Re: Feature request for SSL Valve
Christopher.

Thank you for your answer.

On 25.02.21 21:10, Christopher Schultz wrote:
> Alex,
>
> On 2/24/21 22:05, Alex wrote:
>> Hi.
>>
>> I am trying to set up HAProxy to send some TLS information to Tomcat.
>>
>> As described in the documentation of the SSL Valve, several parameters
>> are available, and most of them are also available in HAProxy.
>>
>> http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#SSL_Valve
>>
>> The only parameter which I am not able to use is sslClientCertHeader,
>> because this header expects a PEM-formatted certificate but HAProxy can
>> send the certificate in DER format.
>>
>> http://cbonte.github.io/haproxy-dconv/2.3/configuration.html#7.3.4-ssl_c_der
>>
>> Where can I add the feature request so that this feature can be
>> considered for addition to the Tomcat SSL Valve?
>
> Hmm. Sending binary data in an HTTP header field? You are going to
> definitely find some problems there.
>
> Or were you going to try something like:
>
>     http-request set-header X-Client-Certificate %[ssl_c_der,base64]
>
> As suggested here: https://serverfault.com/a/859328 ?

I also got a similar answer on the HAProxy list.

    http-request add-header X-SSL-Client-Cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ # don't forget last space

https://www.mail-archive.com/haproxy@formilux.org/msg39893.html

> If so, you are base64-encoding a DER value which is essentially a
> PEM-formatted value :)
>
> But sure, it seems like adding this kind of thing would be okay. Are you
> able to provide a patch/PR?
>
> -chris

Regards
Alex

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
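The relationship discussed in the message above (base64-encoded DER is the body of a PEM block), as an added example that is not code from Tomcat, HAProxy or either poster: Python functions a backend could use to normalize either header form back to DER bytes. The function names and SAMPLE_DER are assumptions made for illustration; SAMPLE_DER is a constructed, DER-shaped placeholder and not a real certificate.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in: a DER SEQUENCE header (0x30, length 0x0100) plus
# 256 filler bytes. It is DER-shaped but NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def der_to_pem(der: bytes) -> str:
    """PEM = base64 of the DER bytes, wrapped at 64 columns, between markers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def header_to_der(value: str) -> bytes:
    """Accept bare base64 DER, or PEM flattened onto one header line."""
    v = value.strip()
    if v.startswith(BEGIN):
        if not v.endswith(END):
            raise ValueError("BEGIN marker without a matching END marker")
        v = v[len(BEGIN):-len(END)]
    # Header values cannot contain newlines, so PEM line breaks arrive as
    # spaces (or not at all); drop all whitespace before decoding.
    b64 = "".join(v.split())
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"header is not valid base64: {exc}") from None
    # An X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded value does not start with a DER SEQUENCE")
    return der


if __name__ == "__main__":
    bare = base64.b64encode(SAMPLE_DER).decode("ascii")     # %[ssl_c_der,base64]
    wrapped = f"{BEGIN} {bare} {END} "                      # marker-wrapped form
    flattened = der_to_pem(SAMPLE_DER).replace("\n", " ")   # PEM, newlines -> spaces
    for form in (bare, wrapped, flattened):
        assert header_to_der(form) == SAMPLE_DER
    print("all three header forms decode to the same DER bytes")
```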
Re: Feature request for SSL Valve
Alex,

On 2/24/21 22:05, Alex wrote:
> Hi.
>
> I am trying to set up HAProxy to send some TLS information to Tomcat.
>
> As described in the documentation of the SSL Valve, several parameters
> are available, and most of them are also available in HAProxy.
>
> http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#SSL_Valve
>
> The only parameter which I am not able to use is sslClientCertHeader,
> because this header expects a PEM-formatted certificate but HAProxy can
> send the certificate in DER format.
>
> http://cbonte.github.io/haproxy-dconv/2.3/configuration.html#7.3.4-ssl_c_der
>
> Where can I add the feature request so that this feature can be
> considered for addition to the Tomcat SSL Valve?

Hmm. Sending binary data in an HTTP header field? You are going to
definitely find some problems there.

Or were you going to try something like:

    http-request set-header X-Client-Certificate %[ssl_c_der,base64]

As suggested here: https://serverfault.com/a/859328 ?

If so, you are base64-encoding a DER value which is essentially a
PEM-formatted value :)

But sure, it seems like adding this kind of thing would be okay. Are you
able to provide a patch/PR?

-chris
Feature request for SSL Valve
Hi.

I am trying to set up HAProxy to send some TLS information to Tomcat.

As described in the documentation of the SSL Valve, several parameters
are available, and most of them are also available in HAProxy.

http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#SSL_Valve

The only parameter which I am not able to use is sslClientCertHeader,
because this header expects a PEM-formatted certificate but HAProxy can
send the certificate in DER format.

http://cbonte.github.io/haproxy-dconv/2.3/configuration.html#7.3.4-ssl_c_der

Where can I add the feature request so that this feature can be
considered for addition to the Tomcat SSL Valve?

Regards
Alex