Re: JkExtractSSL not sending SSL information to tomcat

2011-05-27 Thread Rainer Jung
On 25.05.2011 15:18, Christopher Schultz wrote:
 André,
 
 On 5/24/2011 7:13 PM, André Warnier wrote:
 Christopher Schultz wrote:

 Marc,

 On 5/24/2011 10:56 AM, Marc Boorshtein wrote:
 I've setup a pretty generic httpd(2.2.19)+mod_jk to tomcat 6 on Oracle
 Linux 5 (CentOS 5 equiv) with SSL setup.  With JkExtractSSL and the
 correct SSLOptions in the httpd configuration files.  I can see the
 SSL environment variables in /cgi-bin/printenv but no headers or
 environment variables in the backend tomcat app.  Am I missing
 something?

 Something just tickled my brain, here: you said environment variables
 or headers. The data stored in environment variables on the Apache
 httpd side are neither stored in environment variables (since the
 environment is shared, and a multi-threaded server would never work) nor
 in request headers (because that's not really appropriate).

 Instead, they are stored in the request /attributes/.

 Unfortunately, the mod_jk documentation doesn't make that clear. I'll
 try to find a reference, even if it's only in the source code.

 Checkup JkEnvVar.
 http://grokbase.com/topic/2007/04/19/howto-forward-user-name-from-apache-via-mod-jk-to-tomcat/00UYI-2ef5d4aI6oZhrQPFf3JD0
 
 Yeah, except that JkEnvVar puts the environment variable FOO into the
 request attribute FOO, while JkExtractSSL puts them under attribute
 keys defined by the servlet specification. That was not clear at all
 from the existing documentation (at least not without having read the
 servlet spec as well and drawing a logical conclusion).

Being late here, I used to suggest taking a look at

http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html

Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: JkExtractSSL not sending SSL information to tomcat

2011-05-25 Thread Christopher Schultz
André,

On 5/24/2011 7:13 PM, André Warnier wrote:
 Christopher Schultz wrote:

 Marc,

 On 5/24/2011 10:56 AM, Marc Boorshtein wrote:
 I've setup a pretty generic httpd(2.2.19)+mod_jk to tomcat 6 on Oracle
 Linux 5 (CentOS 5 equiv) with SSL setup.  With JkExtractSSL and the
 correct SSLOptions in the httpd configuration files.  I can see the
 SSL environment variables in /cgi-bin/printenv but no headers or
 environment variables in the backend tomcat app.  Am I missing
 something?

 Something just tickled my brain, here: you said environment variables
 or headers. The data stored in environment variables on the Apache
 httpd side are neither stored in environment variables (since the
 environment is shared, and a multi-threaded server would never work) nor
 in request headers (because that's not really appropriate).

 Instead, they are stored in the request /attributes/.

 Unfortunately, the mod_jk documentation doesn't make that clear. I'll
 try to find a reference, even if it's only in the source code.

 Checkup JkEnvVar.
 http://grokbase.com/topic/2007/04/19/howto-forward-user-name-from-apache-via-mod-jk-to-tomcat/00UYI-2ef5d4aI6oZhrQPFf3JD0

Yeah, except that JkEnvVar puts the environment variable FOO into the
request attribute FOO, while JkExtractSSL puts them under attribute
keys defined by the servlet specification. That was not clear at all
from the existing documentation (at least not without having read the
servlet spec as well and drawing a logical conclusion).

- -chris



JkExtractSSL not sending SSL information to tomcat

2011-05-24 Thread Marc Boorshtein
I've setup a pretty generic httpd(2.2.19)+mod_jk to tomcat 6 on Oracle
Linux 5 (CentOS 5 equiv) with SSL setup.  With JkExtractSSL and the
correct SSLOptions in the httpd configuration files.  I can see the
SSL environment variables in /cgi-bin/printenv but no headers or
environment variables in the backend tomcat app.  Am I missing
something?

Thanks
Marc




Re: JkExtractSSL not sending SSL information to tomcat

2011-05-24 Thread Mark Thomas
On 24/05/2011 15:56, Marc Boorshtein wrote:
 I've setup a pretty generic httpd(2.2.19)+mod_jk to tomcat 6 on Oracle
 Linux 5 (CentOS 5 equiv) with SSL setup.  With JkExtractSSL and the
 correct SSLOptions in the httpd configuration files.

And your SSLOptions are what exactly?

Also Tomcat and mod_jk version info might be relevant.

Mark

  I can see the
 SSL environment variables in /cgi-bin/printenv but no headers or
 environment variables in the backend tomcat app.  Am I missing
 something?
 
 Thanks
 Marc
 



Re: JkExtractSSL not sending SSL information to tomcat

2011-05-24 Thread Marc Boorshtein

 And your SSLOptions are what exactly?

 Also Tomcat and mod_jk version info might be relevant.


LoadModule jk_module modules/mod_jk.so

LoadFile /home/sys/ssl-poc/webgate/access/oblix/lib/libgcc_s.so.1
LoadFile /home/sys/ssl-poc/webgate/access/oblix/lib/libstdc++.so.5

SSLOptions +StdEnvVars
SSLOptions +ExportCertData

JkWorkerProperty worker.list=worker1

JkWorkerProperty worker.worker1.type=ajp13
JkWorkerProperty worker.worker1.host=localhost
JkWorkerProperty worker.worker1.port=8009

JkShmFile /home/sys/ssl-poc/httpd/logs/mod_jk.shm
JkLogFile /home/sys/ssl-poc/httpd/logs/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

JkExtractSSL On

<VirtualHost _default_:9443>

WebGateMode PEER

<Location /access/oblix/apps/webgate/bin/webgate.cgi>
SetHandler obwebgateerr
</Location>

<Location /oberr.cgi>
SetHandler obwebgateerr
</Location>

#   General setup for the virtual host
DocumentRoot /home/sys/ssl-poc/httpd/htdocs
ServerName ws.server.net:9443
ErrorLog /home/sys/ssl-poc/httpd/logs/error_ws_log
TransferLog /home/sys/ssl-poc/httpd/logs/access_ws_log

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /home/sys/ssl-poc/httpd/conf/server-ws.crt
SSLCertificateKeyFile /home/sys/ssl-poc/httpd/conf/server-ws.key

#<FilesMatch \.(cgi|shtml|phtml|php)$>
#
#</FilesMatch>
#<Directory /home/sys/ssl-poc/httpd/cgi-bin>
#
#</Directory>

BrowserMatch .*MSIE.* \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0

CustomLog /home/sys/ssl-poc/httpd/logs/ssl_request_log \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

<LocationMatch /app*>
AuthType Oblix
require valid-user
JkMount worker1
</LocationMatch>

</VirtualHost>

Thanks
Marc




Re: JkExtractSSL not sending SSL information to tomcat

2011-05-24 Thread Christopher Schultz
Marc,

On 5/24/2011 11:39 AM, Marc Boorshtein wrote:
 SSLOptions +StdEnvVars
 SSLOptions +ExportCertData
 
 JkExtractSSL On
 
 VirtualHost _default_:9443

I'm not entirely sure about the JkExtractSSL option, but some other
mod_jk options are not copied into all virtual hosts. You might want to
try moving the JkExtractSSL directive into (each of) your virtual host(s).

- -chris



Re: JkExtractSSL not sending SSL information to tomcat

2011-05-24 Thread Marc Boorshtein
 Marc,

 On 5/24/2011 11:39 AM, Marc Boorshtein wrote:
 SSLOptions +StdEnvVars
 SSLOptions +ExportCertData

 JkExtractSSL On

 VirtualHost _default_:9443

 I'm not entirely sure about the JkExtractSSL option, but some other
 mod_jk options are not copied into all virtual hosts. You might want to
 try moving the JkExtractSSL directive into (each of) your virtual host(s).

 - -chris

No changes.  I looked at a wireshark trace and no ssl information was sent




Re: JkExtractSSL not sending SSL information to tomcat

2011-05-24 Thread Christopher Schultz
Marc,

On 5/24/2011 4:13 PM, Marc Boorshtein wrote:
 Marc,

 On 5/24/2011 11:39 AM, Marc Boorshtein wrote:
 SSLOptions +StdEnvVars
 SSLOptions +ExportCertData

 JkExtractSSL On

 VirtualHost _default_:9443

 I'm not entirely sure about the JkExtractSSL option, but some other
 mod_jk options are not copied into all virtual hosts. You might want to
 try moving the JkExtractSSL directive into (each of) your virtual host(s).

 No changes.  I looked at a wireshark trace and no ssl information was sent

:(

I've definitely gotten mod_jk to send the SSL certificate information
over to Tomcat in the past, and I don't recall any herculean measures
required to do so.

See here for a recap of my efforts to get client-certs working in Tomcat:
http://markmail.org/message/kzxsamuiu6bldjmv

- -chris



Re: JkExtractSSL not sending SSL information to tomcat

2011-05-24 Thread Christopher Schultz
Marc,

On 5/24/2011 10:56 AM, Marc Boorshtein wrote:
 I've setup a pretty generic httpd(2.2.19)+mod_jk to tomcat 6 on Oracle
 Linux 5 (CentOS 5 equiv) with SSL setup.  With JkExtractSSL and the
 correct SSLOptions in the httpd configuration files.  I can see the
 SSL environment variables in /cgi-bin/printenv but no headers or
 environment variables in the backend tomcat app.  Am I missing
 something?

Something just tickled my brain, here: you said environment variables
or headers. The data stored in environment variables on the Apache
httpd side are neither stored in environment variables (since the
environment is shared, and a multi-threaded server would never work) nor
in request headers (because that's not really appropriate).

Instead, they are stored in the request /attributes/.

Unfortunately, the mod_jk documentation doesn't make that clear. I'll
try to find a reference, even if it's only in the source code.

- -chris



Re: JkExtractSSL not sending SSL information to tomcat

2011-05-24 Thread Christopher Schultz
Marc,

On 5/24/2011 4:59 PM, Christopher Schultz wrote:
 Instead, they are stored in the request /attributes/.

Specifically, these:

javax.servlet.request.cipher_suite - as a String
javax.servlet.request.key_size - as an Integer
javax.servlet.request.ssl_session  - as a String

I'm not sure if you can get the SSL protocol (e.g. SSLv3 vs. TLSv1)
unless you use JkEnvVar to have mod_jk take the http-side's SSL_PROTOCOL
environment variable and send it over to Tomcat like this:

JkEnvVar SSL_PROTOCOL

Then you can get the protocol using request.getAttribute("SSL_PROTOCOL").

I would have expected JkExtractSSL On (which is the default) to
pre-populate a series of SSL-oriented attributes similar to the list
found at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#envvars but
that doesn't appear to be the case -- at least, the attributes cannot be
found under request.getAttribute("SSL_CIPHER"), etc. even when requested
directly (the mod_jk documentation says explicitly that these attribute
names will *not* be included in those returned by
request.getAttributeNames).

- -chris



Re: JkExtractSSL not sending SSL information to tomcat

2011-05-24 Thread Christopher Schultz
Marc,

On 5/24/2011 5:20 PM, Christopher Schultz wrote:
 On 5/24/2011 4:59 PM, Christopher Schultz wrote:
 Instead, they are stored in the request /attributes/.
 
 Specifically, these:
 
 javax.servlet.request.cipher_suite - as a String
 javax.servlet.request.key_size - as an Integer
 javax.servlet.request.ssl_session  - as a String

The above are specified as part of the Servlet 3.0 Specification under
section 3.8. Not shown above (because I wasn't using a client
certificate for testing) is javax.servlet.request.X509Certificate
which is of type java.security.cert.X509Certificate[] (note the array type).

 I would have expected JkExtractSSL On (which is the default) to
 pre-populate a series of SSL-oriented attributes similar to the list
 found at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#envvars but
 that doesn't appear to be the case

Looking at the mod_jk code, it appears that the only variables that are
included by using JkExtractSSL are those shown above. If you want more,
you'll have to use JkEnvVar.

I can confirm that JkEnvVar SSL_PROTOCOL will result in
request.getAttribute("SSL_PROTOCOL") returning TLSv1 or whatever
secure protocol is in use for the current request.

Hope that helps,
- -chris
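
Added example (not part of the original thread, and not mod_jk or Tomcat project code): a diagnostic servlet that reads the request attributes named in the message above. The class name SslAttributeDump is hypothetical, and the httpd side is assumed to have "JkExtractSSL On" and "JkEnvVar SSL_PROTOCOL" configured.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet; the class name is an assumption.
// Assumed httpd configuration: JkExtractSSL On, JkEnvVar SSL_PROTOCOL.
public class SslAttributeDump extends HttpServlet {

    // Servlet-spec attribute keys listed in the thread.
    private static final String[] SPEC_KEYS = {
        "javax.servlet.request.cipher_suite", // String
        "javax.servlet.request.key_size",     // Integer
        "javax.servlet.request.ssl_session",  // String
    };

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // Ask for each key by name: the thread notes that forwarded
        // attribute names are not listed by getAttributeNames().
        for (String key : SPEC_KEYS) {
            Object value = req.getAttribute(key);
            out.println(key + " = " + (value == null ? "(not set)" : value));
        }

        // Present only because JkEnvVar SSL_PROTOCOL forwards it;
        // JkExtractSSL alone does not supply this attribute.
        Object protocol = req.getAttribute("SSL_PROTOCOL");
        out.println("SSL_PROTOCOL = "
                + (protocol == null ? "(not set)" : protocol));

        // Set only when the client presented a certificate; note the array type.
        Object certAttr =
                req.getAttribute("javax.servlet.request.X509Certificate");
        if (certAttr instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) certAttr;
            for (int i = 0; i < chain.length; i++) {
                out.println("cert[" + i + "] subject = "
                        + chain[i].getSubjectX500Principal().getName());
            }
        } else {
            out.println("javax.servlet.request.X509Certificate = (not set)");
        }
    }
}
```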



Re: JkExtractSSL not sending SSL information to tomcat

2011-05-24 Thread Christopher Schultz
Marc,

On 5/24/2011 5:37 PM, Christopher Schultz wrote:
 Looking at the mod_jk code, it appears that the only variables that are
 included by using JkExtractSSL are those shown above. If you want more,
 you'll have to use JkEnvVar.
 
 I can confirm that JkEnvVar SSL_PROTOCOL will result in
 request.getAttribute("SSL_PROTOCOL") returning TLSv1 or whatever
 secure protocol is in use for the current request.

I have clarified this in the mod_jk documentation in the trunk, so it
will be available in the documentation in the next release.

- -chris



Re: JkExtractSSL not sending SSL information to tomcat

2011-05-24 Thread André Warnier

Christopher Schultz wrote:

Marc,

On 5/24/2011 10:56 AM, Marc Boorshtein wrote:

I've setup a pretty generic httpd(2.2.19)+mod_jk to tomcat 6 on Oracle
Linux 5 (CentOS 5 equiv) with SSL setup.  With JkExtractSSL and the
correct SSLOptions in the httpd configuration files.  I can see the
SSL environment variables in /cgi-bin/printenv but no headers or
environment variables in the backend tomcat app.  Am I missing
something?


Something just tickled my brain, here: you said environment variables
or headers. The data stored in environment variables on the Apache
httpd side are neither stored in environment variables (since the
environment is shared, and a multi-threaded server would never work) nor
in request headers (because that's not really appropriate).

Instead, they are stored in the request /attributes/.

Unfortunately, the mod_jk documentation doesn't make that clear. I'll
try to find a reference, even if it's only in the source code.


Checkup JkEnvVar.
http://grokbase.com/topic/2007/04/19/howto-forward-user-name-from-apache-via-mod-jk-to-tomcat/00UYI-2ef5d4aI6oZhrQPFf3JD0
Funny, that..
