tomcat-users mailing list archives

From "Rafael Rossetto" <waterh...@ig.com.br>
Subject Re: Problem with Apache mod_jk + Tomcat/Jboss + Client Certificate Chain
Date Fri, 01 Feb 2008 19:40:44 GMT

Bruno,

     I tried to change my conf file, the only thing I didn't set before was:
    - JkEnvVar SSL_CLIENT_CERT   SSL_CLIENT_CERT

    When I set this option, Firefox gives me the following error:
    Request Entity Too Large

    So I changed the workers.properties to set the max_packet_size
bigger. And the Entity Too Large Error stopped.

    But the thing is, I still don't get the cert chain through the
request.getAttribute("javax.servlet.request.X509Certificate").

    Do you use the request.getAttribute("SSL_CLIENT_CERT") to get the
cert chain?

Thanks,
Rafael

On 2/1/08, Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk> wrote:
> Hi,
>
> Rafael Rossetto wrote:
> >
> >     I'm using the JkOptions +ForwardSSLCertChain in httpd.conf.  In
> > ssl.conf I also use the SSLVerifyClient require (tried optional and
> > optional_no_ca), so the client certificate validation in Apache seems
> > all right to me. And the SSLOptions is SSLOptions +StdEnvVars
> > +ExportCertData.
>
> Just to make sure, do you use 'JkExtractSSL On' as well (it should be on
> by default anyway)?
>
> I generally use this:
>
> JkExtractSSL On
> JkHTTPSIndicator HTTPS
> JkSESSIONIndicator SSL_SESSION_ID
> JkCIPHERIndicator SSL_CIPHER
> JkCERTSIndicator SSL_CLIENT_CERT
> JkEnvVar SSL_CLIENT_CERT   SSL_CLIENT_CERT
> JkOptions +ForwardSSLCertChain
>
> and this in the relevant VirtualHost:
>
>          SSLEngine       on
>          SSLCertificateFile      ...
>          SSLCertificateKeyFile   ...
>          SSLCACertificatePath    ...
>          SSLCARevocationPath     ...
>          SSLVerifyClient         optional
>          SSLVerifyDepth          5
>          SSLOptions              +ExportCertData +StdEnvVars
>
>
> I get the full chain with this.
>
> Best wishes,
>
> Bruno.
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
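
A diagnostic servlet for the question discussed in this thread, added here as an example and not part of either poster's message: it prints what Tomcat actually received in `javax.servlet.request.X509Certificate` and in the `SSL_CLIENT_CERT` attribute forwarded by `JkEnvVar`. The class name `ClientCertChainDump` is hypothetical, and the code assumes the `javax.servlet` API is on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet (class name is an assumption, not from the thread).
public class ClientCertChainDump extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // Standard Servlet API attribute: an X509Certificate[] with the client cert first.
        Object attr = req.getAttribute("javax.servlet.request.X509Certificate");
        if (attr instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) attr;
            out.println("javax.servlet.request.X509Certificate: " + chain.length + " certificate(s)");
            for (int i = 0; i < chain.length; i++) {
                out.println("  [" + i + "] subject=" + chain[i].getSubjectX500Principal().getName());
                out.println("      issuer =" + chain[i].getIssuerX500Principal().getName());
            }
        } else {
            out.println("javax.servlet.request.X509Certificate: not set");
        }

        // Variables forwarded with JkEnvVar arrive as request attributes of the same name.
        // SSL_CLIENT_CERT is the PEM text of the client (leaf) certificate only.
        Object pem = req.getAttribute("SSL_CLIENT_CERT");
        if (pem == null) {
            out.println("SSL_CLIENT_CERT: not set");
            return;
        }
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate leaf = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(pem.toString().getBytes(StandardCharsets.US_ASCII)));
            out.println("SSL_CLIENT_CERT: subject=" + leaf.getSubjectX500Principal().getName());
        } catch (CertificateException e) {
            out.println("SSL_CLIENT_CERT: present but not parseable as PEM: " + e.getMessage());
        }
    }
}
```

A count of 1 on the first line of output means only the leaf certificate reached Tomcat, so the intermediate certificates were not forwarded by the front end.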
