From: Bruno Harbulot
Date: Fri, 01 Feb 2008 18:00:34 +0000
To: Tomcat Users List
Subject: Re: Problem with Apache mod_jk + Tomcat/Jboss + Client Certificate Chain
Message-ID: <47A35E42.9010708@manchester.ac.uk>

Hi,

Rafael Rossetto wrote:
>
> I'm using the JkOptions +ForwardSSLCertChain in httpd.conf. In
> ssl.conf I also use the SSLVerifyClient require (tried optional and
> optional_no_ca), so the client certificate validation in Apache seems
> all right to me. And the SSLOptions is SSLOptions +StdEnvVars
> +ExportCertData.

Just to make sure, do you use 'JkExtractSSL On' as well (it should be on
by default anyway)?

I generally use this:

    JkExtractSSL On
    JkHTTPSIndicator HTTPS
    JkSESSIONIndicator SSL_SESSION_ID
    JkCIPHERIndicator SSL_CIPHER
    JkCERTSIndicator SSL_CLIENT_CERT
    JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT
    JkOptions +ForwardSSLCertChain

and this in the relevant VirtualHost:

    SSLEngine on
    SSLCertificateFile ...
    SSLCertificateKeyFile ...
    SSLCACertificatePath ...
    SSLCARevocationPath ...
    SSLVerifyClient optional
    SSLVerifyDepth 5
    SSLOptions +ExportCertData +StdEnvVars

I get the full chain with this.

Best wishes,

Bruno.
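
To confirm on the Tomcat side that the whole chain arrives over AJP, a small diagnostic servlet can list what the connector exposes. This is an added example, not code from the thread; the class name is hypothetical, and it assumes the `javax.servlet` API and the standard `javax.servlet.request.X509Certificate` request attribute. It only reports what was forwarded and checks that each certificate is signed by the next one; trust and revocation decisions remain with Apache's `SSLCACertificatePath` and `SSLCARevocationPath`.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet (name is an assumption, not from the thread).
public class ClientCertChainServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // Standard Servlet API attribute: client certificate first, then its issuers.
        X509Certificate[] chain = (X509Certificate[])
                req.getAttribute("javax.servlet.request.X509Certificate");

        // With "SSLVerifyClient optional" a request may carry no certificate at all.
        if (chain == null || chain.length == 0) {
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            out.println("No client certificate was forwarded.");
            return;
        }

        out.println("Certificates received: " + chain.length);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            out.println("[" + i + "] subject: " + cert.getSubjectX500Principal().getName());
            out.println("    issuer:  " + cert.getIssuerX500Principal().getName());

            // Linkage check: each certificate should be signed by the next entry.
            if (i + 1 < chain.length) {
                try {
                    cert.verify(chain[i + 1].getPublicKey());
                    out.println("    signed by [" + (i + 1) + "]: yes");
                } catch (GeneralSecurityException e) {
                    out.println("    signed by [" + (i + 1) + "]: NO (" + e.getMessage() + ")");
                }
            }
        }
    }
}
```

If the output shows a single certificate where a chain is expected, the chain is being lost before it reaches Tomcat rather than inside the application.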