httpd-users mailing list archives

From nicolas.villoutr...@accenture.com
Subject RE : RE : [users@httpd] RE : [users@httpd] Forwarding client Certficates from mod_ssl to a distant mod_jk through HTTPHeaders.
Date Tue, 02 Mar 2004 13:08:29 GMT
I changed the Jk directive to point to the HTTP_SSL_CLIENT_CERT variable.
It does not work. In fact, it seems that the variable forwarded through the header is not
exactly the same as the one exported by mod_ssl.
Here is the Perl printenv:

HTTP_HOST="172.20.8.17:8445"
HTTP_KEEP_ALIVE="300"
HTTP_SSL_CLIENT_CERT="-----BEGIN CERTIFICATE----- MIICqTCCAhICAQIwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAkZSMQwwCgYD
VQQIEwNJREYxDjAMBgNVBAcTBVBhcmlzMSUwIwYDVQQKExxDZXJ0aWZpY2F0aW9u IEF1dGhvcml0eSwgSW5jMScwJQYDVQQLEx5DbGllbnQgY2VydGlmaWNhdGlvbiBh
dXRob3JpdHkxEjAQBgNVBAMTCUNsaWVudCBDQTEfMB0GCSqGSIb3DQEJARYQY2xp ZW50X2NhQGNhLmNvbTAeFw0wNDAxMjgxMjEwMzBaFw0wNTAxMjcxMjEwMzBaMIGI
MQswCQYDVQQGEwJGUjERMA8GA1UECBMIQnJldGFnbmUxDzANBgNVBAcTBlJlbm5l czEXMBUGA1UEChMOTXkgQ29tcGFueSBMdGQxGDAWBgNVBAMUD0ZyYW7nb2lzIFBp
Z25vbjEiMCAGCSqGSIb3DQEJARYTZnBpZ25vbkBob3RtYWlsLmNvbTCBnzANBgkq hkiG9w0BAQEFAAOBjQAwgYkCgYEAt7wimDsCaynG4LkOqAMmw/IGux4VjnuR854/
k3uEi9/0JpuIstl/ZapSRbQGXqEVUczgxreV3WzRkKygGL+v11JZKaHERmuclFF3 5+HnxGFm94OjAP2ruYvu/hSoToZXubABIdGvvTXvdGOebKdeGgGM6WmzWOxFyQ4y
iJTVbwMCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBNAgaR2N1ehIrDv8hpypd4Q9aQ 0fycSwHPbJbxRCifHw1i28QAOGy8fen7TNhc6haTwUG2TctxyguhxylqnG/qiOvy
rfwOPF175DIVueM7hE73+x0eflCziL1QDPOEDPSOY5IDIJMpUX+6Haxy6l3N3JQq GvheL/tRVr3eYH6yQA== -----END
CERTIFICATE----- "
HTTP_TEST="ETSTSETSETSETSTSE"
HTTP_TESTHEADER="D=744 t=1078231011168118 Test sur la transmission de variables d'environnement
dans le Header : Variable TOTO = toto"
HTTP_USER_AGENT="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8"
MOD_PERL="mod_perl/1.99_12"
SSL_CLIENT_A_KEY="rsaEncryption"
SSL_CLIENT_A_SIG="md5WithRSAEncryption"
SSL_CLIENT_CERT="-----BEGIN CERTIFICATE-----\nMIICqTCCAhICAQIwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAkZSMQwwCgYD\nVQQIEwNJREYxDjAMBgNVBAcTBVBhcmlzMSUwIwYDVQQKExxDZXJ0aWZpY2F0aW9u\nIEF1dGhvcml0eSwgSW5jMScwJQYDVQQLEx5DbGllbnQgY2VydGlmaWNhdGlvbiBh\ndXRob3JpdHkxEjAQBgNVBAMTCUNsaWVudCBDQTEfMB0GCSqGSIb3DQEJARYQY2xp\nZW50X2NhQGNhLmNvbTAeFw0wNDAxMjgxMjEwMzBaFw0wNTAxMjcxMjEwMzBaMIGI\nMQswCQYDVQQGEwJGUjERMA8GA1UECBMIQnJldGFnbmUxDzANBgNVBAcTBlJlbm5l\nczEXMBUGA1UEChMOTXkgQ29tcGFueSBMdGQxGDAWBgNVBAMUD0ZyYW7nb2lzIFBp\nZ25vbjEiMCAGCSqGSIb3DQEJARYTZnBpZ25vbkBob3RtYWlsLmNvbTCBnzANBgkq\nhkiG9w0BAQEFAAOBjQAwgYkCgYEAt7wimDsCaynG4LkOqAMmw/IGux4VjnuR854/\nk3uEi9/0JpuIstl/ZapSRbQGXqEVUczgxreV3WzRkKygGL+v11JZKaHERmuclFF3\n5+HnxGFm94OjAP2ruYvu/hSoToZXubABIdGvvTXvdGOebKdeGgGM6WmzWOxFyQ4y\niJTVbwMCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBNAgaR2N1ehIrDv8hpypd4Q9aQ\n0fycSwHPbJbxRCifHw1i28QAOGy8fen7TNhc6haTwUG2TctxyguhxylqnG/qiOvy\nrfwOPF175DIVueM7hE73+x0eflCziL1QDPOEDPSOY5IDIJMpUX+6Haxy6l3N3JQq\nGvheL/tRVr3eYH6yQA==\n-----END
CERTIFICATE-----\n"
SSL_CLIENT_I_DN="/C=FR/ST=IDF/L=Paris/O=Certification Authority, Inc/OU=Client certification
authority/CN=Client CA/Email=client_ca@ca.com"

If you have a look at the two variables, SSL_CLIENT_CERT exported by mod_ssl and HTTP_SSL_CLIENT_CERT
exported by mod_headers, they are not exactly identical: HTTP_SSL_CLIENT_CERT is missing the \n,
which must confuse mod_jk.
Nicolas.

	-------- Original message --------
	From: Joe Orton [mailto:jorton@redhat.com]
	Date: Tue. 02/03/2004 12:15
	To: users@httpd.apache.org
	Cc:
	Subject: Re: RE : [users@httpd] RE : [users@httpd] Forwarding client Certficates from mod_ssl to a distant mod_jk through HTTPHeaders.

	Thanks for testing the patch, Nicolas.
	
	On Tue, Mar 02, 2004 at 12:05:12PM +0100, nicolas.villoutreix@accenture.com wrote:
	> I have just a small problem remaining, I do get the client certificate as an environment variable from the RequestHeader:
	> HTTP_SSL_CLIENT_CERT="-----BEGIN CERTIFICATE----- MIICqTCCAhICAQIwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAkZSMQwwCgYD
VQQ
	> 
	> But mod_jk expects an environment variable named SSL_CLIENT_CERT,
	> is there an easy way to rename or create this new variable using the content of the first variable,
	
	Google says you can configure mod_jk to pick up the client cert from a
	different variable, have you tried that: i.e.
	
	  JkCERTSIndicator HTTP_SSL_CLIENT_CERT
	
	> I saw you post another fix: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/metadata/mod_headers.c?r1=1.49&r2=1.50
	> In what way is it better than the first one? Is it because you do not have to tell mod_ssl to export variables?
	
	Yes: there is a lot of overhead when using: "SSLOptions +ExportCertData
	+StdEnvVars" - with the fix I committed, on your proxy you don't need to
	enable those settings, just use %{...}s in the RequestHeader directives
	to pass on the few specific SSL variables from mod_ssl.
	
	Regards,
	
	joe
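
The mismatch shown in the printenv output above (spaces in HTTP_SSL_CLIENT_CERT where SSL_CLIENT_CERT has \n) can be undone on the receiving side. The following is an added example, not code from this thread, mod_jk or mod_ssl; the function names and the sample certificate bytes are constructed for illustration.

```python
import base64
import re

PEM_HEAD = "-----BEGIN CERTIFICATE-----"
PEM_TAIL = "-----END CERTIFICATE-----"
_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def restore_pem(header_value: str) -> str:
    """Rebuild a PEM certificate from a header value whose newlines became spaces."""
    value = header_value.strip()
    if not (value.startswith(PEM_HEAD) and value.endswith(PEM_TAIL)):
        raise ValueError("missing PEM armor")  # e.g. a truncated header value
    body = value[len(PEM_HEAD):-len(PEM_TAIL)]
    # Any whitespace (space, tab, CR, LF) only separated the base64 lines.
    b64 = "".join(body.split())
    if not _B64_RE.fullmatch(b64):
        raise ValueError("non-base64 characters in certificate body")
    der = base64.b64decode(b64, validate=True)  # raises ValueError on bad padding
    if der[0] != 0x30:  # an X.509 certificate in DER starts with a SEQUENCE tag
        raise ValueError("body is not a DER SEQUENCE")
    # Re-wrap at 64 columns, the layout mod_ssl exports in SSL_CLIENT_CERT.
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEAD, *lines, PEM_TAIL]) + "\n"


def sample_pem() -> str:
    """Constructed sample: DER-shaped bytes, not a real certificate."""
    der = b"\x30\x82\x01\x00" + bytes(range(256))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEAD, *lines, PEM_TAIL]) + "\n"


def flatten_like_header(pem: str) -> str:
    """Mimic what the header transport did in the printenv above: \\n becomes a space."""
    return pem.replace("\n", " ")


if __name__ == "__main__":
    flat = flatten_like_header(sample_pem())
    print(restore_pem(flat) == sample_pem())
```

The backend should apply this only to a header set by the trusted front-end proxy, which must overwrite any header of the same name sent by the client.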
	


