Hi,

On Wed, Oct 29, Emeric Brun wrote:
> I've just pushed to Willy a patch to produce the 2 new fetches to
> retrieve frontend and client certificates in binary/DER format.

Is the client cert available when the client reuses an ssl session? (This is
something I've never tested.) I think somewhere in the openssl docs I read
that the client cert is available with a reused ssl session, but the full
client cert ca path is not?

> It was clearly inspired by your patch Jarno but nowadays the
> ssl-fetches code is more generic so I needed to review it.
>
> For the pem converter, we are not fixed yet and we need to discuss.
>
> So currently with the last merged patch, we can directly encode the
> header in base64:
>
> http-request add-header Client-Cert %[ssl_c_der,base64]
>
> And add pem's header/footer:
>
> http-request add-header Client-Cert -----BEGIN\ CERTIFICATE-----\
> %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ # don't forget last
> space

So this creates a header like this?

SSL_CLIENT_CERT: -----BEGIN CERTIFICATE----- MIIDODCCAiACCQDe7Bdbly6M4DANBgkqhki
G9w0BAQUFADBeMQswCQYDVQQGEwJGSTETMBEGA1UECBMKU29tZS1TdGF0 -----END CERTIFICATE-----

(the base64 encoded cert is one long line w/out newlines or spaces).

> I don't know if line-returns in base64 body are mandatory for
> current usages, but I know that 'openssl x509 -in' cmdline doesn't
> care.

Is your patch available somewhere?

I think tomcat's SSLValve expects the certificate in a certain format:
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java
https://github.com/violetagg/apache-tomcat-8.0/blob/master/java/org/apache/catalina/valves/SSLValve.java

I guess a quick and dirty test to see if the SSLValve accepts the
base64 without newlines would be to copy the SSLValve.java to a quick
standalone prog.

-Jarno

--
Jarno Huuskonen
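As an added example (not code from this thread, HAProxy or Tomcat): a small Python checker for the single-line header value the add-header rule above produces. It strips the BEGIN/END markers, rejects a value that is not base64 or does not decode to a DER SEQUENCE, and re-emits canonical PEM with 64-character lines; the DER sample is constructed, not a real certificate.

```python
import base64
import binascii
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def check_der_certificate(der: bytes) -> int:
    """Structural DER check only: outer SEQUENCE whose length matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if hdr + length != len(der):
        raise ValueError("DER length does not match data")
    return length

def header_to_pem(value: str) -> str:
    """Turn the single-line header value (BEGIN marker, base64 DER, END marker,
    space-separated) into canonical PEM with 64-char lines, validating it."""
    s = value.strip()
    if s.count(BEGIN) != 1 or s.count(END) != 1:
        raise ValueError("expected exactly one certificate block")
    start, end = s.index(BEGIN) + len(BEGIN), s.index(END)
    if end < start:
        raise ValueError("END marker precedes BEGIN marker")
    body = "".join(s[start:end].split())  # drop any folding whitespace
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    check_der_certificate(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"

def is_valid_header(value: str) -> bool:
    try:
        header_to_pem(value)
        return True
    except ValueError:
        return False

# Constructed sample: a DER SEQUENCE wrapping a 60-byte OCTET STRING, not a real cert.
CONSTRUCTED_DER = b"\x30\x3e\x04\x3c" + bytes(range(60))
SAMPLE_HEADER = f"{BEGIN} {base64.b64encode(CONSTRUCTED_DER).decode()} {END} "
```

Feeding the canonical PEM back into `header_to_pem` returns it unchanged, so the same routine accepts both the one-line and the newline-wrapped form.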

