tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lucas Ventura Carro <useyour.m...@gmail.com>
Subject Passing client certificate through Nginx to Tomcat SSL Valve
Date Thu, 23 Jun 2016 11:51:41 GMT
I have a webapp which reads a X.509 client certificate from the standard
servlet request attribute:
ServletRequest.getAttribute("javax.servlet.request.X509Certificate").
When Tomcat is the HTTPS endpoint, works like a charm.
But when there is a Nginx as the HTTPS endpoint, and Tomcat is configured
with HTTP, the certificate (of course) won't be at the attribute unless:
  - Configured Nginx to send it through a header, using its variable
'$ssl_client_cert' [1]
  - Added to Tomcat the SSL Valve [2] (same header as before).

But as a certificate in PEM format, it will contain new lines, and an HTTP
header can't be multilined (header-folding is deprecated [3]).

And here comes the incompatibility: Nginx replaces new lines with tab
characters, but the valve only try to change white spaces.
Should not be the SSL Valve smarter and try to replace one or multiple
whitespaces (the regex '\s+')? Or at least should be configurable the
delimiter character?

Thanks!

  [1]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables
  [2]:
https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/SSLValve.html
  [3]: https://tools.ietf.org/html/rfc7230#section-3.2.4
--
Lucas

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message