On Mon, 17 Sep 2001, GOMEZ Henri wrote:

> Date: Mon, 17 Sep 2001 23:40:29 +0200
> From: GOMEZ Henri <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: RE: SSL Attributes
>
> >
> >> But what did we need to have present in SPEC ?
> >> client cert and ca cert or only client cert ?
> >
> >*All* certs in the chain are required for authentication. There could be
> >several tiers: i.e. CA 1 signs CA 2's cert, then CA 2 signs the company
> >cert. I don't know what the specs have to say, and I don't know what the
> >impact on the connectors is, but in order for client authentication to
> >work correctly, I need the whole chain.
>
> So are you sure we get all the certs from mod_ssl ?
>
> We're currently using var SSL_CLIENT_CERT:
>
> If you take a look at the mod_ssl doc you'll see:
>
> http://www.modssl.org/docs/2.8/ssl_reference.html
>
> SSL_CLIENT_CERT         string  PEM-encoded client certificate
> SSL_CLIENT_CERT_CHAINn  string  PEM-encoded certificates in client certificate chain
>
> To follow the spec fully we will also have to use
> SSL_CLIENT_CERT_CHAINn (n = 0 -> x).
>
> That will be just too many vars (bytes) to send each
> time we forward a request.
>

JSSE exposes the underlying SSL session and offers an API with storable
attributes like an HttpSession.  Tomcat 4 caches its converted version of
the cert chain there (to avoid reparsing every single time).  Could you do
something similar and transfer the certs only at the beginning of an SSL
session, and cache them on the Java side?

This would require mod_ssl to tell you when an SSL session begins and ends
... I don't know if it does that.


Craig


> It's something I plan to handle differently in ajp14
> (ask the web server whether the tomcat/servlet dev needs it),
> but for now couldn't we assume we only need the
> client cert for strict 2.2 compliance?
>
> Craig just said :
>
> 2.2 just says "an array".
>
> 2.3 says "The order of this array is defined as being in ascending
> order of trust.  The first certificate in the chain is the one set by the
> client, the next is the one used to authenticate the first, and so on."
>
> What about?
>
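To make the two mechanics discussed in this thread concrete, here is an added Python illustration; it is not code from Tomcat, mod_jk or mod_ssl, nor anything Craig or Henri posted. It assembles the servlet-spec certificate array from SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAINn in the 2.3 ordering (client cert first, then each issuer in turn), and caches that parsed chain per SSL session as Craig suggests, so the certificates only have to cross the connector on the first request of a session. It assumes mod_ssl's SSL_SESSION_ID variable is forwarded as the cache key and, as the quoted reference reads, that CHAIN0..n carry the issuer certificates rather than a second copy of the client certificate. The PEM bodies are constructed placeholders (base64 of short labels), not real X.509 data, so no signature verification is attempted.

```python
import base64
import re

# mod_ssl variable names from the quoted ssl_reference; SSL_SESSION_ID is a
# further mod_ssl export, assumed here to be forwarded as the cache key.
CLIENT_CERT = "SSL_CLIENT_CERT"
CHAIN_RE = re.compile(r"^SSL_CLIENT_CERT_CHAIN(\d+)$")
SESSION_ID = "SSL_SESSION_ID"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body to DER bytes."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("not a PEM certificate block")
    return base64.b64decode("".join(m.group(1).split()))


def chain_from_env(env):
    """Build the Servlet 2.3 array: client cert first, then CHAIN0, CHAIN1, ...
    (ascending order of trust). Returns [] when no client cert was sent."""
    if CLIENT_CERT not in env:
        return []
    chain = [pem_to_der(env[CLIENT_CERT])]
    # Sort on the numeric suffix: a plain string sort would place CHAIN10
    # before CHAIN2 and scramble the issuer order.
    issuers = []
    for name, value in env.items():
        m = CHAIN_RE.match(name)
        if m:
            issuers.append((int(m.group(1)), value))
    for _, pem in sorted(issuers):
        chain.append(pem_to_der(pem))
    return chain


def forwarded_bytes(env):
    """Certificate bytes the web server would ship with a request if every
    cert variable were forwarded each time (Henri's concern)."""
    return sum(len(v) for k, v in env.items()
               if k == CLIENT_CERT or CHAIN_RE.match(k))


class SessionChainCache:
    """Parsed chains keyed on SSL_SESSION_ID, so certificates only need to
    cross the connector on the first request of a session. Without a
    session-end signal from mod_ssl the cache also bounds its own size."""

    def __init__(self, max_entries=1024):
        self._chains = {}        # dict keeps insertion order: oldest first
        self.max_entries = max_entries
        self.parses = 0          # how many times a chain was actually parsed

    def chain_for(self, env):
        sid = env.get(SESSION_ID)
        if sid is not None and sid in self._chains:
            return self._chains[sid]     # later request: no cert vars needed
        self.parses += 1
        chain = chain_from_env(env)
        if sid is not None and chain:    # never cache "no cert seen"
            self._chains[sid] = chain
            if len(self._chains) > self.max_entries:
                del self._chains[next(iter(self._chains))]
        return chain

    def session_ended(self, sid):
        """Hook for the session-end notification Craig asks about."""
        self._chains.pop(sid, None)


def make_pem(label):
    """Constructed stand-in for a PEM certificate: base64 of a short label,
    not real DER, so the ordering logic can be exercised offline."""
    body = base64.b64encode(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Constructed request environment mimicking mod_ssl's exports.
SAMPLE_ENV = {
    SESSION_ID: "0123abcd",
    CLIENT_CERT: make_pem("client cert (constructed)"),
    "SSL_CLIENT_CERT_CHAIN0": make_pem("intermediate CA 2 (constructed)"),
    "SSL_CLIENT_CERT_CHAIN1": make_pem("root CA 1 (constructed)"),
}

if __name__ == "__main__":
    cache = SessionChainCache()
    chain = cache.chain_for(SAMPLE_ENV)
    print([c.decode() for c in chain])
    # A later request on the same session carries only the session id.
    cache.chain_for({SESSION_ID: "0123abcd"})
    print("parses:", cache.parses,
          "bytes per full forward:", forwarded_bytes(SAMPLE_ENV))
```

The cache deliberately refuses to remember an empty result: a request that arrives with an unknown session id and no certificate variables is treated as unauthenticated for that request only, so a later request that does carry the chain can still populate the entry. Bounding the cache by entry count is the fallback for the open question in the thread, namely that mod_ssl may not tell the connector when a session ends.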
