httpd-users mailing list archives

From nicolas.villoutr...@accenture.com
Subject [users@httpd] RE : [users@httpd] Forwarding client Certficates from mod_ssl to a distant mod_jk through HTTPHeaders.
Date Fri, 06 Feb 2004 12:47:35 GMT
FYI
 
 
 
Hi Joe,
For my purpose, I think the first method would be better.
 
I want to forward the SSL certificate from one Apache to another. The solution I experimented
with was using mod_proxy and mod_headers.
 
I want to include the SSL cert in a header and then read the header and store the client
cert back as an environment variable, just as it is stored by mod_ssl, so that mod_jk acts
as if mod_ssl was installed on the same Apache. As I know mod_jk works fine combined with
mod_ssl on the same server, my strategy is to fake a mod_ssl on the second server by writing
the same environment variable as mod_ssl does.
 
That is why I would prefer to transfer the certificate in PEM format with the wrapping,
without modifying it; otherwise I will have to fix mod_jk to understand other formats of certificates.
 
Besides, wouldn't it be more logical to fix mod_headers to handle multiple lines correctly
instead of extending mod_ssl?
 
Cheers,
Nicolas.
 
 

	-------- Original message --------
	From: Joe Orton [mailto:jorton@redhat.com]
	Date: Fri. 06/02/2004 10:50
	To: Villoutreix, Nicolas
	Cc: users@httpd.apache.org
	Subject: Re: [users@httpd] Forwarding client Certficates from mod_ssl to a distant mod_jk through HTTPHeaders.
	
	

	On Tue, Feb 03, 2004 at 01:56:08PM +0100, nicolas.villoutreix@accenture.com wrote:
	...
	> But the main issue is about storing a client certificate in a HTTP
	> header : When mod_ssl writes the certificate as an environment
	> variable, it produces a multi-line output and the RequestHeader
	> directive isn't able to transfer it into a correct multi-line HTTP
	> header.
	
	> I saw in the httpd-dev mailing-list archive that there was a patch in
	> apache 2.0 submitted, but it does not seem to have been integrated
	> (http://www.mail-archive.com/modssl-users@modssl.org/msg15917.html).
	
	Hi - I looked at the solution Maik presented, it does seem a little like
	overkill.  After all: the SSL_CLIENT_CERT variable is already a base64
	representation of the certificate.
	
	I wonder whether the simplest fix would be to change mod_headers to
	handle multi-line env.vars correctly; either by sending them over
	multiple lines correctly, or by flattening them on to a single line.
	
	Another alternative would be to extend mod_ssl to produce a single-line
	equivalent of SSL_CLIENT_CERT directly. (just directly converting the
	DER cert into a base64 string without the PEM wrapping)
	
	Would both of those work for whatever you do with the cert the other
	end?
	
	Regards,
	
	joe
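
Added example, not part of the original thread and not Apache or mod_jk code: a Python illustration of the single-line option discussed above, where the front end flattens the multi-line PEM value of SSL_CLIENT_CERT into one header-safe base64 line (the same string as base64 of the DER certificate) and the back end rebuilds the PEM wrapping before handing it on. The function names are hypothetical and the sample bytes are a constructed stand-in, not a real certificate.

```python
import base64
import re

PEM_HEAD = "-----BEGIN CERTIFICATE-----"
PEM_TAIL = "-----END CERTIFICATE-----"
B64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def check_b64(value: str) -> bytes:
    """Accept only one line of base64; return the decoded DER bytes."""
    # fullmatch rejects CR, LF, spaces and anything else outside the base64
    # alphabet, so the value cannot carry an extra header line.
    if not B64_LINE.fullmatch(value):
        raise ValueError("not single-line base64")
    return base64.b64decode(value, validate=True)  # ValueError on bad padding


def wrap_pem(b64: str) -> str:
    """Re-wrap base64 at 64 columns between the PEM markers."""
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{PEM_HEAD}\n{body}\n{PEM_TAIL}\n"


def pem_to_header_value(pem: str) -> str:
    """Front end: strip PEM markers and line breaks from SSL_CLIENT_CERT."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("expected exactly one PEM certificate")
    value = "".join(lines[1:-1])
    check_b64(value)  # a second certificate's markers would fail here
    return value


def header_value_to_pem(value: str) -> str:
    """Back end: rebuild the multi-line PEM text from the header value."""
    check_b64(value)
    return wrap_pem(value)


# Constructed stand-in bytes, not a real certificate: only the encoding matters.
SAMPLE_DER = bytes(range(256)) * 2
SAMPLE_PEM = wrap_pem(base64.b64encode(SAMPLE_DER).decode("ascii"))

if __name__ == "__main__":
    flat = pem_to_header_value(SAMPLE_PEM)
    print(len(flat), "characters on one line")
    print(header_value_to_pem(flat) == SAMPLE_PEM)
```

The back end should accept such a header only from the front-end proxy, and the front end should discard any copy of it that arrives from the client.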
	

 

