Hi everybody,
does anybody have an idea why the SSL_CLIENT_CERT data changes during
calls/sessions?
I'm working with 2-way authentication and investigating the SSL_CLIENT_CERT
data.
If the same client (with the same cert) calls twice, I get different info
every time.
The following example servlet demonstrates this
(the same happens using CGI scripts):
//
// getting different client certificates / demo
// with apache 1.3.12, mod_ssl 2.6.4, openssl 0.9.5a, jserv 1.1.2
//
import java.io.*;
import java.util.*;
import java.lang.Long;
import javax.servlet.*;
import javax.servlet.http.*;

public class getClientCert extends HttpServlet {
    static private ServletConfig cfg;

    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        cfg = config;
    }

    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException
    {
        HttpSession session = req.getSession(true);
        String cert;
        // get client certificate
        try {
            // required Apache JServ configuration:
            // ApJServEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT
            cert = req.getAttribute("org.apache.jserv.SSL_CLIENT_CERT").toString();
        } catch (Exception e) {
            // bail out, no SSL info available
            cfg.getServletContext().log(e, "Don't get SSL_CLIENT_CERT");
            return;
        }
        /*
        ** Check if this is the first call of the session
        */
        if (session.isNew()) {
            // save client cert for demo purposes
            session.putValue("cert", cert);
        } else {
            // compare cert with the certificate from the previous call
            if (cert.compareTo((String) session.getValue("cert")) != 0) {
                // got different client cert data
                cfg.getServletContext().log("ERROR: Certificates are not equal");
            } else {
                // OK
                cfg.getServletContext().log("OK: Certificates are equal");
            }
        }
    }
}
The output in the log file:
[12/07/2000 17:01:54:190 GMT+01:00] cd/OK: Certificates are equal
[12/07/2000 17:01:59:014 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:00:326 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:01:284 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:02:296 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:03:304 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:04:331 GMT+01:00] cd/OK: Certificates are equal
[12/07/2000 17:02:05:659 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:06:472 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:07:355 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:08:317 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:09:253 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:10:295 GMT+01:00] cd/OK: Certificates are equal
[12/07/2000 17:02:11:694 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:13:257 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:14:317 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:15:315 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:16:310 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:17:302 GMT+01:00] cd/OK: Certificates are equal
I printed the certificates and checked them with openssl x509 -noout -text -in
...
They only differ in the signature! Why??????
Every fifth call they match! Does that have something to do with CAs?
Thanks for any help
Robert
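
Added example, not part of Robert's post: one way to check which part of two PEM certificates differs, by splitting each DER encoding into the three top-level X.509 fields (tbsCertificate, signatureAlgorithm, signatureValue) and comparing them separately. The sample inputs are constructed certificate-shaped blobs, not real certificates, and all function names are this example's own.

```python
import base64
import re

def pem_to_der(pem):
    """Strip the PEM armor and whitespace, then base64-decode the body."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s+", "", pem))

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def split_certificate(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    parts, pos = {}, 0
    for name in ("tbsCertificate", "signatureAlgorithm", "signatureValue"):
        _, _, end = read_tlv(body, pos)
        parts[name] = body[pos:end]  # keep the whole element, header included
        pos = end
    return parts

def differing_parts(pem_a, pem_b):
    """Names of the top-level certificate fields that are not byte-identical."""
    a, b = split_certificate(pem_to_der(pem_a)), split_certificate(pem_to_der(pem_b))
    return [name for name in a if a[name] != b[name]]

def tlv(tag, value):
    """Build a short-form DER element (sample data only, value < 128 bytes)."""
    return bytes([tag, len(value)]) + value

def sample_pem(sig):
    """Constructed certificate-shaped blob, NOT a real certificate."""
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x0C, b"constructed subject"))
    alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04"))
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + sig))
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(differing_parts(sample_pem(b"A" * 8), sample_pem(b"B" * 8)))
```

If only signatureValue is reported, the signed content (subject, issuer, key, validity) is byte-identical, so comparing or hashing tbsCertificate identifies the client more reliably than comparing the whole PEM string.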