achieving a clients (browsers) certificate in a webapp

Tue, 22 Jul 2003 08:03:18 -0700 

now this seems like a big task!

we've been trying to achieve a clients certificate from the request-object,
which
failed because there is no parameter for achieving the x509Certificate
installed
in the browser of the client out of the request-object
(javax.servlet.ServletRequest).

the certification of the server works fine, except the fact that the
server-name
on the certificate doesn't match the actual server-name of the webserver
(we're about
to change the server-name)

anyway, we've spend the whole day - but we had no chance to figure out where
the
problem's hidden.

what we use:
jdk 1.3
apache 2.0.45 with openssl
tomcat 4.1.24
mod_jk connector


other hint:
 - https connection works on the webapp
 

important parts of the configuration files:

******* configuration of ssl.conf looks like this:
<IfDefine SSL>
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300

SSLMutex  file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost _default_:443>
DocumentRoot "/opt/httpd-2.0.45/htdocs"
#ServerName new.host.name:443
ServerName servername.is.ok:443
ServerAdmin [EMAIL PROTECTED]
ErrorLog logs/error_log
TransferLog logs/access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /opt/httpd-2.0.45/conf/ssl.crt/server.crt

SSLCertificateKeyFile /opt/httpd-2.0.45/conf/ssl.key/server.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/opt/httpd-2.0.45/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>                                  
</IfDefine>


******* configuration of httpd.conf looks like this:
...
#
# Bring in additional module-specific configurations
#
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>
...

JkWorkersFile /opt/jakarta/conf/jk/workers.properties
JkLogFile /opt/jakarta/logs/mod_jk.log

JkLogLevel debug

JkMount /examples ajp13
JkMount /examples/* ajp13
...


******* configuration of server.xml looks like this:
...
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="10" debug="0" scheme="https" secure="true"
               useURIValidationHack="false"> 
      <Factory
className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS" 
               keystoreFile=".keystore" keystorePass="xxxxx" />
    </Connector>

    <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8009" minProcessors="5" maxProcessors="75"
               enableLookups="true" redirectPort="8443"
               acceptCount="10" debug="0" connectionTimeout="0"
               useURIValidationHack="false"
 
protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
...

******* just anyone?

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to