tomcat-users mailing list archives

From "Rafael Rossetto" <waterh...@ig.com.br>
Subject Re: Problem with Apache mod_jk + Tomcat/Jboss + Client Certificate Chain
Date Fri, 08 Feb 2008 20:30:17 GMT
Hi Bruno,

     I finally got the whole cert chain, but the real problem is that
I can't get it through the
request.getAttribute("javax.servlet.request.X509Certificate"), I only
got it using the request.getAttribute("SSL_CLIENT_CERT_CHAIN_n").

     I read an e-mail in which you stated:
     "In Tomcat, I've only managed to get the client certificate and
not the full chain. A quick glance at
apache-tomcat-6.0.14-src/java/org/apache/coyote/ajp/AjpProcessor.java
seems to indicate that only an array of size 1 is created, which would
explain this behaviour. I'm not sure if everything regarding AJP and
X509Certificates happens in this class in Tomcat."

    Did you manage to get the full cert chain in an X509Certificate array
using request.getAttribute("javax.servlet.request.X509Certificate")?

    Another thing I noticed that you wrote is that you are able to
get the full cert chain only the first time the client browser connects
to the server; looking at mod_jk.log, it seems to be a mod_jk issue, and it
happens to me as well.

Best regards,
Rafael

On 2/1/08, Rainer Jung <rainer.jung@kippdata.de> wrote:
> Hi Rafael,
>
> if your certificate chain is too large for the default AJP packet size of
> approx. 8 KB and you increase it via max_packet_size, you need to change your
> Tomcat connector settings as well. See max_packet_size in
>
> http://tomcat.apache.org/connectors-doc/reference/workers.html
>
> Didn't try it myself, let us know if it works.
>
> If you can easily test this with one or few requests, you can set
> JkLogLevel trace and you'll see the complete packet traffic between
> httpd and Tomcat.
>
> Regards,
>
> Rainer
>
> Rafael Rossetto schrieb:
> > Bruno,
> >
> >      I tried to change my conf file, the only thing I didn't set before was:
> >     - JkEnvVar SSL_CLIENT_CERT   SSL_CLIENT_CERT
> >
> >     When I set this option, Firefox gives me the following error:
> >     Request Entity Too Large
> >
> >     So I changed the workers.properties to set a bigger max_packet_size,
> > and the Entity Too Large error stopped.
> >
> >     But the thing is, I still don't get the cert chain through the
> > request.getAttribute("javax.servlet.request.X509Certificate").
> >
> >     Do you use the request.getAttribute("SSL_CLIENT_CERT") to get the
> > cert chain?
> >
> > Thanks,
> > Rafael
> >
> > On 2/1/08, Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk> wrote:
> >> Hi,
> >>
> >> Rafael Rossetto wrote:
> >>>     I'm using the JkOptions +ForwardSSLCertChain in httpd.conf. In
> >>> ssl.conf I also use SSLVerifyClient require (tried optional and
> >>> optional_no_ca), so the client certificate validation in Apache seems
> >>> all right to me. And the SSLOptions is SSLOptions +StdEnvVars
> >>> +ExportCertData.
> >> Just to make sure, do you use 'JkExtractSSL On' as well (it should be on
> >> by default anyway)?
> >>
> >> I generally use this:
> >>
> >> JkExtractSSL On
> >> JkHTTPSIndicator HTTPS
> >> JkSESSIONIndicator SSL_SESSION_ID
> >> JkCIPHERIndicator SSL_CIPHER
> >> JkCERTSIndicator SSL_CLIENT_CERT
> >> JkEnvVar SSL_CLIENT_CERT   SSL_CLIENT_CERT
> >> JkOptions +ForwardSSLCertChain
> >>
> >> and this in the relevant VirtualHost:
> >>
> >>          SSLEngine       on
> >>          SSLCertificateFile      ...
> >>          SSLCertificateKeyFile   ...
> >>          SSLCACertificatePath    ...
> >>          SSLCARevocationPath     ...
> >>          SSLVerifyClient         optional
> >>          SSLVerifyDepth          5
> >>          SSLOptions              +ExportCertData +StdEnvVars
> >>
> >>
> >> I get the full chain with this.
> >>
> >> Best wishes,
> >>
> >> Bruno.
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To start a new topic, e-mail: users@tomcat.apache.org
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >
>

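As an added example (not code from this thread, nor from Tomcat or mod_jk), here is a servlet that reads the chain the way the discussion above ends up having to: it takes whatever javax.servlet.request.X509Certificate holds (often just the leaf behind AJP) and tops it up from the per-depth SSL_CLIENT_CERT_CHAIN_n strings that mod_ssl exports with +ExportCertData. Assumptions not shown in the thread: every SSL_CLIENT_CERT_CHAIN_n you want, and SSL_CLIENT_VERIFY, is forwarded with its own "JkEnvVar NAME NAME" line in httpd.conf; the servlet API is the javax.servlet one of the Tomcat 6 era; MAX_DEPTH matches your SSLVerifyDepth; the class and method names are mine.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: collect and re-check the client certificate chain behind
 * httpd + mod_jk.  SSL_CLIENT_CERT_CHAIN_n only exists as a request attribute
 * if httpd.conf forwards it, e.g. "JkEnvVar SSL_CLIENT_CERT_CHAIN_0 SSL_CLIENT_CERT_CHAIN_0"
 * (assumed here, one line per depth, plus SSL_CLIENT_VERIFY).
 */
public class CertChainServlet extends HttpServlet {

    private static final String STD_ATTR = "javax.servlet.request.X509Certificate";
    private static final String CHAIN_PREFIX = "SSL_CLIENT_CERT_CHAIN_";
    private static final int MAX_DEPTH = 5;   // assumption: keep in step with SSLVerifyDepth

    /** Decode one PEM block (the form mod_ssl puts in its env vars) into a certificate. */
    static X509Certificate parsePem(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /** Leaf first, then issuers; duplicates (the leaf may appear twice) are dropped. */
    static List<X509Certificate> chainFromRequest(HttpServletRequest req)
            throws CertificateException {
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        X509Certificate[] std = (X509Certificate[]) req.getAttribute(STD_ATTR);
        if (std != null) {
            for (X509Certificate c : std) addUnique(chain, c);
        }
        if (chain.isEmpty()) {
            Object leaf = req.getAttribute("SSL_CLIENT_CERT");   // needs JkEnvVar SSL_CLIENT_CERT
            if (leaf instanceof String) addUnique(chain, parsePem((String) leaf));
        }
        // AJP may have delivered only the leaf: pull the issuers from mod_ssl's per-depth vars.
        for (int i = 0; i < MAX_DEPTH; i++) {
            Object pem = req.getAttribute(CHAIN_PREFIX + i);
            if (!(pem instanceof String) || ((String) pem).trim().length() == 0) break;
            addUnique(chain, parsePem((String) pem));
        }
        return chain;
    }

    private static void addUnique(List<X509Certificate> chain, X509Certificate c) {
        if (!chain.contains(c)) chain.add(c);   // Certificate.equals() compares encoded bytes
    }

    /**
     * Re-check the links in the application: with SSLVerifyClient optional_no_ca httpd
     * forwards a chain it has not validated, and after AJP the env vars are plain strings.
     * Each certificate must be within its validity period and signed by the next one.
     */
    static boolean linksAreValid(List<X509Certificate> chain) {
        for (int i = 0; i + 1 < chain.size(); i++) {
            X509Certificate subject = chain.get(i), issuer = chain.get(i + 1);
            if (!subject.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                return false;
            }
            try {
                subject.checkValidity();
                subject.verify(issuer.getPublicKey());
            } catch (GeneralSecurityException e) {
                return false;
            }
        }
        return !chain.isEmpty();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            List<X509Certificate> chain = chainFromRequest(req);
            // "SUCCESS" only when httpd itself verified the client against SSLCACertificatePath
            Object verify = req.getAttribute("SSL_CLIENT_VERIFY");
            if (chain.isEmpty() || !linksAreValid(chain) || !"SUCCESS".equals(verify)) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate chain not acceptable");
                return;
            }
            resp.setContentType("text/plain");
            PrintWriter out = resp.getWriter();
            X509Certificate[] std = (X509Certificate[]) req.getAttribute(STD_ATTR);
            out.println("certs in " + STD_ATTR + ": " + (std == null ? 0 : std.length));
            for (int i = 0; i < chain.size(); i++) {
                X509Certificate c = chain.get(i);
                out.println("[" + i + "] subject=" + c.getSubjectX500Principal()
                        + " issuer=" + c.getIssuerX500Principal());
            }
        } catch (CertificateException e) {
            throw new ServletException("cannot decode forwarded client certificate", e);
        }
    }
}
```

Two points worth keeping in mind when using this. First, the signature check only proves that each forwarded certificate was issued by the next one; it does not anchor the last certificate in a trust store, which is why the servlet additionally insists on SSL_CLIENT_VERIFY being "SUCCESS" rather than accepting a chain that httpd passed through under optional_no_ca. Second, Rainer's packet-size remark applies to every PEM string this servlet reads: once the forwarded text no longer fits the default AJP packet, the same value has to be set as worker.<name>.max_packet_size in workers.properties and as packetSize on Tomcat's AJP Connector, otherwise the attributes are truncated or the request is rejected before the servlet sees it.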