tomcat-users mailing list archives

From Florian Rock <florianr...@web.de>
Subject Re: Tomcat don't validate Certificate by using mod_proxy_ajp
Date Sat, 29 Jul 2006 23:32:46 GMT
OK, I checked my mod_jk config again and you are right: it isn't working.

Thanks for your reply,

florian

Bill Barker wrote:
> Actually, Tomcat can't validate your client cert with either mod_jk or 
> mod_proxy_ajp for the simple reason that the AJP/1.3 protocol only forwards 
> the client cert and not the entire chain.  You have to configure certificate 
> validation in Httpd.
>
> "Florian Rock" <florianrock@web.de> wrote in message 
> news:44CB691D.7040601@web.de...
>   
>> Hi,
>> Tomcat doesn't validate my client certificate when using mod_proxy_ajp:
>> my config:
>>
>>    SSLEngine on
>>    SSLCertificateFile /somepath/somecert.crt
>>    SSLCertificateKeyFile /somepath/somecert.key
>>    SSLVerifyClient optional_no_ca
>>    SSLVerifyDepth 0
>>    SSLOptions +StdEnvVars +ExportCertData
>>
>> SSLProxyEngine on
>> SSLProxyVerify optional_no_ca
>> SSLProxyVerifyDepth 0
>> <Location /f00>
>>    ProxyPass ajp://127.0.0.1:8009/f00
>> </Location>
>>
>> The certificate is forwarded to my application, but Tomcat doesn't verify
>> it with its truststore.
>>
>> With mod_jk it works without problems:
>> same SSL config and the default JkOptions:
>> JkExtractSSL On
>> JkHTTPSIndicator HTTPS
>> JkSESSIONIndicator SSL_SESSION_ID
>> JkCIPHERIndicator SSL_CIPHER
>> JkCERTSIndicator SSL_CLIENT_CERT
>>
>> Does someone know what is wrong?
>>
>> thanks for help
>>
>> Florian
>>
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>>     

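An added example, not part of the thread: the httpd side of Bill Barker's advice, with the posted verification settings shown beside a variant that makes httpd validate the client certificate before the request is handed to AJP. The CA bundle path and the depth value are assumptions; the other paths and the `/f00` mapping are taken from the posted config.

```apache
# As posted: a client certificate is requested, but it never has to verify
# against a CA, so whatever the client presents is exported and forwarded.
#   SSLVerifyClient optional_no_ca
#   SSLVerifyDepth  0

# Validating variant: httpd checks the chain itself and refuses the TLS
# handshake when the client certificate does not verify.
SSLEngine on
SSLCertificateFile    /somepath/somecert.crt
SSLCertificateKeyFile /somepath/somecert.key

# Assumed path: PEM bundle of the CA certificates allowed to issue client certs.
SSLCACertificateFile  /somepath/client-ca.crt
SSLVerifyClient       require
# Assumed depth: allows a root CA plus one intermediate above the client cert.
SSLVerifyDepth        2

# Still export the (now verified) certificate so it is forwarded to Tomcat.
SSLOptions +StdEnvVars +ExportCertData

# The SSLProxyEngine / SSLProxyVerify* lines are left out: they govern httpd
# acting as a TLS client towards https:// backends and do not apply to ajp://.
<Location /f00>
    ProxyPass ajp://127.0.0.1:8009/f00
</Location>
```

With this in place, the certificate Tomcat receives over AJP has already been checked by httpd against the configured CA bundle, so the application only needs to make authorization decisions on its subject.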