Hello!

I run Apache 1.3.19 with mod_ssl 2.8.2 as a reverse proxy. This reverse proxy does the 
SSL part of the web application. On a specific URL the reverse proxy requests a client 
certificate from the browser using this configuration:

<Location /blablabla/>
     SSLVerifyClient require
     SSLVerifyDepth 1
</Location>
SSLCACertificateFile /blabla/my.CA.crt

This works fine, but the problem is that the application runs on another web server 
behind the reverse proxy and that the application needs to know/verify the client 
certificate serial number. Therefore somebody (before I started the job here ;-) ) 
wrote a patch that imports the client certification information into the HTTP header 
of the incoming request so that mod_proxy forwards this information to the web server.

Stupidly enough, this patch is mod_ssl version dependent, so I am looking for a nicer 
solution. I can imagine that the combination of Apache and mod_ssl as a reverse proxy 
is very popular and many people have a need for forwarding certificate information to 
the application (web server).

So, is there a nicer solution?
Is this enough reason for adding some configuration parameters into mod_ssl to forward 
that information, like

SSLForwardVariable  SSL_CLIENT_M_SERIAL

?

Darko Krizic
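
The setup described in this post, seen from the application side, as an added example that is not part of the original message or of mod_ssl: a Python check the backend could apply to a certificate serial number that the reverse proxy forwards in a request header. The header name, proxy address and serial values are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions (not from the original post): header name, proxy address, serials.
FORWARD_HEADER = "x-ssl-client-m-serial"                    # hypothetical header name
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]   # constructed proxy address

_HEX = re.compile(r"[0-9A-Fa-f]{1,40}")   # a serial is at most 20 octets


def normalize_serial(value):
    """Return the serial as upper-case hex without leading zeros, or None."""
    value = value.strip().replace(":", "")
    if not _HEX.fullmatch(value):
        return None
    return value.upper().lstrip("0") or "0"


# Constructed allow-list, stored in normalized form.
ALLOWED_SERIALS = {normalize_serial(s) for s in ("0A3F", "1B")}


def forwarded_serial(peer_ip, headers):
    """headers: list of (name, value) pairs as received by the application.

    Returns the normalized serial, or None if the request must be rejected.
    """
    # 1. Only the reverse proxy may assert a client identity.
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None
    # 2. Exactly one copy of the header; '-' and '_' count as the same name,
    #    because CGI-style environments map both spellings to one variable.
    values = [v for n, v in headers
              if n.lower().replace("_", "-") == FORWARD_HEADER]
    if len(values) != 1:
        return None
    # 3. Strict format check, then compare in normalized form.
    serial = normalize_serial(values[0])
    if serial is None or serial not in ALLOWED_SERIALS:
        return None
    return serial
```

The proxy side has to overwrite any copy of this header that arrives from the browser, since the backend cannot tell a forwarded value from one the proxy merely passed through.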




______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List