Re: problems with mod_jk and https requests

2008-03-05 Thread Rafael Rossetto
Eran,

  That's what I meant: add all JkMounts to your ssl VirtualHost.

 Thanks Rainer for the explanation, I think I didn't make myself
clear previously.

Regards,
Rafael

On 3/4/08, Rainer Jung [EMAIL PROTECTED] wrote:
 Rafael Rossetto schrieb:

  Eran,
  
   Ensure that you correctly configured the ssl.conf for the JkMount
   directives.


 ... and also add all JkMounts to your ssl VirtualHost.


  
   Regards,
   Rafael
  
   On 3/4/08, eranc [EMAIL PROTECTED] wrote:
Hi,
  
I have a web application running in tomcat 5.5 and using Apache 2.0 with
mod_jk to forward the requests to tomcat.
Everything is working fine for http requests but not for https requests
which are not forwarded correctly.
When I go to the root of apache or a PHP application that I have 
 installed
there I can access them via https but not those going through mod_jk.
Any ideas?
  
Thanx,
  
Eran


 Rainer


  -
  To start a new topic, e-mail: users@tomcat.apache.org
  To unsubscribe, e-mail: [EMAIL PROTECTED]
  For additional commands, e-mail: [EMAIL PROTECTED]






Re: problems with mod_jk and https requests

2008-03-04 Thread Rafael Rossetto
Eran,

Ensure that you correctly configured the ssl.conf for the JkMount
directives.

Regards,
Rafael

On 3/4/08, eranc [EMAIL PROTECTED] wrote:

  Hi,

  I have a web application running in tomcat 5.5 and using Apache 2.0 with
  mod_jk to forward the requests to tomcat.
  Everything is working fine for http requests but not for https requests
  which are not forwarded correctly.
  When I go to the root of apache or a PHP application that I have installed
  there I can access them via https but not those going through mod_jk.
  Any ideas?

  Thanx,

  Eran








Re: Problem with Apache mod_jk + Tomcat/Jboss + Client Certificate Chain

2008-02-08 Thread Rafael Rossetto
Hi Bruno,

 I finally got the whole cert chain, but the real problem is that
I can't get it through the
request.getAttribute(javax.servlet.request.X509Certificate), I only
got it using the request.getAttribute(SSL_CLIENT_CERT_CHAIN_n).

 I read an e-mail that you stated:
 In Tomcat, I've only managed to get the client certificate and
not the full chain. A quick glance at
apache-tomcat-6.0.14-src/java/org/apache/coyote/ajp/AjpProcessor.java
seems to indicate that only an array of size 1 is created, which would
explain this behaviour. I'm not sure if everything regarding AJP and
X509Certificates happens in this class in Tomcat.

Did you manage to get the full cert chain in an X509Certificate array
using request.getAttribute(javax.servlet.request.X509Certificate)?

Another thing I noticed you wrote is that you are able to get the
full cert chain only the first time the client browser connects to the
server; looking at mod_jk.log, it seems to be a mod_jk issue, and it
happens to me as well.

Best regards,
Rafael

On 2/1/08, Rainer Jung [EMAIL PROTECTED] wrote:
 Hi Rafael,

 if your certificate chain is too large for the default AJP packet size of
 approx. 8KB and you increase it via max_packet_size, you need to change your
 Tomcat connector settings as well. See max_packet_size in

 http://tomcat.apache.org/connectors-doc/reference/workers.html

 Didn't try it myself, let us know if it works.

 If you can easily test this with one or few requests, you can set
 JkLogLevel trace and you'll see the complete packet traffic between
 httpd and Tomcat.

 Regards,

 Rainer

 Rafael Rossetto schrieb:
  Bruno,
 
   I tried to change my conf file, the only thing I didn't set before was:
  - JkEnvVar SSL_CLIENT_CERT   SSL_CLIENT_CERT
 
  When I set this option Firefox gives me the following error:
  Request Entity Too Large
 
  So I changed the workers.properties to set the max_packet_size
  bigger. And the Entity Too Large Error stopped.
 
  But the thing is, I still don't get the cert chain through the
  request.getAttribute(javax.servlet.request.X509Certificate).
 
  Do you use the request.getAttribute(SSL_CLIENT_CERT) to get the
  cert chain?
 
  Thanks,
  Rafael
 
  On 2/1/08, Bruno Harbulot [EMAIL PROTECTED] wrote:
  Hi,
 
  Rafael Rossetto wrote:
  I'm using the  JkOptions +ForwardSSLCertChain in httpd.conf.  In
  ssl.conf I also use the SSLVerifyClient require(tried optional and
  optional_no_ca), so the client certificate validation in Apache seems
  all right to me. And the SSLOptions is SSLOptions +StdEnvVars
  +ExportCertData.
  Just to make sure, do you use 'JkExtractSSL On' as well (it should be on
  by default anyway)?
 
  I generally use this:
 
  JkExtractSSL On
  JkHTTPSIndicator HTTPS
  JkSESSIONIndicator SSL_SESSION_ID
  JkCIPHERIndicator SSL_CIPHER
  JkCERTSIndicator SSL_CLIENT_CERT
  JkEnvVar SSL_CLIENT_CERT   SSL_CLIENT_CERT
  JkOptions +ForwardSSLCertChain
 
  and this in the relevant VirtualHost:
 
   SSLEngine   on
   SSLCertificateFile  ...
   SSLCertificateKeyFile   ...
   SSLCACertificatePath...
   SSLCARevocationPath ...
   SSLVerifyClient optional
   SSLVerifyDepth  5
   SSLOptions  +ExportCertData +StdEnvVars
 
 
  I get the full chain with this.
 
  Best wishes,
 
  Bruno.
 
 
 
 
 
 







Problem with Apache mod_jk + Tomcat/Jboss + Client Certificate Chain

2008-02-01 Thread Rafael Rossetto
Hi,

I am trying to set up an Apache + mod_jk in front of my JBoss (using
Tomcat), to handle the http/https connections, in order to be able to
cluster JBoss. Everything works fine except when I try to validate the
client certificate in my application: I don't get the full Certificate
Chain. Accessing the JBoss directly with the https connector, it works.

   I am trying to use the following code, to figure out what is happening:

    // Certificate chain as Tomcat exposes it to the servlet
    X509Certificate cert[] =
        (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    if (cert != null) {
        log.info("Número de Certificados = " + cert.length);
        for (int i = 0; i < cert.length; i++) {
            log.info(i + " - " + cert[i].getSubjectDN().getName());
        }
    } else {
        log.info("Certificado é nulo!");
    }

   The log is the following:

    #consignacao# INFO  [AppUsuarioPerfilService] Número de Certificados = 1 12:14:57,851 [TP-Processor3]
    #consignacao# INFO  [AppUsuarioPerfilService] 0 - CN=XXX:N, OU=Analista Judiciario, OU=TRT9, OU=Cert-JUS Institucional - A3, OU=Autoridade Certificadora da Justica - AC-JUS, O=ICP-Brasil, C=BR 12:14:57,852 [TP-Processor3]

So instead of the full cert chain(should have 3 certs), I get only
the client cert(only 1 cert).

I'm using the  JkOptions +ForwardSSLCertChain in httpd.conf.  In
ssl.conf I also use the SSLVerifyClient require(tried optional and
optional_no_ca), so the client certificate validation in Apache seems
all right to me. And the SSLOptions is SSLOptions +StdEnvVars
+ExportCertData.

I am using RHEL5 + jboss-4.2.1.GA + httpd-2.2.3-6.el5 +
tomcat-connectors-1.2.26-src (mod_jk). Also tried to use the latest
RHEL5 + httpd (2.2.8) compiled + tomcat (6.0.14) +
tomcat-connectors-1.2.26-src (mod_jk) in another environment, and got
the same results.

I could just leave the CA validation to the Apache, and validate
just the client cert ID in the application, but I already have the
error code in the application, so if I could get the whole cert chain
I would prefer.

   Does anyone know what I am doing wrong?

Thx,
Rafael




Re: Problem with Apache mod_jk + Tomcat/Jboss + Client Certificate Chain

2008-02-01 Thread Rafael Rossetto
Bruno,

 I tried to change my conf file, the only thing I didn't set before was:
- JkEnvVar SSL_CLIENT_CERT   SSL_CLIENT_CERT

When I set this option Firefox gives me the following error:
Request Entity Too Large

So I changed the workers.properties to set the max_packet_size
bigger. And the Entity Too Large Error stopped.

But the thing is, I still don't get the cert chain through the
request.getAttribute(javax.servlet.request.X509Certificate).

Do you use the request.getAttribute(SSL_CLIENT_CERT) to get the
cert chain?

Thanks,
Rafael

On 2/1/08, Bruno Harbulot [EMAIL PROTECTED] wrote:
 Hi,

 Rafael Rossetto wrote:
 
  I'm using the  JkOptions +ForwardSSLCertChain in httpd.conf.  In
  ssl.conf I also use the SSLVerifyClient require(tried optional and
  optional_no_ca), so the client certificate validation in Apache seems
  all right to me. And the SSLOptions is SSLOptions +StdEnvVars
  +ExportCertData.

 Just to make sure, do you use 'JkExtractSSL On' as well (it should be on
 by default anyway)?

 I generally use this:

 JkExtractSSL On
 JkHTTPSIndicator HTTPS
 JkSESSIONIndicator SSL_SESSION_ID
 JkCIPHERIndicator SSL_CIPHER
 JkCERTSIndicator SSL_CLIENT_CERT
 JkEnvVar SSL_CLIENT_CERT   SSL_CLIENT_CERT
 JkOptions +ForwardSSLCertChain

 and this in the relevant VirtualHost:

  SSLEngine   on
  SSLCertificateFile  ...
  SSLCertificateKeyFile   ...
  SSLCACertificatePath...
  SSLCARevocationPath ...
  SSLVerifyClient optional
  SSLVerifyDepth  5
  SSLOptions  +ExportCertData +StdEnvVars


 I get the full chain with this.

 Best wishes,

 Bruno.





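An added example, not code from anyone in this thread, that combines the two approaches discussed: it starts from the javax.servlet.request.X509Certificate array Rafael logged (which may hold only the leaf certificate), tops it up from the SSL_CLIENT_CERT_CHAIN_n request attributes he later found working, and then checks that each certificate is actually signed by the next one so the application can reject an incomplete or mismatched chain. It assumes mod_ssl runs with +ExportCertData as in Bruno's VirtualHost, that each SSL_CLIENT_CERT_CHAIN_n variable is forwarded to Tomcat with its own JkEnvVar line, and the class name ClientChainResolver is hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical helper: collects the client certificate chain as seen behind mod_jk. */
public final class ClientChainResolver {

    private ClientChainResolver() {}

    /** Leaf first, then any chain members forwarded as SSL_CLIENT_CERT_CHAIN_n. */
    public static List<X509Certificate> resolve(HttpServletRequest request)
            throws CertificateException {
        List<X509Certificate> chain = new ArrayList<>();
        Object attr = request.getAttribute("javax.servlet.request.X509Certificate");
        if (attr instanceof X509Certificate[]) {
            for (X509Certificate c : (X509Certificate[]) attr) chain.add(c);
        }
        // Fall back to the PEM values mod_ssl exports with +ExportCertData.
        // Assumption: each one is forwarded with
        // "JkEnvVar SSL_CLIENT_CERT_CHAIN_n SSL_CLIENT_CERT_CHAIN_n" in httpd.conf.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (int n = 0; ; n++) {
            Object pem = request.getAttribute("SSL_CLIENT_CERT_CHAIN_" + n);
            if (!(pem instanceof String) || ((String) pem).isEmpty()) break;
            X509Certificate c = (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(((String) pem).getBytes(StandardCharsets.US_ASCII)));
            if (!chain.contains(c)) chain.add(c); // skip a duplicated leaf
        }
        return chain;
    }

    /** True when the chain is non-empty and each cert is signed by the next one. */
    public static boolean isLinked(List<X509Certificate> chain) {
        for (int i = 0; i + 1 < chain.size(); i++) {
            try {
                chain.get(i).verify(chain.get(i + 1).getPublicKey());
            } catch (Exception e) {
                return false; // signature mismatch or unsupported algorithm
            }
        }
        return !chain.isEmpty();
    }
}
```

isLinked only checks the signature links; trusting the last certificate (the CA) and checking revocation remain the job of Apache's SSLCACertificatePath/SSLCARevocationPath or of a full PKIX validation in the application.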