Andy Armstrong wrote:
[snip]
> I've now had a look at the 3.3 source for ajp13 and I think I understand
> the problem. Look at this:
>
> if(s->ssl_cert_len) {
>     if(0 != jk_b_append_byte(msg, SC_A_SSL_CERT) ||
>        0 != jk_b_append_string(msg, s->ssl_cert)) {
>         jk_log(l, JK_LOG_ERROR,
>                "Error ajp13_marshal_into_msgb - Error appending the SSL certificates\n");
>
>         return JK_FALSE;
>     }
> }
>
> I've been assuming that ssl_cert_len and ssl_cert are independent
> variables, and specifically that it's possible, and desirable, to know
> the length of the cert without actually having the cert. However, the
> ajp13 code assumes that if you know the length of the cert you also have
> the cert. If ssl_cert_len != 0 then it assumes that ssl_cert != NULL and
> attempts to send it.
>
> Is this correct? Is it never useful to know the cert's length without
> having the cert itself?
I've now found where Domino stashes the cert/cert length and am now
passing them through to Tomcat. I'll make a new release tomorrow when
I've had a chance to test against an NT Domino server.
Incidentally, is it the case that the SSL Cert contains, in effect,
arbitrary binary data? If so the code I quoted above from ajp13 seems to
be flawed in that it uses jk_b_append_string() (which expects a null
terminated string) to append the cert to the message. If there happens
to be a zero byte in the cert it will be truncated at that point.
--
Andy Armstrong, Tagish
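The truncation Andy describes, shown in a small added example (not mod_jk's code): a toy AJP13-style buffer where a string is written as a 2-byte length, the bytes, and a trailing 0x00. The `msg_t`, `append_bytes` and `append_cstring` names are this example's own stand-ins for the `jk_b_*` helpers, and the six-byte "certificate" is constructed, with a zero byte in the middle as DER data routinely has.

```c
#include <string.h>
#include <stddef.h>

/* Minimal AJP13-style message buffer (this example's own, not mod_jk's):
 * a string is encoded as 2-byte big-endian length, the bytes, then 0x00. */
typedef struct {
    unsigned char buf[256];
    size_t len;
} msg_t;

/* Length-aware append: safe for arbitrary binary data such as a DER cert. */
int append_bytes(msg_t *m, const unsigned char *p, size_t n) {
    if (n > 0xFFFF || m->len + 2 + n + 1 > sizeof m->buf) return -1;
    m->buf[m->len++] = (unsigned char)(n >> 8);
    m->buf[m->len++] = (unsigned char)(n & 0xFF);
    memcpy(m->buf + m->len, p, n);
    m->len += n;
    m->buf[m->len++] = 0;            /* AJP13 trailing terminator */
    return 0;
}

/* strlen-based append, the way a NUL-terminated-string helper behaves:
 * the payload silently ends at the first zero byte. */
int append_cstring(msg_t *m, const char *s) {
    return append_bytes(m, (const unsigned char *)s, strlen(s));
}

/* The payload length a receiver would read back from the 2-byte prefix. */
size_t encoded_len(const msg_t *m) {
    return ((size_t)m->buf[0] << 8) | m->buf[1];
}

/* Constructed sample "certificate": six bytes with a 0x00 in the middle. */
static const unsigned char cert[] = {0x30, 0x82, 0x00, 0x7f, 0x02, 0x01};

size_t len_via_cstring(void) {
    msg_t m = {{0}, 0};
    append_cstring(&m, (const char *)cert);  /* strlen stops at cert[2] */
    return encoded_len(&m);                 /* 2 */
}

size_t len_via_bytes(void) {
    msg_t m = {{0}, 0};
    append_bytes(&m, cert, sizeof cert);     /* carries all six bytes */
    return encoded_len(&m);                 /* 6 */
}
```

The receiver would see a two-byte "certificate" from the string path and the full six bytes from the length-aware path, which is why a cert must be marshalled with its length rather than via a C-string helper.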