tomcat-dev mailing list archives

From GOMEZ Henri <hgo...@slib.fr>
Subject RE: SSL Attributes
Date Mon, 17 Sep 2001 21:40:29 GMT
>> But what did we need to have present in SPEC?
>> client cert and ca cert or only client cert?
>
> *All* certs in the chain are required for authentication. There could be
> several tiers: i.e. CA 1 signs CA 2's cert, then CA 2 signs the
> company cert. I don't know what the specs have to say, and I don't know
> what the impact on the connectors is, but in order for client
> authentication to work correctly, I need the whole chain.

So are you sure we get all the certs from mod_ssl?

We currently use the var SSL_CLIENT_CERT:

If you take a look at the mod_ssl doc you'll see:

http://www.modssl.org/docs/2.8/ssl_reference.html

SSL_CLIENT_CERT         string  PEM-encoded client certificate
SSL_CLIENT_CERT_CHAINn  string  PEM-encoded certificates in client certificate chain

To follow the spec fully we will also have to use
SSL_CLIENT_CERT_CHAINn (n = 0 -> x).

That will be just too many vars (bytes) to send each 
time we forward a request. 

It's something I plan to handle differently in ajp14
(requested from the web-server only if the tomcat/servlet dev needs it),
but for now couldn't we assume we only need
the client cert for strict 2.2 compliance?

Craig just said:

2.2 just says "an array".

2.3 says "The order of this array is defined as being in ascending
order of trust.  The first certificate in the chain is the one set by the
client, the next is the one used to authenticate the first, and so on."

What about?
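As an added example (not code from this thread or from Tomcat's connectors, and written in Go rather than the connector's Java so it runs stand-alone), the following builds a three-tier chain like the one described in the quoted reply (CA 1 signs CA 2, CA 2 signs the client cert), renders it as the mod_ssl variables SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAINn, and assembles them into the array in the 2.3 order: client cert first, each following cert being the one that authenticates the previous one. It assumes that CHAIN0 is the client cert's immediate issuer and that a CHAINn entry repeating the client cert should be dropped; the certificates are constructed in memory and the names issue, BuildChain, VerifyClient and Demo are mine. It also shows why the whole chain matters: with only SSL_CLIENT_CERT, authentication against the root CA fails because CA 2 is missing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: acceptable for an in-memory demo, not for a connector.
func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

// issue creates a cert for cn, self-signed when parent is nil, otherwise signed by parent.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func toPEM(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

func fromPEM(s string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(s))
	if block == nil { return nil, fmt.Errorf("no PEM certificate block") }
	return x509.ParseCertificate(block.Bytes)
}

// BuildChain assembles the javax.servlet.request.X509Certificate array in the 2.3 "ascending
// order of trust": SSL_CLIENT_CERT first, then SSL_CLIENT_CERT_CHAIN0, CHAIN1, ... (assumed to
// hold the issuers nearest-first). A CHAINn entry that repeats the client cert is skipped, and
// every link is checked: chain[i] must be signed by chain[i+1].
func BuildChain(vars map[string]string) ([]*x509.Certificate, error) {
	leaf, err := fromPEM(vars["SSL_CLIENT_CERT"])
	if err != nil {
		return nil, fmt.Errorf("SSL_CLIENT_CERT: %w", err)
	}
	chain := []*x509.Certificate{leaf}
	for n := 0; ; n++ {
		s, ok := vars[fmt.Sprintf("SSL_CLIENT_CERT_CHAIN%d", n)]
		if !ok { break }
		c, err := fromPEM(s)
		if err != nil {
			return nil, fmt.Errorf("SSL_CLIENT_CERT_CHAIN%d: %w", n, err)
		}
		if !c.Equal(leaf) { chain = append(chain, c) }
	}
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return nil, fmt.Errorf("chain[%d] is not signed by chain[%d]: %w", i, i+1, err)
		}
	}
	return chain, nil
}

// VerifyClient validates the array for client authentication against a trusted root, using
// chain[1:] as intermediates; with the client cert alone, CA 2 is missing and it fails.
func VerifyClient(chain []*x509.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain[1:] { inters.AddCert(c) }
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Demo issues CA 1 -> CA 2 -> client (constructed data) and renders the mod_ssl variables.
func Demo() (map[string]string, *x509.Certificate) {
	ca1, ca1Key := issue("CA 1", true, nil, nil)
	ca2, ca2Key := issue("CA 2", true, ca1, ca1Key)
	client, _ := issue("client", false, ca2, ca2Key)
	return map[string]string{"SSL_CLIENT_CERT": toPEM(client),
		"SSL_CLIENT_CERT_CHAIN0": toPEM(ca2), "SSL_CLIENT_CERT_CHAIN1": toPEM(ca1)}, ca1
}

func main() {
	vars, root := Demo()
	chain := must(BuildChain(vars))
	fmt.Println(len(chain), "certs; full chain verifies:", VerifyClient(chain, root) == nil,
		"; client cert alone verifies:", VerifyClient(chain[:1], root) == nil)
}
```

Swapping CHAIN0 and CHAIN1 makes BuildChain fail its link check, which is exactly what the 2.3 wording ("the next is the one used to authenticate the first") lets a servlet rely on; if the connector forwarded the variables in some other order, the array would have to be re-sorted before it is exposed to the application.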
