tomcat-users mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Problem with Apache mod_jk + Tomcat/Jboss + Client Certificate Chain
Date Fri, 01 Feb 2008 23:20:06 GMT
Hi Rafael,

if your certificate chain is too large for the default AJP packet size of 
approx. 8KB and you increase it via max_packet_size, you need to change your 
Tomcat connector settings as well. See max_packet_size in

http://tomcat.apache.org/connectors-doc/reference/workers.html

Didn't try it myself, let us know if it works.

If you can easily test this with one or few requests, you can set 
JkLogLevel trace and you'll see the complete packet traffic between 
httpd and Tomcat.

Regards,

Rainer
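A small diagnostic servlet, added here as an example that is not part of this thread and not code from Tomcat or mod_jk: it reports whether the full chain reached Tomcat or only the leaf, which is the check to run after raising the packet size on both sides. The setup it assumes is a line such as worker.ajp13.max_packet_size=65536 in workers.properties and a matching packetSize="65536" attribute on the AJP <Connector> in Tomcat's server.xml (the worker name ajp13 and the value 65536 are placeholders for your own values), plus the JkExtractSSL/JkEnvVar directives shown further down in this thread. The class name is made up for illustration; the attribute names it reads are the standard Servlet one and the one JkEnvVar forwards.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * CertChainCheckServlet (hypothetical name): dumps what arrived over AJP so
 * a packet-size mismatch or a missing Jk*Indicator directive can be told apart.
 * Expected pairing (assumed values):
 *   workers.properties : worker.ajp13.max_packet_size=65536
 *   server.xml         : <Connector protocol="AJP/1.3" port="8009" packetSize="65536" .../>
 * If the two differ, a chain larger than the smaller value never reaches
 * this servlet and the attribute below stays null.
 */
public class CertChainCheckServlet extends HttpServlet {

    // Set by Tomcat from the mod_jk SSL_CLIENT_CERT / ForwardSSLCertChain data.
    private static final String CHAIN_ATTR = "javax.servlet.request.X509Certificate";
    // Only present if httpd.conf has "JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT".
    private static final String PEM_ATTR = "SSL_CLIENT_CERT";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        out.println("secure=" + req.isSecure() + " scheme=" + req.getScheme());

        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CHAIN_ATTR);
        if (chain == null) {
            // Either no client cert was presented, JkExtractSSL is off, or the
            // AJP packet was too small and the chain was dropped on the way.
            out.println(CHAIN_ATTR + ": absent");
        } else {
            // Length 1 means only the leaf came through; with
            // +ForwardSSLCertChain and a large enough packet the intermediates
            // (and possibly the root) follow the leaf in this array.
            out.println(CHAIN_ATTR + ": " + chain.length + " certificate(s)");
            for (int i = 0; i < chain.length; i++) {
                out.println("  [" + i + "] subject=" + chain[i].getSubjectX500Principal()
                        + " issuer=" + chain[i].getIssuerX500Principal()
                        + " notAfter=" + chain[i].getNotAfter());
            }
        }

        // The raw PEM as Apache exported it; useful for comparing byte counts
        // against the packet size when the parsed chain above is short or null.
        Object pem = req.getAttribute(PEM_ATTR);
        if (pem == null) {
            out.println(PEM_ATTR + ": absent");
        } else {
            out.println(PEM_ATTR + ": " + pem.toString().length() + " characters");
        }
    }
}
```

Map the servlet to a test URL in web.xml, request it once with the client certificate installed in the browser, and compare the reported chain length and PEM size with what openssl shows for the same certificate; a JkLogLevel trace run in httpd alongside shows the corresponding AJP packets.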

Rafael Rossetto schrieb:
> Bruno,
> 
>      I tried to change my conf file; the only thing I didn't set before was:
>     - JkEnvVar SSL_CLIENT_CERT   SSL_CLIENT_CERT
> 
>     When I set this option, Firefox gives me the following error:
>     Request Entity Too Large
> 
>     So I changed workers.properties to set a bigger max_packet_size,
> and the Entity Too Large error stopped.
> 
>     But the thing is, I still don't get the cert chain through the
> request.getAttribute("javax.servlet.request.X509Certificate").
> 
>     Do you use the request.getAttribute("SSL_CLIENT_CERT") to get the
> cert chain?
> 
> Thanks,
> Rafael
> 
> On 2/1/08, Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk> wrote:
>> Hi,
>>
>> Rafael Rossetto wrote:
>>>     I'm using JkOptions +ForwardSSLCertChain in httpd.conf. In
>>> ssl.conf I also use SSLVerifyClient require (tried optional and
>>> optional_no_ca), so the client certificate validation in Apache seems
>>> all right to me. And the SSLOptions line is SSLOptions +StdEnvVars
>>> +ExportCertData.
>> Just to make sure, do you use 'JkExtractSSL On' as well (it should be on
>> by default anyway)?
>>
>> I generally use this:
>>
>> JkExtractSSL On
>> JkHTTPSIndicator HTTPS
>> JkSESSIONIndicator SSL_SESSION_ID
>> JkCIPHERIndicator SSL_CIPHER
>> JkCERTSIndicator SSL_CLIENT_CERT
>> JkEnvVar SSL_CLIENT_CERT   SSL_CLIENT_CERT
>> JkOptions +ForwardSSLCertChain
>>
>> and this in the relevant VirtualHost:
>>
>>          SSLEngine       on
>>          SSLCertificateFile      ...
>>          SSLCertificateKeyFile   ...
>>          SSLCACertificatePath    ...
>>          SSLCARevocationPath     ...
>>          SSLVerifyClient         optional
>>          SSLVerifyDepth          5
>>          SSLOptions              +ExportCertData +StdEnvVars
>>
>>
>> I get the full chain with this.
>>
>> Best wishes,
>>
>> Bruno.
>>
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
> 
