All,
I'm following up because I was able to get the following working. In
case anyone else wants to get this all working, the information is all
in (roughly) one place.
1. Apache httpd terminates SSL
2. Apache httpd performs client certificate
Thanks for the comprehensive instructions, very useful.
Keep in mind the 8KB limit for the AJP header packet. Especially in case
you sometime switch to a longer certificate chain, then you might run
into it (and will be able to fix it with max_packet_size).
Regards,
Rainer
On 23.10.2009 18:36,
Rainer,
On 10/23/2009 1:36 PM, Rainer Jung wrote:
Keep in mind the 8KB limit for the AJP header packet. Especially in case
you sometime switch to a longer certificate chain, then you might run
into it (and will be able to fix it with
On 23.10.2009 20:49, Christopher Schultz wrote:
Rainer,
On 10/23/2009 1:36 PM, Rainer Jung wrote:
Keep in mind the 8KB limit for the AJP header packet. Especially in case
you sometime switch to a longer certificate chain, then you might run
into it (and will be able to fix it with
All,
On 10/22/2009 11:50 AM, Christopher Schultz wrote:
SSLVerifyClient optional
SSLVerifyDepth 1
SSLCACertificateFile conf/my-client-cert-ca.crt
Okay, I took the above steps and I can see that Apache httpd will
properly reject clients when using
On 22.10.2009 20:57, Christopher Schultz wrote:
All,
On 10/22/2009 11:50 AM, Christopher Schultz wrote:
SSLVerifyClient optional
SSLVerifyDepth 1
SSLCACertificateFile conf/my-client-cert-ca.crt
Okay, I took the above steps and I can see that Apache httpd will
properly reject clients
Rainer,
On 10/22/2009 3:22 PM, Rainer Jung wrote:
Not sure, but here are some steps to close the gap:
Apache itself should put the cert into a so-called environment variable
named SSL_CLIENT_CERT. You can log env vars in the access log by
Rainer,
On 10/22/2009 5:21 PM, Christopher Schultz wrote:
I even tried adding:
SSLOptions +StdEnvVars
Looks like I was close:
SSLOptions +ExportCertData
...did the trick. I now see an ASCII-formatted certificate dumped into
my wtf.log
All,
On 10/22/2009 5:26 PM, Christopher Schultz wrote:
...did the trick. I now see an ASCII-formatted certificate dumped into
my wtf.log file (yay!) and I get a ClassCastException in my JSP, which
means that the request attribute is definitely not
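
Rainer's note in this thread about the 8KB AJP header packet limit can be checked before a longer chain is deployed. The following is an added example, not code from the thread or from mod_jk: it lays out an AJP13 forward request and measures it with the certificate attached. Assumptions: the chain travels as concatenated PEM in the single client-certificate attribute, header names are sent as strings (worst case), and the addresses, host names and all-zero certificate bodies are constructed.

```python
import base64
import struct

AJP_DEFAULT_PACKET_SIZE = 8192  # the 8KB limit mentioned in the thread
AJP_MAX_PACKET_SIZE = 65536     # largest value mod_jk's max_packet_size accepts
SC_A_SSL_CERT = 0x07            # AJP13 request attribute code: client certificate


def ajp_string(value):
    """Encode an AJP13 string: 2-byte big-endian length, bytes, trailing NUL."""
    raw = value.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def constructed_pem(der_len):
    """Constructed stand-in for a PEM certificate whose DER body is der_len bytes."""
    b64 = base64.b64encode(bytes(der_len)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def forward_request_size(uri, headers, cert_pem):
    """Bytes needed for one AJP13 forward-request packet carrying cert_pem."""
    body = bytes([0x02, 0x02])                      # FORWARD_REQUEST, method GET
    body += ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string("192.0.2.10")                # remote_addr (constructed)
    body += ajp_string("client.example.test")       # remote_host (constructed)
    body += ajp_string("www.example.test")          # server_name (constructed)
    body += struct.pack(">H", 443) + b"\x01"        # server_port, is_ssl
    body += struct.pack(">H", len(headers))
    for name, value in headers.items():
        # Worst case: header names sent as strings rather than 2-byte codes.
        body += ajp_string(name) + ajp_string(value)
    body += bytes([SC_A_SSL_CERT]) + ajp_string(cert_pem)
    body += b"\xff"                                 # end of request attributes
    return 4 + len(body)                            # 0x12 0x34 magic + length


def fits(size, limit=AJP_DEFAULT_PACKET_SIZE):
    """True when a packet of this size stays within the configured limit."""
    return size <= limit


if __name__ == "__main__":
    hdrs = {"host": "www.example.test", "user-agent": "constructed/1.0"}
    for n in (1, 5):
        size = forward_request_size("/app/", hdrs, constructed_pem(1500) * n)
        print(n, "cert(s):", size, "bytes, fits 8KB:", fits(size))
```

If max_packet_size is raised in mod_jk, the AJP connector on the Tomcat side needs a matching packetSize.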