Hi,

On Thu, Oct 30, Emeric Brun wrote:
> On 10/30/2014 10:38 AM, Emeric Brun wrote:
> >>>So currently with the last merged patch, we can directly encode the
> >>>header in base64:
> >>>
> >>>http-request add-header Client-Cert %[ssl_c_der,base64]
> >>>
> >>>And add pem's header/footer:
> >>>
> >>>http-request add-header Client-Cert -----BEGIN\ CERTIFICATE-----\
> >>>%[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ # don't forget last
> >>>space
> >>
> >>So this creates a header like this?
> >>
> >>SSL_CLIENT_CERT: -----BEGIN CERTIFICATE-----
> >>MIIDODCCAiACCQDe7Bdbly6M4DANBgkqhki
> >>G9w0BAQUFADBeMQswCQYDVQQGEwJGSTETMBEGA1UECBMKU29tZS1TdGF0 -----END
> >>CERTIFICATE-----
> >
> > (the base64 encoded cert is one long line w/out newlines or spaces).
> >
> >Exactly, it's only a partial implementation.
> >
> >>>I don't know if line-returns in base64 body are mandatory for
> >>>current usages, but I know that 'openssl x509 -in' cmdline doesn't
> >>>care.
> >>
> >>Is your patch available somewhere?
> >
> >It was pushed in the 1.6 dev branch, git cid:
> >43e7958def282deebde934950b133a1dd9edaabf

Thanks, I see that the patch is already in 1.5.7 / 1.5.8

> >>I think tomcat's SSLValve expects the certificate in certain format:
> >>http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java
> >>
> >>https://github.com/violetagg/apache-tomcat-8.0/blob/master/java/org/apache/catalina/valves/SSLValve.java
> >>
> >I will take a look.
>
> OMG! it is the dirtiest parser I've ever seen!
>
> In any case, I think the previous example should work, the parser is
> only based on the length of the pem-header and footer, and I'm
> pretty sure the primitive used to decode base64 doesn't care about
> line returns.

I copied SSLValve.java into a simple standalone program, and it looks like Java's CertificateFactory/generateCertificate doesn't care whether the base64 has newlines or not.

> You could also try:
>
> http-request add-header ssl_client_cert
> 1234567890123456789012345678%[ssl_c_der,base64]12345678901234567890123456
> # without space
>
> It should work!

Yes, it also seems to work :)

-Jarno

--
Jarno Huuskonen
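The thread turns on two points: the header value built by `http-request add-header` carries the base64 body on one line with a space (or, in the second variant, 28 and 26 arbitrary characters) around it, and the receiving side recovers the DER by trimming a fixed-length prefix and suffix and handing the remainder to a base64 decoder that ignores line breaks. The Python below is an added illustration of that flow and is not code from the thread, HAProxy or Tomcat. It assumes a length-based parser with prefix 28 and suffix 26 (inferred from the `1234...` example: a 27-character header plus a space, a 25-character footer plus a space) and uses a constructed byte string in place of a real DER certificate; it also shows the caveat the thread only hints at, namely that a strict decoder rejects a body that has been re-wrapped to 64 columns.

```python
import base64
import binascii
import textwrap

# Constructed stand-in for a DER-encoded certificate: these bytes are NOT a real
# certificate, they only exercise the encoding and header-parsing paths.
SAMPLE_DER = bytes(range(256)) * 3

PEM_HEADER = "-----BEGIN CERTIFICATE-----"   # 27 characters
PEM_FOOTER = "-----END CERTIFICATE-----"     # 25 characters


def header_value_with_spaces(der: bytes) -> str:
    """The value that the thread's add-header line with escaped spaces
    produces: header, space, single-line base64 body, space, footer."""
    body = base64.b64encode(der).decode("ascii")
    return f"{PEM_HEADER} {body} {PEM_FOOTER}"


def header_value_with_padding(der: bytes) -> str:
    """The second variant from the thread: 28 arbitrary characters before
    the body and 26 after it, with no spaces at all."""
    body = base64.b64encode(der).decode("ascii")
    return "1234567890123456789012345678" + body + "12345678901234567890123456"


def length_based_extract(value: str, prefix_len: int = 28, suffix_len: int = 26) -> str:
    """Mimic a parser that trims a fixed-length prefix and suffix without
    looking at their content. The 28/26 lengths are an assumption inferred
    from the thread's '1234...' example; the real SSLValve is not reproduced."""
    if len(value) < prefix_len + suffix_len:
        raise ValueError("header value too short to contain a PEM body")
    return value[prefix_len:len(value) - suffix_len]


def decode_lenient(body: str) -> bytes:
    """b64decode with validate=False (the default) discards characters outside
    the base64 alphabet, so newlines and spaces in the body are ignored."""
    return base64.b64decode(body)


def decode_strict(body: str) -> bytes:
    """A decoder that rejects anything outside the alphabet; a newline-wrapped
    body raises binascii.Error here."""
    return base64.b64decode(body, validate=True)


def wrap_body(body: str, width: int = 64) -> str:
    """Re-insert the 64-column line breaks a conventional PEM file has."""
    return "\n".join(textwrap.wrap(body, width))


def round_trips(der: bytes) -> dict:
    """Run both header variants and both body layouts through the parsers and
    report which combinations recover the original bytes."""
    spaced = length_based_extract(header_value_with_spaces(der))
    padded = length_based_extract(header_value_with_padding(der))
    wrapped = wrap_body(spaced)
    results = {
        "spaced_lenient": decode_lenient(spaced) == der,
        "padded_lenient": decode_lenient(padded) == der,
        "wrapped_lenient": decode_lenient(wrapped) == der,
        "spaced_strict": decode_strict(spaced) == der,
    }
    try:
        decode_strict(wrapped)
        results["wrapped_strict"] = True
    except binascii.Error:
        results["wrapped_strict"] = False
    return results


if __name__ == "__main__":
    for name, ok in round_trips(SAMPLE_DER).items():
        print(f"{name:16} {'ok' if ok else 'FAILED'}")
```

Both header layouts decode identically because the parser never inspects the trimmed prefix and suffix, which is why the thread's "1234..." variant works just as well as the real PEM header. The one combination that fails is a strict decoder fed a line-wrapped body, so whether newlines are harmless depends entirely on the decoder behind the header parser, not on the header format itself.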

