On 22.10.2009 20:57, Christopher Schultz wrote:
> All,
> 
> On 10/22/2009 11:50 AM, Christopher Schultz wrote:
>> SSLVerifyClient optional
>> SSLVerifyDepth 1
>> SSLCACertificateFile conf/my-client-cert-ca.crt
> 
> Okay, I took the above steps and I can see that Apache httpd will
> properly reject clients when using "SSLVerifyClient require" and a
> signed client certificate cannot be found.
> 
> If the client certificate IS provided, Apache httpd will allow access to
> a protected <Location>.
> 
> After confirming that...
> 
>> Next, I need my mod_jk/Tomcat configuration updated so that I can get
>> the certificate forwarded via AJP:
> 
>> # not sure if this is required, since validation of the client
>> # cert has already occurred.
>> JkOptions +ForwardSSLCertChain
> 
>> Finally, in my code:
> 
>> // The attribute value is an X509Certificate[] (client cert first), not a single cert
>> X509Certificate[] clientCerts =
>>     (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
> 
> The above code ends up with a null object. I have a request snooping JSP
> file, too, that confirms that this request attribute is not present
> (though I do know that certain request attributes are not reported by
> request.getAttributeNames).
> 
> Is there something else I'm missing?

Not sure, but here are some steps to close the gap:

Apache itself should put the cert into a so-called environment variable
named "SSL_CLIENT_CERT". You can log env vars in the access log by
adding "%{SSL_CLIENT_CERT}e" to your LogFormat. That way you can first
check whether the cert data is present in Apache.

mod_jk takes it out of that env var (you can configure the name of the
env var, but that should not be necessary) and forwards it via AJP13.
This is done if JkExtractSSL is *not* set to false, i.e. it is done if
not explicitly disabled.

When setting mod_jk to JkLogLevel debug, it should log

SSL client certificate (%d bytes): %s

debug log level is not good for production ;)

Now there's a problem, because the certificate chain is sent together
with all other request headers in a single AJP13 packet (the protocol
requires that) and by default AJP13-packets are limited to 8KB. Often
this is not enough for certificate chains. In this case you should get a
log line in the mod_jk log with ERROR level:

failed appending the SSL certificates

To make it work, you can increase the maximum AJP packet size in the
mod_jk configuration *and* in the Tomcat configuration. Look for
"max_packet_size" in
http://tomcat.apache.org/connectors-doc/reference/workers.html and
carefully read the comment.

Hope that works (duck and run).

Regards,

Rainer
