On Tue, Apr 8, 2008 at 2:40 PM, Christopher Ljungblad
<[EMAIL PROTECTED]> wrote:
> Thanks for quick reply Serge,
>
> I'm still a bit confused and can not really address the problem, so
>
> I also checked the ssl access_log where I got these 2 messages:
>
> 192.168.0.254 - - [08/Apr/2008:22:27:59 +0200] "POST
> /servlets/nexus.seam?action=authenticate&client=nexus-personal_4 HTTP/1.1"
> 403 -
>
> 192.168.0.254 - - [08/Apr/2008:22:28:00 +0200] "POST
> /servlets/nexus.seam?action=authenticate&client=nexus-personal_4 HTTP/1.1"
> 500 3012
>
> And in my java code where I usually (using Tomcat and a keystore) can fetch
> the certificates I got a null-pointer exception (certs is now null)
>
> X509Certificate[] certs =
> (X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate");
>
> How do I know that the Apache httpd correctly gets the certificates?You shall be able to pick the up in your application. > How do I fetch the certficate in my java application (Tomcat)? Use mod_jk with appropriate configuration. Something like this: JkWorkersFile /opt/web/tomcat/conf/jk/workers.properties JkLogFile /opt/web/logs/http/mod_jk.log JkLogLevel info JkLogStampFormat "[%a %b %d %H:%M:%S %Y] " JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories JkRequestLogFormat "%w %V %T" # Should mod_jk send SSL information to Tomcat (default is On) JkExtractSSL On # What is the indicator for SSL (default is HTTPS) JkHTTPSIndicator HTTPS # What is the indicator for SSL session (default is SSL_SESSION_ID) JkSESSIONIndicator SSL_SESSION_ID # What is the indicator for client SSL cipher suit (default is SSL_CIPHER) JkCIPHERIndicator SSL_CIPHER # What is the indicator for the client SSL certificated (default is SSL_CLIENT_C ERT) JkCERTSIndicator SSL_CLIENT_CERT So far this is the only method that worked for me. Sorry, I'm not a Java developer and can't give you info on how to retrieve client certs in Java. > Any other suggestions what is going wrong are highly appreciated. Check this https://issues.apache.org/bugzilla/show_bug.cgi?id=12355 for more details on this problem. > > Cheers > Chris > > > > > > On Tue, Apr 8, 2008 at 9:54 PM, Serge Dubrouski <[EMAIL PROTECTED]> wrote: > > > > > > > > > Just ignore them, they are generated when client switches between > > locations with different SSLVerifyClient options set. > > > > > > > > > > On Tue, Apr 8, 2008 at 1:51 PM, Christopher Ljungblad > > <[EMAIL PROTECTED]> wrote: > > > Hi, > > > We are using Apache httpd 2.2.3 on Red hat linux and have a problem with > our > > > client certificates. > > > > > > In the ssl.conf file we have a configured a Virtual Host that listens to > > > port 444 that requires the client to verify a certificate. > > > > > > <VirtualHost *:444> > > > <Location /servlets/*> > > > SSLVerifyClient require > > > SSLVerifyDepth 1 > > > SSLCACertificateFile /etc/pki/tls/certs/xxxxx_users.cer > > > </Location> > > > > > > This works out fine, the client certificate can be choosen in the > browser > > > and I can fill in the password and click "ok". > > > But the certificate is not validated correctly and the ssl_error log > says: > > > > > > [Tue Apr 08 15:25:23 2008] [error] Re-negotiation handshake failed: Not > > > accepted by client!? > > > > > > What am I missing? I got this working in Tomcat using the exact same > > > certificate. Is there a way to keep the client certificate > > > handling in Tomcat. > > > > > > Regards > > > /Christopher > > > > > > > > > > > > > > -- > > Serge Dubrouski. > > > > --------------------------------------------------------------------- > > The official User-To-User support forum of the Apache HTTP Server Project. > > See <URL:http://httpd.apache.org/userslist.html> for more info. > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > " from the digest: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > -- Serge Dubrouski. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
