tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Tomcat don't validate Certificate by using mod_proxy_ajp
Date Sat, 29 Jul 2006 23:06:47 GMT
Actually, Tomcat can't validate your client cert with either mod_jk or 
mod_proxy_ajp for the simple reason that the AJP/1.3 protocol only forwards 
the client cert and not the entire chain.  You have to configure certificate 
validation in Httpd.

"Florian Rock" <florianrock@web.de> wrote in message 
news:44CB691D.7040601@web.de...
> Hi,
> tomcat doesn't validate my client certificate when using mod_proxy_ajp:
> my config:
>
>    SSLEngine on
>    SSLCertificateFile /somepath/somecert.crt
>    SSLCertificateKeyFile /somepath/somecert.key
>    SSLVerifyClient optional_no_ca
>    SSLVerifyDepth 0
>    SSLOptions +StdEnvVars +ExportCertData
>
> SSLProxyEngine on
> SSLProxyVerify optional_no_ca
> SSLProxyVerifyDepth 0
> <Location /f00>
>    ProxyPass ajp://127.0.0.1:8009/f00
> </Location>
>
> the certificate is forwarded to my application but tomcat doesn't verify
> it with its truststore.
>
> on mod_jk it works without problems:
> same ssl config and the default JkOptions:
> JkExtractSSL On
> JkHTTPSIndicator HTTPS
> JkSESSIONIndicator SSL_SESSION_ID
> JkCIPHERIndicator SSL_CIPHER
> JkCERTSIndicator SSL_CLIENT_CERT
>
> does someone know what is wrong?
>
> thanks for help
>
> Florian
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
> 
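
The configuration the reply points to, as an added example that is not part of either message: the quoted mod_ssl settings shown beside a variant in which httpd validates the client certificate chain itself before anything is forwarded over AJP. The CA bundle path and the depth value are assumptions; the other paths are the placeholders from the question.

```apache
# Added illustration, not configuration from the thread.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /somepath/somecert.crt
    SSLCertificateKeyFile /somepath/somecert.key

    # As posted in the question (weak): optional_no_ca accepts a client
    # certificate even when it cannot be verified, and a depth of 0 only
    # admits self-signed client certificates.
    #   SSLVerifyClient optional_no_ca
    #   SSLVerifyDepth  0

    # Corrected: httpd sees the full chain during the TLS handshake, so the
    # trust decision is made here. The bundle path is a placeholder for a PEM
    # file holding the CAs that issue your client certificates.
    SSLCACertificateFile /somepath/client-ca-bundle.crt
    SSLVerifyClient require
    # Assumption: client certs are issued by one intermediate under a root.
    SSLVerifyDepth 2

    # Export the already-verified leaf certificate so it is passed over AJP
    # to the application.
    SSLOptions +StdEnvVars +ExportCertData

    # SSLProxyEngine / SSLProxyVerify from the question are left out: they
    # govern httpd's own outgoing TLS connections to https:// backends and
    # do not apply to an ajp:// backend.
    <Location /f00>
        ProxyPass ajp://127.0.0.1:8009/f00
    </Location>
</VirtualHost>
```

With this layout Tomcat relies on httpd's verdict for the forwarded certificate, so the AJP connector should stay reachable only from httpd, as the 127.0.0.1 address in the question already arranges.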



