would take to get it merged?
I'll try to understand what the patch does, but I'm afraid my knowledge of C 
and SSL is not sufficient to provide a valid review.

Rein

On 22 Oct 2014, at 16:06, Jarno Huuskonen <[email protected]> wrote:

Hi,

On Wed, Oct 22, Rein Remmel wrote:
Hi,

I'm wondering if there are any plans to support passing the client certificate to 
the backend? Currently most of the certificate fields can be forwarded as 
headers, but I couldn't find a way to forward the certificate itself. What I 
need is something similar to Apache's
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
Any comments on a workaround or the roadmap would be appreciated.

I would like to avoid mixing haproxy with nginx/httpd/… One workaround would be 
to bind the SSL-requiring frontend to a different port/IP and use TCP passthrough, but with this 
solution I have to enable SSL on all Tomcat backends.

See this thread:
https://www.mail-archive.com/[email protected]/msg13618.html

I did a quick proof of concept in May. It appeared to work with
Tomcat's SSLValve.
(https://www.mail-archive.com/[email protected]/msg13875.html)

-Jarno

--
Jarno Huuskonen

Hi,


I've just pushed to Willy a patch to produce the 2 new fetches to retrieve frontend and client certificates in binary/DER format.

It was clearly inspired by your patch, Jarno, but nowadays the ssl-fetches code is more generic so I needed to review it.

For the PEM converter, nothing is fixed yet and we need to discuss it.

So currently, with the last merged patch, we can directly encode the header in base64:

http-request add-header Client-Cert %[ssl_c_der,base64]

And add PEM's header/footer:

http-request add-header Client-Cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ # don't forget last space

I don't know if line returns in the base64 body are mandatory for current usages, but I know that the 'openssl x509 -in' command line doesn't care.


Regards,
Emeric.
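The backend side of the two add-header lines above, as an added example that is not part of the thread or of HAProxy itself: it rebuilds a standard multi-line PEM block from the single-line header value, whether HAProxy sent the bare `%[ssl_c_der,base64]` form or the space-joined BEGIN/END form, and checks that the body decodes to DER before trusting it. The sample DER bytes are a constructed minimal ASN.1 SEQUENCE, not a real certificate.

```python
import base64
import re

# Constructed sample DER body (a minimal ASN.1 SEQUENCE, not a real
# certificate), used only so the example runs offline.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def haproxy_header_value(der: bytes, wrap_pem: bool = True) -> str:
    """Mimic the Client-Cert header value produced by the two add-header
    lines in the thread: base64 of the DER, optionally with the PEM
    header/footer joined by single spaces on one line (trailing space
    included, as in the second config line)."""
    b64 = base64.b64encode(der).decode("ascii")
    if not wrap_pem:
        return b64
    return f"{PEM_HEADER} {b64} {PEM_FOOTER} "


def header_to_der(value: str) -> bytes:
    """Backend side: strip the optional PEM markers and any whitespace,
    then decode; reject anything that is not a DER SEQUENCE."""
    body = value.strip()
    if body.startswith(PEM_HEADER):
        body = body[len(PEM_HEADER):]
    if body.rstrip().endswith(PEM_FOOTER):
        body = body.rstrip()[:-len(PEM_FOOTER)]
    body = re.sub(r"\s+", "", body)          # drop spaces/line returns
    der = base64.b64decode(body, validate=True)  # raises on junk input
    if not der or der[0] != 0x30:            # a DER certificate is a SEQUENCE
        raise ValueError("header body is not a DER SEQUENCE")
    return der


def header_to_pem(value: str) -> str:
    """Turn the one-line header value into a standard PEM block with the
    base64 body wrapped at 64 characters, as PEM tooling expects."""
    b64 = base64.b64encode(header_to_der(value)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


if __name__ == "__main__":
    print(header_to_pem(haproxy_header_value(SAMPLE_DER)))
```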