tomcat-users mailing list archives

From Bruno Harbulot <Bruno.Harbu...@manchester.ac.uk>
Subject Re: Problem with Apache mod_jk + Tomcat/Jboss + Client Certificate Chain
Date Fri, 01 Feb 2008 18:00:34 GMT
Hi,

Rafael Rossetto wrote:
> 
>     I'm using the JkOptions +ForwardSSLCertChain in httpd.conf.  In
> ssl.conf I also use the SSLVerifyClient require (tried optional and
> optional_no_ca), so the client certificate validation in Apache seems
> all right to me. And the SSLOptions is SSLOptions +StdEnvVars
> +ExportCertData.

Just to make sure, do you use 'JkExtractSSL On' as well (it should be on 
by default anyway)?

I generally use this:

JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT
JkEnvVar SSL_CLIENT_CERT   SSL_CLIENT_CERT
JkOptions +ForwardSSLCertChain

and this in the relevant VirtualHost:

         SSLEngine       on
         SSLCertificateFile      ...
         SSLCertificateKeyFile   ...
         SSLCACertificatePath    ...
         SSLCARevocationPath     ...
         SSLVerifyClient         optional
         SSLVerifyDepth          5
         SSLOptions              +ExportCertData +StdEnvVars


I get the full chain with this.

Best wishes,

Bruno.

