tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: mod_jk & Client SSL Certificates
Date Thu, 22 Oct 2009 21:21:38 GMT

On 10/22/2009 3:22 PM, Rainer Jung wrote:
> Not sure, but here are some steps to close the gap:
> Apache itself should put the cert into a so-called environment variable
> named "SSL_CLIENT_CERT". You can log env vars in the access log by
> adding "%{SSL_CLIENT_CERT}e" to your LogFormat. That way you can first
> check whether the cert data is present in Apache.

Okay, here's what I have for relevant Apache httpd configuration:

SSLEngine on

SSLCipherSuite \

SSLCertificateFile ...
SSLCertificateKeyFile ...

SSLCACertificateFile /path/to/ca.crt
JkOptions +ForwardSSLCertChain

CustomLog /var/log/apache2/wtf.log \
  "%t %h proto=%{SSL_PROTOCOL}x cipher=%{SSL_CIPHER}x cert=%{SSL_CLIENT_CERT}e \"%r\" %b"

<Location /diagnosis/admin/ClientCertInfo.jsp>
  SSLVerifyClient require
  SSLVerifyDepth 1

  JkMount worker3
</Location>

When I request /diagnosis/admin/ClientCertInfo.jsp, I get this message
in my wtf.log file:

[22/Oct/2009:17:13:13 -0400] proto=TLSv1 cipher=DHE-RSA-CAMELLIA256-SHA cert=- "GET /diagnosis/admin/ClientCertInfo.jsp?foo=bar HTTP/1.1" 36

So, it looks like the cert isn't being set in the environment variable.

If I connect using a browser without the client certificate installed (I
have Mozilla set up with the client cert, while MSIE does not have the
client cert), then I get a connection error (stupid MSIE "friendly"
error message).

This leads me to believe that the "SSLVerifyClient require" is having
the desired effect.

Any thoughts as to why the SSL_CLIENT_CERT environment variable is not
being set?

I even tried adding:

  SSLOptions +StdEnvVars

...but that seemed to have no effect.

I'm guessing once I get past this problem, the rest ought to work (also
ducks and runs!).

- -chris
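As an added example (not Chris's or Rainer's configuration), here is the same httpd stanza with the mod_ssl option that actually exports the PEM certificate into SSL_CLIENT_CERT; StdEnvVars alone only exports the parsed fields such as SSL_CLIENT_S_DN, which is why the log still shows cert=-. Certificate paths, log path and the worker name are placeholders.

```apache
# Added example, not from the thread. Paths and worker name are placeholders.
SSLEngine on
SSLCertificateFile    /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
SSLCACertificateFile  /path/to/ca.crt

# %{SSL_CLIENT_CERT}e logs "-" while the variable is unset, so this log line
# shows whether Apache has the cert before mod_jk or Tomcat are involved.
LogFormat "%t %h proto=%{SSL_PROTOCOL}x cipher=%{SSL_CIPHER}x cert=%{SSL_CLIENT_CERT}e \"%r\" %b" certlog
CustomLog /var/log/apache2/wtf.log certlog

# mod_jk forwards the chain (SSL_CLIENT_CERT_CHAIN_n) only when it exists in the env.
JkOptions +ForwardSSLCertChain

<Location /diagnosis/admin/ClientCertInfo.jsp>
  SSLVerifyClient require
  SSLVerifyDepth 1

  # Insufficient on its own: StdEnvVars sets SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY
  # and friends, but never the PEM certificate.
  # SSLOptions +StdEnvVars

  # Corrected: ExportCertData is what populates SSL_CLIENT_CERT (and
  # SSL_CLIENT_CERT_CHAIN_n). mod_jk reads the cert from the variable named by
  # JkCERTSIndicator, which defaults to SSL_CLIENT_CERT. Note the per-request
  # cost: the PEM text is built for every request in this scope.
  SSLOptions +StdEnvVars +ExportCertData

  JkMount worker3
</Location>
```

After a reload, a request with the client cert should log cert=-----BEGIN CERTIFICATE-----... instead of cert=-.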