httpd-users mailing list archives

From "Serge Dubrouski" <serge...@gmail.com>
Subject Re: [users@httpd] Proxy SSL and Client Certificates
Date Wed, 27 Sep 2006 02:08:56 GMT
Plus of course SSLOptions +ExportCertsData that exports client
certificate data into env. The question is how to make mod_proxy
send it down to the backend server.

On 9/26/06, Serge Dubrouski <sergeyfd@gmail.com> wrote:
> You aren't quite right. Your statement is right for the encrypting part but
> not for the authenticating part. I.e., the client's key is needed for decrypting
> information, but the client certificate is also needed for authenticating
> the client.
>
> For example, mod_jk, which is used for connecting Apache to Tomcat, has
> the following options for passing SSL data from Apache to Tomcat:
>
> JkExtractSSL On
> # What is the indicator for SSL (default is HTTPS)
> JkHTTPSIndicator HTTPS
> # What is the indicator for SSL session (default is SSL_SESSION_ID)
> JkSESSIONIndicator SSL_SESSION_ID
> # What is the indicator for client SSL cipher suite (default is SSL_CIPHER)
> JkCIPHERIndicator SSL_CIPHER
> # What is the indicator for the client SSL certificates (default is SSL_CLIENT_CERT)
> JkCERTSIndicator SSL_CLIENT_CERT
>
> And Tomcat sees client certificates all right after that. I'm looking
> for that kind of option for mod_proxy.
>
>
> On 9/26/06, Andrew E. White <aewhite@uark.edu> wrote:
> > By nature, certs require a private key to verify them, so if a user is
> > passing through your web server, the client's certificate will do you no
> > good beyond the webserver since the webserver does not have the client's
> > private key.
> >
> > Andrew
> >
> > ----- Original Message -----
> > From: Serge Dubrouski <sergeyfd@gmail.com>
> > Date: Tuesday, September 26, 2006 5:12 pm
> > Subject: [users@httpd] Proxy SSL and Client Certificates
> > To: users@httpd.apache.org
> >
> > > Hello Everyone -
> > >
> > > I have an Apache 2.2.3 server installed with mod_proxy and mod_ssl
> > > configured that I use as a frontend server on the Internet. I also have
> > > an iPlanet backend legacy server that runs one of our custom
> > > applications. That application has embedded authentication based on
> > > client SSL certificates. Now I want to make Apache act as a proxy
> > > server between Internet users and that backend iPlanet server. The
> > > problem here is that I can't make Apache pass the submitted client
> > > certificate down to iPlanet. Does anybody have any idea how to do
> > > that? Simple SSLProxyEngine does not work.
> > >
> > > Thanks.
> > >
> > > Serge.
> > >
> > > --------------------------------------------------------------------
> > > -
> > > The official User-To-User support forum of the Apache HTTP Server
> > > Project.See <URL:http://httpd.apache.org/userslist.html> for more
> > > info.To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > > For additional commands, e-mail: users-help@httpd.apache.org
>
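
Added example, not part of the thread or of the Apache project's own documentation: one way to hand the verified client certificate to a backend behind mod_proxy is to copy it into a request header with mod_headers, since the proxy cannot replay the client's TLS handshake. Host names, file paths and the header names X-Client-Cert and X-Client-Verify are assumptions, and so is a backend application that can be changed to read the certificate from a header.

```apache
# Added example. Host names, paths and header names are assumptions.
<VirtualHost *:443>
    ServerName front.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/front.crt
    SSLCertificateKeyFile /etc/httpd/ssl/front.key

    # Client authentication happens here, at the proxy. The backend only
    # receives the result, so it has to trust this server.
    SSLCACertificateFile /etc/httpd/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Drop any copy of these headers sent by the client, then set them
    # from mod_ssl's own variables (%{VAR}s reads an SSL variable).
    RequestHeader unset X-Client-Cert
    RequestHeader unset X-Client-Verify
    RequestHeader set   X-Client-Cert   "%{SSL_CLIENT_CERT}s"
    RequestHeader set   X-Client-Verify "%{SSL_CLIENT_VERIFY}s"

    # TLS from the proxy to the backend.
    SSLProxyEngine on
    ProxyPass        / https://backend.internal.example/
    ProxyPassReverse / https://backend.internal.example/
</VirtualHost>

# Any other virtual host that can reach the same backend must not let
# client-supplied copies of the headers through. Here plain HTTP is
# redirected instead of proxied, and the headers are removed anyway.
<VirtualHost *:80>
    ServerName front.example.com
    RequestHeader unset X-Client-Cert
    RequestHeader unset X-Client-Verify
    Redirect permanent / https://front.example.com/
</VirtualHost>
```

The backend should accept connections only from the proxy; otherwise anyone who can reach it directly can supply the header themselves.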
