tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 49335] Client certificate not passed to Tomcat
Date Tue, 25 May 2010 08:20:58 GMT

--- Comment #2 from Mark Thomas <> 2010-05-25 04:20:52 EDT ---
(In reply to comment #1)
> Is it reproducible in 7.0 RC3 only, or in 6.0.x as well?
Both. Given that the mod_jk logs showed that no certificate was being sent,
this is expected. 

> Is Tomcat running with 32-bit or 64-bit JRE? Is Tomcat-Native used?
Not relevant. This isn't an AJP connector issue.

> Does this certificate fit into a single AJP packet, along with other request
> headers? Sure that it does fit, because otherwise there must be an error
> logged.
Yes, else a) there would be an error and b) mod_proxy_ajp wouldn't work either.

> What JkOptions directives are used in the configuration?
The bare minimum:
JkWorkersFile    conf/
JkShmFile    logs/mod_jk.shm
JkLogFile    logs/mod_jk.log

Non-SSL requests work without issue.

The relevant parts of the SSL virtual host are:
<Location /bugs-tc5/bug37869.jsp >
    SSLVerifyClient    require

This works:
ProxyPass /bugs-tc5/bug37869.jsp ajp://localhost:8009/bugs-tc5/bug37869.jsp

This fails:
JkMount /bugs-tc5/bug37869.jsp worker1

That JSP is configured on the Tomcat side to require SSL, require a specific
client certificate and to display the DN of the supplied cert.

With mod_proxy_ajp everything works.

With mod_jk no certificate is present in the request received by Tomcat. This
has been verified a) bu reviewing the mod_jk logs, b) debugging Tomcat parsing
the AJP request.

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message