Message-ID: <41640717.4040001@fujitsu-siemens.com>
Date: Wed, 06 Oct 2004 16:54:15 +0200
From: jean-frederic clere
Reply-To: jfrederic.clere@fujitsu-siemens.com
To: Tomcat Developers List
Subject: Re: Problems with SSL_CLIENT_CERT_CHAIN_n from servlet

Jesús Luna wrote:
> Hi everybody,
> Currently I'm developing a servlet that validates with our OCSP service a
> user certificate received from Apache v1.3.29 (with mod_ssl v2.8.16 and
> ajp13 workers), but the problem is that I need to extract some data about
> the correspondent client certificate chain to build the OCSP request and
> I've not been able to obtain this from Tomcat v4.1.30 (with mod_jk v1.2) all
> under Linux. I'm pretty sure that it's not a configuration problem because
> my servlet is already retrieving additional information from mod_jk (i.e.
> the client certificate, cipher, protocol and other SSL_ environment
> variables from Apache/mod_ssl).

What do you have in httpd.conf?

>
> Anyway, in mod_jk I've tried the following directives:
> JkEnvVar SSL_CLIENT_CERT_CHAIN_0 SSL_CLIENT_CERT_CHAIN_0
> JkEnvVar SSL_CLIENT_CERT_CHAIN_1 SSL_CLIENT_CERT_CHAIN_1
> .
> .
> etc
>
> And then from my Java servlet:
> String chain0 = (String) request.getAttribute("SSL_CLIENT_CERT_CHAIN_0");
> // Also tried it like an X509Certificate object
> // Variable chain0 appears equal to the string "SSL_CLIENT_CERT_CHAIN_0"
>
> X509Certificate[] cert =
>     (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
> // Only getting one certificate in the array, the correspondent to the SSL client
> // No certificates from the chain
>
> Finally, I've been browsing through some emails on this list that talk about
> performance issues with the cert chain extraction so I don't know if this
> feature may be unavailable or something like this.
>
> Thank you in advance for your help, best regards
>
> _______________________
> Jesus Luna Garcia
> CertiVeR (U.E. Funded Project)
> j.luna@certiver.com
> http://www.certiver.com