Re: [users@httpd] How to send WHOLE SSL_CLIENT_CERT in reverse proxy?

Wed, 22 Nov 2006 11:47:27 -0800 

What is the backend serverf? If it's Tomcat or JBoss I'd suggest to
use AJP connector that allows to pass client certificates to backend.

On 11/22/06, Lucuk, Pete <[EMAIL PROTECTED]> wrote:

Hello,

I currently have a HTTPS reverse proxy setup and it works like a champ!

I am trying to pass the client cert from the reverse proxy to the
backend server in the headers like so...

RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
RewriteRule .* - [E=SSLCC:%1]
RequestHeader add X-SSL-Client-Cert %{SSLCC}e
RewriteRule ^/https(.*)$ https://kftcsu09.ftc.lab:6443/$1 [P,L]

Problem is, on the backend server that receives the request with client
cert. in the headers it looks like this...

XXX "-----BEGIN CERTIFICATE-----" XXX 10.0.0.114 - -
[21/Nov/2006:16:15:02 -0500] "GET / HTTP/1.1" 200 4855 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

I only get the FIRST line of the client certificate...

-----BEGIN CERTIFICATE-----

And NOT the whole thing like...

-----BEGIN CERTIFICATE-----
MIIDhjCCAm6gAwIBAgIQZ/IVv3ytMJxL1k62UAK1aDANBgkqhkiG9w0BAQUFADAY
Stuff, stuff, stuff,
CnsoGAWH1LHipceWTVaxAh+ZlmP9iwjD6+i7oGSFnuNT9iKBrRXHQuZt
-----END CERTIFICATE-----


I am assuming that the newlines in the client certificate on the reverse
proxy are hosing up sending the WHOLE client certificate.

How do I fix this problem?

Do I try to take out the new lines in rewrite somehow?, how do I do
that, I have no clue.

Do I try to do something else? What and how?

I have searched and could not find anything.

Thanks much for you help, I appreciate it.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to