I have a webapp which reads an X.509 client certificate from the standard servlet request attribute: ServletRequest.getAttribute("javax.servlet.request.X509Certificate").

When Tomcat is the HTTPS endpoint, it works like a charm. But when there is an Nginx as the HTTPS endpoint, and Tomcat is configured with HTTP, the certificate (of course) won't be at the attribute unless:

- Nginx is configured to send it through a header, using its variable '$ssl_client_cert' [1]
- The SSL Valve [2] is added to Tomcat (same header as before).

But as a certificate in PEM format, it will contain new lines, and an HTTP header can't be multi-line (header folding is deprecated [3]). And here comes the incompatibility: Nginx replaces new lines with tab characters, but the valve only tries to change white spaces. Shouldn't the SSL Valve be smarter and try to replace one or multiple whitespaces (the regex '\s+')? Or at least, shouldn't the delimiter character be configurable?

Thanks!

[1]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables
[2]: https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/SSLValve.html
[3]: https://tools.ietf.org/html/rfc7230#section-3.2.4

--
Lucas
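The mismatch described in the post, as an added example that is not part of the original message and is not Tomcat's code: a Java comparison of a space-only replacement (modelled on the behaviour the post describes) with a `\s+`-based normalisation of the header value. The class and method names are hypothetical, and the sample body is constructed placeholder data rather than a real certificate.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class PemHeaderNormalizer {
    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    /** Space-only replacement, modelled on what the post says the valve does (assumption). */
    static String spaceOnly(String header) {
        String body = header.substring(BEGIN.length(), header.length() - END.length());
        return BEGIN + body.replace(' ', '\n') + END;
    }

    /** Treats any whitespace run between the markers as a separator and re-wraps at 64 columns. */
    static String anyWhitespace(String header) {
        String h = header.trim();
        if (!h.startsWith(BEGIN) || !h.endsWith(END)) {
            throw new IllegalArgumentException("not a PEM certificate header value");
        }
        String b64 = h.substring(BEGIN.length(), h.length() - END.length()).replaceAll("\\s+", "");
        StringBuilder pem = new StringBuilder(BEGIN).append('\n');
        for (int i = 0; i < b64.length(); i += 64) {
            pem.append(b64, i, Math.min(i + 64, b64.length())).append('\n');
        }
        return pem.append(END).append('\n').toString();
    }

    /** Decodes the PEM body with the strict Base64 decoder, which rejects a leftover tab. */
    static byte[] der(String pem) {
        String p = pem.trim();
        String body = p.substring(BEGIN.length(), p.length() - END.length());
        return Base64.getDecoder().decode(body.replace("\n", ""));
    }

    public static void main(String[] args) {
        // Constructed sample: placeholder bytes, not a real certificate.
        byte[] fake = "constructed placeholder bytes standing in for DER-encoded certificate data"
                .getBytes(StandardCharsets.US_ASCII);
        String b64 = Base64.getEncoder().encodeToString(fake);
        String l1 = b64.substring(0, 64), l2 = b64.substring(64);
        for (String sep : new String[] {" ", "\t", " \t "}) {
            String header = BEGIN + sep + l1 + sep + l2 + sep + END;
            boolean fixed = Arrays.equals(fake, der(anyWhitespace(header)));
            boolean naive;
            try { naive = Arrays.equals(fake, der(spaceOnly(header))); }
            catch (IllegalArgumentException e) { naive = false; } // tab left in the Base64 body
            String shown = sep.replace(" ", "SP").replace("\t", "TAB");
            System.out.printf("sep=%-8s space-only=%-5b any-whitespace=%b%n", shown, naive, fixed);
        }
    }
}
```

Whichever header carries the certificate, the proxy has to overwrite any copy of it supplied by the client, because the application treats its content as the authenticated certificate.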