All,

While I believe the answer to my problem lies with Allaire and JRun, I hope that some may find the following tests and configuration files helpful. Of course, if someone sees something wrong, please be sure to let me know! What follows is the e-mail I sent to JRun support with the attached files appended.

Mark
--
Mark Pollard
PanGo Networks, Inc.
http://www.pangonetworks.com

--------------------------------------------------------------

John,

We are having problems accessing SSL information that should be available as simple CGI/header variables (listed at http://www.modssl.org/docs/2.6/ssl_reference.html#ToC25). In particular, our servlet needs to have access to a client's certificate.

We are running: JRun 3.0 under Windows NT 4.0 with Service Pack 6, Apache 1.3.12, OpenSSL 0.9.5a and mod_ssl 2.6.5.

We believe that we have verified this problem in three ways:

(1) Running SnoopServlet from Internet Explorer 5
(2) Connecting to our servlet from IE 5 and attempting to access CGI/header SSL information.
(3) Connecting to our servlet from a Java client using JSSE and attempting to access CGI/header SSL information.

Before I describe these tests, let me note that I've attached our Apache httpd.conf file (notice that 'SSLOptions +StdEnvVars +ExportCertData' is set).

(1) I've attached the output of running:

    https://180.180.180.19/servlet/SnoopServlet

Because we've set Apache to request client certificates ('SSLVerifyClient require'), Apache prompted me for my client certificate when I ran this test. Note that JRun does know the connection is secure (in the output, 'Is Secure' is true). However, none of the CGI/header information has been set. Apache is aware of this information - somehow JRun is not. In the attached Apache custom log (ssl_requests.log), Apache echoes the client certificate that we are interested in. I've also attached Apache's error.log which seems to contain JRun debugging info ('JRunConfig Verbose true').
(2) & (3) both securely access the attached servlet (SecureServletExperiment.java). Again, the CGI/header information does not appear to be set. For completeness, I've attached our Java client (in fact a servlet) that uses JSSE to run SecureServletExperiment.

SUMMARY: I'm hoping that Allaire's JRun Apache connector expert (I did rebuild the connector using -DEAPI) has encountered this problem before and can quickly identify either if this is a bug, or if we are doing something wrong.

httpd.conf (relevant sections)---------------------------------

SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLLog logs/ssl.log
SSLLogLevel info
SSLOptions +StdEnvVars +ExportCertData

<VirtualHost 180.180.180.19:443>
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
SSLVerifyClient require
SSLCACertificateFile conf/ssl.crt/ca-bundle.crt
SSLVerifyDepth 2
</VirtualHost>

CustomLog logs/ssl_requests.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_CERT}x \"%r\" %b"

# JRun Settings
# JRun - Comment out this line to disable DSO (ie you compiled module into your server).
LoadModule jrun_module "F:\Program Files\Allaire\JRun\connectors\apache\intel-win\mod_jrun136.dll"
<IfModule mod_jrun.c>
JRunConfig jrun.rootdir "f:\PROGRA~1\Allaire\JRun"
JRunConfig jvmlist default
JRunConfig Verbose true
JRunConfig ProxyHost 127.0.0.1
JRunConfig ProxyPort 5100
JRunConfig Mappings "F:\Program Files\Allaire\JRun\servers\default\local.properties"
</IfModule>

ssl_requests.log----------------------------------------------

[10/Aug/2000:22:54:12 -0400] 180.180.180.19 SSLv3 EXP1024-RC4-SHA -----BEGIN CERTIFICATE-----
MIID+jCCA2OgAwIBAgIQLqKEN+VNu4R1JWxEVffyajANBgkqhkiG9w0BAQQFADCB
zDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy
dXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9y
eS9SUEEgSW5jb3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1Zl
cmlTaWduIENsYXNzIDEgQ0EgSW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEg
Tm90IFZhbGlkYXRlZDAeFw0wMDA4MTAwMDAwMDBaFw0wMDEwMDkyMzU5NTlaMIIB
CTEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy
dXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9y
eS9SUEEgSW5jb3JwLiBieSBSZWYuLExJQUIuTFREKGMpOTgxHjAcBgNVBAsTFVBl
cnNvbmEgTm90IFZhbGlkYXRlZDEnMCUGA1UECxMeRGlnaXRhbCBJRCBDbGFzcyAx
IC0gTWljcm9zb2Z0MRUwEwYDVQQDFAxNYXJrIFBvbGxhcmQxJTAjBgkqhkiG9w0B
CQEWFm1hcmtAcGFuZ29uZXR3b3Jrcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBAMoI3foBP/ytk95nwPQ9bBrc2Dp3Je1LHzxzbCtL2H/C9T8pGX9UtL9c
ccmPhuIkaAJa5BA3R5zUgwL+d0MhCelioq1YpUEfhtgSEVKYC9SJQOoPQlPHpMOy
+b8M2s8bulSKRQriEnrRNJdcPf7k4TK2J0GyglcbabDwvyH/9agRAgMBAAGjgZww
gZkwCQYDVR0TBAIwADBEBgNVHSAEPTA7MDkGC2CGSAGG+EUBBwEIMCowKAYIKwYB
BQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwEQYJYIZIAYb4QgEB
BAQDAgeAMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwudmVyaXNpZ24uY29t
L2NsYXNzMS5jcmwwDQYJKoZIhvcNAQEEBQADgYEAPpZ2q/i/GuXhpRb+kXAxLyDg
MT+oW1SfXKW0o//p2kmUEeGR6306+HqjwCf+luVTfjxBXNPBpTF/o57+yEJ58mWA
1iu76CkOQBMnnYWUycGqO5i/Ytz60zWi/QqiW4SzP/wsTP46V6of1Mq/kNb0Wm3S
s5DqkKVz6NQ7b4Tap4U=
-----END CERTIFICATE----- "GET /servlet/SnoopServlet HTTP/1.1" 5943
SecureServletExperiment.java----------------------------------

package SSLexperiment;

import java.io.*;
import java.util.*;
import java.security.cert.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class SecureServletExperiment extends HttpServlet {

    private int count;

    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        count = 0;
    } // end of init()

    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        boolean secure = req.isSecure();
        String scheme = req.getScheme();
        int port = req.getServerPort();
        count++;

        res.setContentType("text/plain");
        PrintWriter out = res.getWriter();
        out.println("count = " + count);
        if (secure)
            out.println("Servlet accessed via HTTPS.");
        else
            out.println("Servlet accessed via HTTP.");
        out.println("Scheme: " + scheme);
        out.println("Port: " + port);

        // The servlet API exposes the client's certificate chain (when the
        // container received it from the web server) under this attribute.
        X509Certificate[] certs = (X509Certificate[])
            req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null)
            out.println("no certs for the client of this request.");
        else
            out.println("number of certs for client: " + certs.length);

        // Dump every request header name the container passed through.
        Enumeration headers = req.getHeaderNames();
        while (headers.hasMoreElements()) {
            out.println((String) headers.nextElement());
        }
        out.close();
    } // end of doGet()
} // end of SecureServletExperiment class

UsesSSL.java---------------------------------------------------

package SSLexperiment;

import java.net.*;
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import javax.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.*;
import com.sun.net.ssl.*;

public class UsesSSL extends HttpServlet {

    public void init(ServletConfig config) throws ServletException {
        super.init(config);
    } // end of init()

    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        res.setContentType("text/plain");
        PrintWriter out = res.getWriter();
        out.println("Attempting to make SSL connection to another servlet....");
        System.setProperty("java.protocol.handler.pkgs",
                           "com.sun.net.ssl.internal.www.protocol");
        try {
            SSLSocketFactory factory = null;
            SSLContext context;
            KeyManagerFactory kmFactory;
            KeyStore store;
            char[] passphrase = "password".toCharArray();

            // Load the client certificate and private key from a PKCS#12 file
            // so the JSSE socket can answer Apache's certificate request.
            context = SSLContext.getInstance("SSL");
            kmFactory = KeyManagerFactory.getInstance("SunX509");
            store = KeyStore.getInstance("PKCS12");
            store.load(new FileInputStream(
                "f:\\Program Files\\JavaSoft\\JRE\\1.2\\lib\\security\\test.pfx"),
                passphrase);
            kmFactory.init(store, passphrase);
            context.init(kmFactory.getKeyManagers(), null, null);
            factory = context.getSocketFactory();

            SSLSocket socket = (SSLSocket) factory.createSocket("180.180.180.19", 443);
            out.println(socket.getSession().getCipherSuite());

            // send http request
            // before any application data gets sent or received,
            // ssl socket will do ssl handshaking first to set up
            // the security associates
            PrintWriter SSLout = new PrintWriter(
                new BufferedWriter(
                    new OutputStreamWriter(socket.getOutputStream())));
            SSLout.println("GET http://180.180.180.19/servlet/SSLexperiment.SecureServletExperiment HTTP/1.0");
            SSLout.println();
            SSLout.flush();

            // read response
            BufferedReader in = new BufferedReader(
                new InputStreamReader(socket.getInputStream()));
            String inputLine;
            while ((inputLine = in.readLine()) != null) {
                out.print(" * ");
                out.println(inputLine);
            }
            in.close();
            out.println("Finished with SSL connection to another servlet.");
        } catch (Exception e) {
            out.println(e.getMessage());
            e.printStackTrace(out);
        }
        out.close();
    } // end of doGet()
}

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
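The ssl_requests.log excerpt above is awkward to process with line-oriented tools: %{SSL_CLIENT_CERT}x writes the PEM verbatim, so a single CustomLog entry spans some twenty physical lines, and the entry that is logged shows SSLv3 with an export-grade suite (EXP1024-RC4-SHA). The following is an added example, not code from Mark's post nor part of mod_ssl or JRun, that parses entries in exactly that CustomLog format, decodes the logged certificate to DER, and flags the protocol, cipher and missing-certificate conditions a reviewer would want to see. The sample log text is constructed for the example: its PEM body is a placeholder five-byte DER SEQUENCE rather than a real certificate, and it assumes an unset SSL_CLIENT_CERT appears in the log as "-".

```python
import base64
import re

# Constructed sample (not the page's log) in the CustomLog format quoted in
# the post:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_CERT}x \"%r\" %b"
# %{SSL_CLIENT_CERT}x writes the PEM verbatim, so one entry spans several
# physical lines. The PEM body is a placeholder (base64 of a 5-byte DER
# SEQUENCE), not a real certificate; the second entry assumes an absent
# variable is logged as "-".
SAMPLE_LOG = """\
[10/Aug/2000:22:54:12 -0400] 180.180.180.19 SSLv3 EXP1024-RC4-SHA -----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE----- "GET /servlet/SnoopServlet HTTP/1.1" 5943
[10/Aug/2000:22:55:01 -0400] 180.180.180.20 TLSv1 RC4-SHA - "GET /servlet/SnoopServlet HTTP/1.0" 312
"""

# An entry starts with a bracketed timestamp at the beginning of a line and
# ends with the byte count; DOTALL lets the certificate group span lines.
ENTRY_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'(?P<cert>-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----|-) '
    r'"(?P<request>[^"]*)" (?P<bytes>\S+)$',
    re.MULTILINE | re.DOTALL)

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3")


def pem_to_der(pem):
    """Strip the PEM armour and return the DER bytes, checking that the
    result at least starts with an ASN.1 SEQUENCE tag (0x30)."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("SSL_CLIENT_CERT does not decode to a DER SEQUENCE")
    return der


def parse_log(text):
    """Return one dict per entry; 'cert_der' is None when no cert was logged."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entry = m.groupdict()
        entry["cert_der"] = None if entry["cert"] == "-" else pem_to_der(entry["cert"])
        entries.append(entry)
    return entries


def assess(entry):
    """Findings for one entry: legacy protocol, export-grade ("EXP...")
    cipher suite, and a request logged without a client certificate,
    which should not happen on a vhost with SSLVerifyClient require."""
    findings = []
    if entry["proto"] in LEGACY_PROTOCOLS:
        findings.append("legacy protocol " + entry["proto"])
    if entry["cipher"].startswith("EXP"):
        findings.append("export-grade cipher " + entry["cipher"])
    if entry["cert_der"] is None:
        findings.append("no client certificate logged")
    return findings


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        cert_len = len(entry["cert_der"]) if entry["cert_der"] else 0
        print(entry["time"], entry["host"], entry["proto"], entry["cipher"],
              "cert_der_bytes=%d" % cert_len, entry["request"])
        for finding in assess(entry):
            print("  ! " + finding)
```

Run against a real ssl_requests.log, the DER returned by pem_to_der is what you would hand to a proper X.509 parser to check the subject and chain; the regex only needs the line-start timestamp and the closing byte count to delimit entries, so the multi-line certificate in the middle does not break it.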
