httpd-dev mailing list archives

From Bruno Harbulot
Subject mod_ssl, SSL_CLIENT_CERT_CHAIN, mod_proxy_ajp and full chain of client certificates
Date Tue, 30 Sep 2008 11:22:57 GMT

I'm trying to use mod_proxy_ajp instead of mod_jk, but I'd like to be 
able to pass the whole client certificate chain, instead of only the end 
certificate. The servlet specification allows for a chain of 
certificates to be presented and this is indeed possible with mod_jk, 
using "JkOptions +ForwardSSLCertChain".

This doesn't seem to be possible using mod_proxy_ajp, which uses the 
content of the SSL_CLIENT_CERT variable only.

I thought I would be able to pass the chain using mod_headers. 
Unfortunately, there doesn't seem to be a mod_ssl variable that 
represents the whole chain. There is a set of variables called 
SSL_CLIENT_CERT_CHAIN_n (where n is an integer), but they have to be 
named individually.

I'm attaching the patch I've written to provide a variable called 
SSL_CLIENT_CERT_CHAIN, which is the concatenation of all the 
certificates in the chain, in PEM format. (It also sets 
SSL_CLIENT_CERT_CHAIN_0 when there's no chain available but just one 

A few tests with mod_headers "RequestHeader set X-ClientCertChain 
%{SSL_CLIENT_CERT_CHAIN}s" seem to indicate that it works.

However, I've also tried to modify mod_proxy_ajp to send the whole 
chain, but this doesn't work:

--- a/modules/proxy/ajp.h
+++ b/modules/proxy/ajp.h
@@ -60,7 +60,7 @@

  /* The following environment variables match mod_ssl! */
  #define AJP13_HTTPS_INDICATOR           "HTTPS"
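
Review bot: the ajp.h hunk as posted carries only two context lines (the "match mod_ssl" comment and the AJP13_HTTPS_INDICATOR define) and no + or - lines, although its header @@ -60,7 +60,7 @@ announces seven lines on each side, so the define that was changed cannot be seen. Please resend the complete hunk inline, together with the mod_ssl part that adds SSL_CLIENT_CERT_CHAIN, so the mod_proxy_ajp change can be checked against the variable name it is meant to look up.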

This patch has been made against the svn trunk, rev 695234.

I'm aware that my knowledge of the Apache Httpd code is limited, so this 
patch is likely to need improvements (there's obviously something wrong 
since my modification to mod_proxy_ajp doesn't work).
I'd appreciate any comments and suggestions.

Best wishes,
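
An added example, not part of the original message or its patch: a backend-side splitter for a header such as X-ClientCertChain carrying the concatenated PEM chain described above. It assumes the PEM line breaks may arrive folded to spaces; the function names and the sample "certificates" are constructed for illustration.

```python
import base64
import re

# One PEM certificate block. The separators inside it may be newlines or
# spaces (assumption: header line breaks can arrive folded to spaces).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def split_pem_chain(header_value):
    """Return the DER bytes of each certificate, in the order received."""
    # mod_headers renders an unset or empty variable as the literal "(null)".
    if not header_value or header_value.strip() == "(null)":
        return []
    # Reject anything that is not purely a sequence of PEM blocks.
    if PEM_BLOCK.sub("", header_value).strip():
        raise ValueError("unexpected data outside PEM blocks")
    chain = []
    for body in PEM_BLOCK.findall(header_value):
        der = base64.b64decode("".join(body.split()), validate=True)
        # An X.509 certificate is a DER SEQUENCE, so it starts with 0x30.
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not hold a DER SEQUENCE")
        chain.append(der)
    return chain


def fake_pem(der):
    """Wrap constructed bytes in PEM armour, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"])


# Constructed stand-ins, not real certificates: a SEQUENCE tag plus filler.
LEAF = b"\x30\x81\x60" + b"\x01" * 96
ISSUER = b"\x30\x81\x60" + b"\x02" * 96
SAMPLE_CHAIN = fake_pem(LEAF) + "\n" + fake_pem(ISSUER)
FOLDED_CHAIN = SAMPLE_CHAIN.replace("\n", " ")

if __name__ == "__main__":
    for value in (SAMPLE_CHAIN, FOLDED_CHAIN, "(null)"):
        print(len(split_pem_chain(value)), "certificate(s)")
```

A backend should accept such a header only on the connection from the front-end proxy, because the value is otherwise client-controlled.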

