ROFL, that's my bug!

-----Original Message-----
From: Bill Barker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2003 11:48 PM
To: [EMAIL PROTECTED]
Subject: Re: achieving a clients (browsers) certificate in a webapp



"Karli Christoph (CSE)" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> we have the ssl-configuration in the file ssl.conf which gets
> included by httpd.conf.
>
> it tells me that the Jk* - entries aren't supposed to be at this
> place.. ?
>
> and if i enter the line
> > SSLVerifyClient require  (or optional)
>

This is the part you were missing.  Unfortunately, the handling of Client
certs in the Jk-Coyote connector is broken in 4.1.24 (see
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15790).

> ..i get an empty page in my browser.. (ajp13 problem?)
>
> it really seems like this is a configuration-war..
>
> i think during the ssl-handshaking of apache and the client-browser,
> apache doesn't ask for the client-certificate (which is in fact
> optional)
>
> hmm.. anyone wanna give another shot?
>
>
> -----Original Message-----
> From: Jay Garala [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 22 July 2003 18:11
> To: 'Tomcat Users List'
> Subject: RE: achieving a clients (browsers) certificate in a webapp
>
>
> Oh I've done this before!!!
>
> In your SSL section in httpd.conf
>
>
> # Change accordingly
> #    SSLVerifyClient require
> #    SSLVerifyDepth 1
> ##    SSLOptions +StdEnvVars +ExportCertData
> #
> ##
> # JkOptions +ForwardKeySize +ForwardURICompat
> ## JkExtractSSL On
> # JkHTTPSIndicator HTTPS
> ### JkSESSIONIndicator SSL_SESSION_ID
> # JkCIPHERIndicator SSL_CIPHER
> # JkCERTSIndicator SSL_CLIENT_CERT
> # NEED THIS
> # JkEnvVar SSL_CLIENT_CERT   SSL_CLIENT_CERT
>
> then in ur Servlet do:
>
> import java.io.ByteArrayInputStream;
> import java.security.cert.CertificateFactory;
> import java.security.cert.X509Certificate;
>
> // PEM string that mod_jk forwards when JkEnvVar SSL_CLIENT_CERT is set
> String apacheClientCert = (String) request.getAttribute("SSL_CLIENT_CERT");
> CertificateFactory cf = CertificateFactory.getInstance("X.509");
> String cert = removePEMData(apacheClientCert);   // strip the PEM armour
> sun.misc.BASE64Decoder dec = new sun.misc.BASE64Decoder();
> byte[] bcert = dec.decodeBuffer(cert);           // base64 -> DER bytes
> ByteArrayInputStream bais = new ByteArrayInputStream(bcert);
> X509Certificate x509 = (X509Certificate) cf.generateCertificate(bais);
> bais.close();
>
> ... Now you got your Client cert... if you want the server cert
> add JkEnvVar SSL_SERVER_CERT SSL_SERVER_CERT in httpd and mirror changes
> in servlet
>
>  public String removePEMData(String cert)
>   {
>     String begin = "-----BEGIN CERTIFICATE-----";
>     String end = "-----END CERTIFICATE-----";
>     if (cert == null)                 // no client cert was forwarded
>       return null;
>     int s = cert.indexOf(begin);
>     int e = cert.indexOf(end, s + begin.length());   // look for END after BEGIN
>     if (s >= 0 && e >= 0)             // keep only the base64 body between the markers
>       cert = cert.substring(s + begin.length(), e);
>     return cert;
>   }
>
> -----Original Message-----
> From: Karli Christoph (CSE) [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 22, 2003 11:53 AM
> To: 'Tomcat Users List'
> Subject: RE: achieving a clients (browsers) certificate in a webapp
>
>
> that's the point..
>
> with the following code
>
> import java.util.Enumeration;
> import java.security.cert.X509Certificate;
>
> String certAttribute = "javax.servlet.request.X509Certificate";
> X509Certificate certificate[] = (X509Certificate[]) request.getAttribute(certAttribute);
>
> // list every attribute the connector actually forwarded
> for (Enumeration e = request.getAttributeNames(); e.hasMoreElements();) {
>   System.out.println("attribute: " + e.nextElement());
> }
>
>
>
> we just can achieve the following attributes:
>
> attribute: javax.servlet.include.servlet_path
> attribute: javax.servlet.include.context_path
> attribute: javax.servlet.request.cipher_suite
> attribute: javax.servlet.request.key_size
> attribute: javax.servlet.include.request_uri
>
> any other ideas?
>
>
> -----Original Message-----
> From: Bodycombe, Andrew [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 22 July 2003 17:39
> To: 'Tomcat Users List'
> Subject: RE: achieving a clients (browsers) certificate in a webapp
>
>
> The 'javax.servlet.request.X509Certificate' request property will give you
> the client certificate chain. It contains an array of
> java.security.cert.X509Certificate Objects. Element [0] is the client
> certificate, Element [1] is the CA for the client certificate etc.
>
>
>
> -----Original Message-----
> From: Karli Christoph (CSE) [mailto:[EMAIL PROTECTED]
> Sent: 22 July 2003 16:04
> To: 'Tomcat Users List'
> Subject: achieving a clients (browsers) certificate in a webapp
>
>
> now this seems like a big task!
>
> we've been trying to achieve a client's certificate from the
> request-object, which failed because there is no parameter for
> achieving the x509Certificate installed in the browser of the client
> out of the request-object (javax.servlet.ServletRequest).
>
> the certification of the server works fine, except the fact that the
> server-name on the certificate doesn't match the actual server-name of
> the webserver (we're about to change the server-name)
>
> anyway, we've spent the whole day - but we had no chance to figure out
> where the problem's hidden.
>
> what we use:
> jdk 1.3
> apache 2.0.45 with openssl
> tomcat 4.1.24
> mod_jk connector
>
>
> other hint:
>  - https connection works on the webapp
>
>
> important parts of the configuration files:
>
> ******* configuration of ssl.conf looks like this:
> <IfDefine SSL>
> Listen 443
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl    .crl
>
> SSLPassPhraseDialog  builtin
>
> SSLSessionCache         dbm:logs/ssl_scache
> SSLSessionCacheTimeout  300
>
> SSLMutex  file:logs/ssl_mutex
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
>
> <VirtualHost _default_:443>
> DocumentRoot "/opt/httpd-2.0.45/htdocs"
> #ServerName new.host.name:443
> ServerName servername.is.ok:443
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog logs/error_log
> TransferLog logs/access_log
>
> #   SSL Engine Switch:
> #   Enable/Disable SSL for this virtual host.
> SSLEngine on
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> SSLCertificateFile /opt/httpd-2.0.45/conf/ssl.crt/server.crt
>
> SSLCertificateKeyFile /opt/httpd-2.0.45/conf/ssl.key/server.key
>
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>     SSLOptions +StdEnvVars
> </Files>
> <Directory "/opt/httpd-2.0.45/cgi-bin">
>     SSLOptions +StdEnvVars
> </Directory>
>
> SetEnvIf User-Agent ".*MSIE.*" \
>          nokeepalive ssl-unclean-shutdown \
>          downgrade-1.0 force-response-1.0
>
> CustomLog logs/ssl_request_log \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
> </IfDefine>
>
>
> ******* configuration of httpd.conf looks like this:
> ...
> #
> # Bring in additional module-specific configurations
> #
> <IfModule mod_ssl.c>
>     Include conf/ssl.conf
> </IfModule>
> ...
>
> JkWorkersFile /opt/jakarta/conf/jk/workers.properties
> JkLogFile /opt/jakarta/logs/mod_jk.log
>
> JkLogLevel debug
>
> JkMount /examples ajp13
> JkMount /examples/* ajp13
> ...
>
>
> ******* configuration of server.xml looks like this:
> ...
>     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8443" minProcessors="5" maxProcessors="75"
>                enableLookups="true"
>        acceptCount="10" debug="0" scheme="https" secure="true"
>                useURIValidationHack="false">
>       <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>                clientAuth="false" protocol="TLS"
>                keystoreFile=".keystore" keystorePass="xxxxx" />
>     </Connector>
>
>     <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8009" minProcessors="5" maxProcessors="75"
>                enableLookups="true" redirectPort="8443"
>                acceptCount="10" debug="0" connectionTimeout="0"
>                useURIValidationHack="false"
>                protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
> ...
>
> ******* just anyone?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
