httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bruno Harbulot <>
Subject Re: mod_ssl, SSL_CLIENT_CERT_CHAIN, mod_proxy_ajp and full chain of client certificates
Date Mon, 06 Oct 2008 14:19:54 GMT

I thought that Tomcat (at least recent versions) was able to get the 
full chain, but I guess I was wrong.
I'm in fact using Jetty behind mod_jk, and it exposes the full chain of 
certificates in the "javax.servlet.request.X509Certificate" request 
attribute, as expected (I am using "JkOptions +ForwardSSLCertChain"). 
The version of mod_jk I'm using is that shipped with Ubuntu 8.04, so 
it's mod_jk 1.2.25. As far as I can tell, it hasn't been patched for 
this. I've also tried it successfully with the version shipped with CentOS.

I was getting the impression that mod_jk was being deprecated in favour 
of mod_proxy_ajp. I've also experienced intermittent connection problems 
between Apache Httpd and the Jetty-based application I'm using. These 
problems could be due to many things, including the way I've deployed 
the system, so I've tried to investigate it by using mod_proxy_ajp 
instead of mod_jk.

Best wishes,


Bill Barker wrote:
> Yes, while mod_jk has an option to send the cert chain (added a little over 
> 18 months ago by mturk), no Tomcat connector has an option to read it.  As a 
> result, Tomcat will read the end certificate and ignore the rest of the 
> chain.
> This is because the AJP/1.3 protocol was created back in the days of 
> Servlet-2.2 (corresponding to Tomcat 3.x) and back then only the end 
> certificate was exposed by the Servlet-API.
> Mladen's patch to mod_jk is simplier than this one, so I would prefer it to 
> this one.  But I have no voting rights on this list :).
> "Bruno Harbulot" <> wrote in message 
> news:gbt26i$9p2$
>> Hello,
>> I'm trying to use mod_proxy_ajp instead of mod_jk, but I'd like to be
>> able to pass the whole client certificate chain, instead of only the end
>> certificate. The servlet specification allows for a chain of
>> certificates to be presented and this is indeed possible with mod_jk,
>> using "JkOptions +ForwardSSLCertChain".
>> This doesn't seem to be possible using mod_proxy_ajp, which uses the
>> content of the SSL_CLIENT_CERT variable only.

View raw message