httpd-dev mailing list archives

From Bruno Harbulot <Bruno.Harbu...@manchester.ac.uk>
Subject Re: mod_ssl, SSL_CLIENT_CERT_CHAIN, mod_proxy_ajp and full chain of client certificates
Date Mon, 06 Oct 2008 16:14:26 GMT


Mladen Turk wrote:
> Bill Barker wrote:
>>
>> Mladen's patch to mod_jk is simpler than this one, so I would prefer 
>> it to this one.  But I have no voting rights on this list :).
>>
> 
> Right, I'll prepare something for mod_proxy as well.
> It is on my TODO list for a long time.

Thank you. As I was saying in my previous message on this list [*], I've 
been able to get the full chain of certificates with mod_jk successfully 
with Jetty. One of the reasons I wanted to change is that the Jetty team 
now recommends using mod_proxy.
In fact, they also suggest using mod_proxy_http rather than mod_proxy_ajp.
For this, I think getting the full chain of certificates would require a 
variable in mod_ssl (for example SSL_CLIENT_CERT_CHAIN as it's done 
using my patch, or something else and/or a better patch), combined with 
a custom header via mod_headers. Of course, this would also require the 
reverse proxy to clear such a user-provided request header, if present, 
to avoid spoofing. I suppose this could be useful for other containers 
behind a reverse proxy, even if they don't support AJP.

Best wishes,

Bruno.


[*] 
http://mail-archives.apache.org/mod_mbox/httpd-dev/200810.mbox/%3Cgcd6qb$9hg$1@ger.gmane.org%3E
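
The mod_ssl plus mod_headers arrangement described in the message above, written out as an added example (it is not part of the original message and not the patch under discussion). It uses the stock mod_ssl variables SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAIN_0 rather than the single SSL_CLIENT_CERT_CHAIN variable the patch proposes; the header names, file paths and backend address are assumptions.

```apache
# Added example. Header names, file paths and the backend address are assumptions.
# TLS vhost: verifies the client certificate and forwards it to the backend.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/server.crt
    SSLCertificateKeyFile /etc/httpd/tls/server.key
    SSLCACertificateFile  /etc/httpd/tls/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  3

    # 1. Drop whatever the client sent under the reserved header names.
    RequestHeader unset X-SSL-Client-Cert
    RequestHeader unset X-SSL-Client-Cert-Chain-0

    # 2. Re-create the headers from mod_ssl's own view of the handshake.
    RequestHeader set X-SSL-Client-Cert "%{SSL_CLIENT_CERT}s"
    RequestHeader set X-SSL-Client-Cert-Chain-0 "%{SSL_CLIENT_CERT_CHAIN_0}s"

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Plain-HTTP vhost reaching the same backend: nothing sets the headers here,
# so the unset lines are all that keeps a client-supplied value from the backend.
<VirtualHost *:80>
    RequestHeader unset X-SSL-Client-Cert
    RequestHeader unset X-SSL-Client-Cert-Chain-0

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The backend can rely on these headers only if it accepts connections from the proxy alone; any other route to it bypasses the unset step.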

