At the moment, mod_jk only sends the top-level cert to Tomcat. The reasons are largely historical: mod_jk was originally developed for Tomcat 3.x, and the 2.2 Servlet spec only allows exposing the top-level cert. Apache has already validated the chain by the time it gets to mod_jk, so this isn't the security problem that it looks like.
Patches are always welcome ;-).

"Mark W. Webb" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I have been researching this issue for a few days, and have come to the
> conclusion that apache 2.0.46 is not exporting the entire certificate
> chain to tomcat when I use mutually authenticated SSL. I have tried
> different configurations, and also some cgi-type programs to determine
> whether or not I am doing something wrong. So far, I have only been
> able to get apache to export the user certificate to tomcat. I want
> tomcat to have the entire certificate chain that was used in the SSL,
> and not just the user certificate.
>
> Does anyone know if this is a limitation of apache, a bug, or am I doing
> something wrong?
>
> Thank you.
