So currently with the last merged patch, we can directly encode the
header in base64:
http-request add-header Client-Cert %[ssl_c_der,base64]
And add pem's header/footer:
http-request add-header Client-Cert -----BEGIN\ CERTIFICATE-----\
%[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ # don't forget last
space
So this creates a header like this ?
SSL_CLIENT_CERT: -----BEGIN CERTIFICATE----- MIIDODCCAiACCQDe7Bdbly6M4DANBgkqhki
G9w0BAQUFADBeMQswCQYDVQQGEwJGSTETMBEGA1UECBMKU29tZS1TdGF0 -----END
CERTIFICATE-----
>
> (the base64 encoded cert is one long line w/out newlines or spaces).
>
Exatcly, it's only a partial implementation.
I don't know if line-returns in base64 body are mandatory for
current usages, but i know that 'openssl x509 -in' cmdline doesn't
care.
Is your patch available somewhere ?
It was pushed in the 1.6 dev branch, git cid:
43e7958def282deebde934950b133a1dd9edaabf
I think tomcat's SSLValve expects the certificate in certain format:
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java
https://github.com/violetagg/apache-tomcat-8.0/blob/master/java/org/apache/catalina/valves/SSLValve.java
I will take a look.
I guess a quick and dirty test to see if the SSLValve accepts the base64
without newlines would be to copy the SSLValve.java to quick standalone prog.
Ok, let me informed.
-Jarno
R,
Emeric
