httpd-users mailing list archives

From Haroon Rafique <>
Subject Re: [users@httpd] pass on X509 certificate to reverse-proxy backend
Date Fri, 27 Nov 2009 03:04:45 GMT
On Today at 4:12pm, HR=>Haroon Rafique <> wrote:

HR> [..snip..]
HR>         <Location /rxp>
HR>             Order allow,deny
HR>             Allow from all
HR>             SSLVerifyClient optional
HR>             SSLVerifyDepth 3
HR>             SSLOptions +StdEnvVars +ExportCertData
HR>             # pass-on to proxied internal web application
HR>             RequestHeader set SSL_CLIENT_S_DN       "%{SSL_CLIENT_S_DN}s"
HR>             RequestHeader set SSL_CLIENT_I_DN       "%{SSL_CLIENT_I_DN}s"
HR>             RequestHeader set SSL_SERVER_S_DN_OU    "%{SSL_SERVER_S_DN_OU}s"
HR>             RequestHeader set SSL_CLIENT_VERIFY     "%{SSL_CLIENT_VERIFY}s"
HR>         </Location>
HR> Upon request /rxp, I get the prompt for "Choose a certificate to present as
HR> identification". (I have an eToken "smart card" with a cert inside it).
HR> Hitting OK or Cancel at this point takes me to the requested page (since
HR> client cert is optional).
HR> For further processing, I need to give the backend glassfish server the
HR> ability to extract the X509 certificate from the request. Is that possible?
HR> Typically, on the backend you can use (e.g., java) to extract the certs:
HR> X509Certificate[] certs = (X509Certificate[])
HR> request.getAttribute("javax.servlet.request.X509Certificate");
HR> The problem is that there is no cert in the request (certs is always null).

Thought I would post a follow-up. I got a chance to put a break-point in 
the backend server and it looks like even though the above code returns 
null certs, I do have some information in the request headers (due to the 
RequestHeader set .... lines in httpd.conf). So, it won't be a seamless 
fit right into the security infrastructure of the backend, but I believe I 
can see, e.g., SSL_CLIENT_S_DN, by invoking 
and that should at least get me started on the right track.

Hope this helps someone. If someone has any other ideas, please keep them 

Haroon Rafique
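
The backend side of the header hand-off described above, as an added example that is not part of the thread or of any Apache or Glassfish code (written in Python rather than the Java the backend runs, so it can be exercised stand-alone). It assumes the four RequestHeader lines from the quoted <Location /rxp> block, that mod_ssl reports the verification result in SSL_CLIENT_VERIFY as NONE, SUCCESS, GENEROUS or FAILED:<reason>, and that mod_headers substitutes the literal "(null)" for an SSL variable that has no value (no certificate presented). The sample headers are constructed.

```python
from typing import Dict, Optional

# Strings mod_headers emits when the mod_ssl variable is unset (assumption).
UNSET = {"", "(null)"}


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an OpenSSL one-line DN, e.g. "/C=CA/O=Example/CN=Alice", into its
    attribute components. If an attribute repeats, the later value wins."""
    parts: Dict[str, str] = {}
    for component in dn.lstrip("/").split("/"):
        if "=" in component:
            key, value = component.split("=", 1)
            parts[key.strip()] = value.strip()
    return parts


def client_identity(headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the verified client DN components, or None when the request
    carried no usable certificate.

    Only SSL_CLIENT_VERIFY == "SUCCESS" counts: NONE (user pressed Cancel,
    allowed by SSLVerifyClient optional), GENEROUS and FAILED:* all mean the
    proxy did not establish the identity. Because "RequestHeader set" replaces
    any same-named header the client sent, the values are trustworthy only on
    the connection from the proxy; the backend must not accept them from
    anywhere else.
    """
    if headers.get("SSL_CLIENT_VERIFY", "") != "SUCCESS":
        return None
    dn = headers.get("SSL_CLIENT_S_DN", "")
    if dn in UNSET:
        return None
    return parse_dn(dn)


# Constructed sample headers: a verified smart-card login, a request where the
# user cancelled the certificate prompt, and a certificate that failed to chain.
VERIFIED = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=CA/O=Example/OU=IT/CN=Alice",
    "SSL_CLIENT_I_DN": "/C=CA/O=Example/CN=Example CA",
}
CANCELLED = {"SSL_CLIENT_VERIFY": "NONE", "SSL_CLIENT_S_DN": "(null)",
             "SSL_CLIENT_I_DN": "(null)"}
FAILED = {"SSL_CLIENT_VERIFY": "FAILED:unable to get local issuer certificate",
          "SSL_CLIENT_S_DN": "/CN=unknown"}

if __name__ == "__main__":
    for name, hdrs in (("verified", VERIFIED), ("cancelled", CANCELLED), ("failed", FAILED)):
        print(name, client_identity(hdrs))
```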

The official User-To-User support forum of the Apache HTTP Server Project.