On 25.02.21 07:38, Jarno Huuskonen wrote:
Hi,
On Thu, 2021-02-25 at 03:24 +0100, Aleksandar Lazic wrote:
Hi.
I am trying to set up HAProxy (precisely OpenShift Router :-)) to send the TLS/SSL client information to Tomcat.
On the SSL Valve page the following parameters are available.
http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#SSL_Valve
SSL_CLIENT_CERT string PEM-encoded client certificate
?
The only missing parameter is "SSL_CLIENT_CERT in PEM format". There is one in DER format, ssl_c_der, in HAProxy, but the code in SSL-Valve expects the PEM format.
https://github.com/apache/tomcat/blob/master/java/org/apache/catalina/valves/SSLValve.java#L125
Have I overseen something in the HAProxy code or doc or isn't there currently an option to get the client certificate out of HAProxy in PEM format?
It should be possible (had this working years ago):
(https://www.mail-archive.com/haproxy@formilux.org/msg20883.html
http://shibboleth.net/pipermail/users/2015-July/022674.html)
Something like:
http-request add-header X-SSL-Client-Cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ # don't forget last space
Cool thanks.
-Jarno
Best regards
Alex
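
The single-line value produced by the add-header line above, checked on the receiving side. This is an added example, not code from the thread, HAProxy or Tomcat; the function names and the sample bytes are assumptions made up for the illustration.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def build_header_value(der):
    """Mimic the add-header line: BEGIN, base64 of ssl_c_der, END, trailing space."""
    return f"{BEGIN} {base64.b64encode(der).decode('ascii')} {END} "

def parse_client_cert_header(values):
    """Return the DER bytes carried in X-SSL-Client-Cert, or raise ValueError."""
    # add-header appends to whatever the request already carried, so a copy
    # of the header sent by the client would arrive as an extra value.
    if len(values) != 1:
        raise ValueError(f"expected exactly one header value, got {len(values)}")
    value = values[0].strip()
    if not (value.startswith(BEGIN + " ") and value.endswith(" " + END)):
        raise ValueError("missing PEM armor")
    body = value[len(BEGIN):-len(END)].strip()
    try:
        # validate=True rejects spaces and any other non-base64 character
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64: {exc}") from None
    # An X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("payload is not a DER SEQUENCE")
    return der

def to_pem(der):
    """Standard multi-line PEM with a 64-column base64 body."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"

# Constructed sample: DER-shaped bytes, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))

if __name__ == "__main__":
    header = build_header_value(SAMPLE_DER)
    print(to_pem(parse_client_cert_header([header])), end="")
```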