On 10/30/2014 10:38 AM, Emeric Brun wrote:
>> So currently with the last merged patch, we can directly encode the
>> header in base64:
>>
>> http-request add-header Client-Cert %[ssl_c_der,base64]
>>
>> And add pem's header/footer:
>>
>> http-request add-header Client-Cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\   # don't forget last space

> So this creates a header like this?
>
> SSL_CLIENT_CERT: -----BEGIN CERTIFICATE-----
> MIIDODCCAiACCQDe7Bdbly6M4DANBgkqhki
> G9w0BAQUFADBeMQswCQYDVQQGEwJGSTETMBEGA1UECBMKU29tZS1TdGF0 -----END
> CERTIFICATE-----
>
> (the base64 encoded cert is one long line w/out newlines or spaces).

Exactly, it's only a partial implementation.

I don't know if line returns in the base64 body are mandatory for
current usages, but I know that the 'openssl x509 -in' command line doesn't
care.

> Is your patch available somewhere?

It was pushed in the 1.6 dev branch, git commit id:
43e7958def282deebde934950b133a1dd9edaabf

> I think tomcat's SSLValve expects the certificate in a certain format:
> http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java
>
> https://github.com/violetagg/apache-tomcat-8.0/blob/master/java/org/apache/catalina/valves/SSLValve.java

I will take a look.

OMG! It is the dirtiest parser I have ever seen!

In any case, I think the previous example should work: the parser is only based on the length of the PEM header and footer, and I'm pretty sure the primitive used to decode base64 doesn't care about line returns.

You could also try:

http-request add-header ssl_client_cert 1234567890123456789012345678%[ssl_c_der,base64]12345678901234567890123456   # without space

It should work!

R,
Emeric
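As an added illustration for this thread (example code, not HAProxy's or Tomcat's): the script below builds the header value the two `add-header` lines above produce (base64 of the DER, optionally wrapped in the space-separated PEM markers), then parses it two ways: the length-based way the thread describes (drop 28 leading and 26 trailing characters, i.e. marker plus one space, then base64-decode ignoring any whitespace, which is what makes the `1234567890...` example work), and a stricter variant that insists the markers are really present. It also re-wraps the DER into 64-column PEM for tools that want canonical lines. The DER bytes are a constructed stand-in, not a real certificate; the 28/26 offsets are taken from the last example in the thread.

```python
"""Build and parse a Client-Cert header carrying a base64 DER certificate.

Added illustration for this thread, not HAProxy or Tomcat code. FAKE_DER is
a constructed stand-in (an ASN.1 SEQUENCE wrapper around arbitrary bytes),
not a real certificate; only its base64 transport matters here.
"""
import base64
import binascii
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"  # 27 characters
PEM_FOOTER = "-----END CERTIFICATE-----"    # 25 characters

# Constructed: 100 bytes, long enough that the base64 form exceeds 64 columns.
FAKE_DER = b"\x30\x82\x00\x60" + bytes(range(0x60))


def haproxy_header_value(der: bytes, with_pem_markers: bool = True) -> str:
    """Mimic 'http-request add-header Client-Cert %[ssl_c_der,base64]',
    optionally with the space-separated PEM markers from the second
    config line in the thread. The base64 body has no line breaks."""
    b64 = base64.b64encode(der).decode("ascii")
    if not with_pem_markers:
        return b64
    return f"{PEM_HEADER} {b64} {PEM_FOOTER}"


def parse_by_length(value: str) -> bytes:
    """Length-based parse as described in the thread: skip the first 28 and
    the last 26 characters (marker plus one space) without checking what
    they are, then base64-decode the remainder, tolerating whitespace."""
    if len(value) <= 28 + 26:
        raise ValueError("header too short to hold a certificate")
    body = value[28:len(value) - 26]
    return base64.b64decode(re.sub(r"\s+", "", body), validate=True)


def parse_strict(value: str) -> bytes:
    """Safer variant: require the PEM markers to be present rather than
    trusting fixed offsets; still whitespace-tolerant in the body, but any
    other non-base64 character is rejected (validate=True)."""
    v = value.strip()
    if not (v.startswith(PEM_HEADER) and v.endswith(PEM_FOOTER)):
        raise ValueError("missing PEM markers")
    body = v[len(PEM_HEADER):len(v) - len(PEM_FOOTER)]
    compact = re.sub(r"\s+", "", body)
    if not compact:
        raise ValueError("empty certificate body")
    return base64.b64decode(compact, validate=True)


def is_pem_header_value(value: str) -> bool:
    """True if parse_strict accepts the value; usable as a request filter."""
    try:
        parse_strict(value)
        return True
    except (ValueError, binascii.Error):
        return False


def to_pem(der: bytes) -> str:
    """Re-emit canonical PEM with 64-column lines for tools that insist."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


if __name__ == "__main__":
    hdr = haproxy_header_value(FAKE_DER)
    assert parse_by_length(hdr) == FAKE_DER
    assert parse_strict(hdr) == FAKE_DER
    print(hdr)
    print(to_pem(FAKE_DER))
```

Whichever parser the backend uses, it trusts the header completely, so the proxy must be the only source of it: HAProxy's `http-request set-header` replaces a header of the same name that the client sent, while `add-header` appends a second one after it, and a backend that reads the first instance would then see the client's value. A `del-header` before `add-header` achieves the same effect.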
