Bruno,

I tried to change my conf file, the only thing I didn't set before was:

- JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT

When I set this option, Firefox gives me the following error:

Request Entity Too Large

So I changed the workers.properties to set the max_packet_size bigger. And the Entity Too Large Error stopped. But the thing is, I still don't get the cert chain through the request.getAttribute("javax.servlet.request.X509Certificate").

Do you use the request.getAttribute("SSL_CLIENT_CERT") to get the cert chain?

Thanks,
Rafael

On 2/1/08, Bruno Harbulot <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Rafael Rossetto wrote:
> >
> > I'm using the JkOptions +ForwardSSLCertChain in httpd.conf. In
> > ssl.conf I also use the SSLVerifyClient require (tried optional and
> > optional_no_ca), so the client certificate validation in Apache seems
> > all right to me. And the SSLOptions is SSLOptions +StdEnvVars
> > +ExportCertData.
>
> Just to make sure, do you use 'JkExtractSSL On' as well (it should be on
> by default anyway)?
>
> I generally use this:
>
> JkExtractSSL On
> JkHTTPSIndicator HTTPS
> JkSESSIONIndicator SSL_SESSION_ID
> JkCIPHERIndicator SSL_CIPHER
> JkCERTSIndicator SSL_CLIENT_CERT
> JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT
> JkOptions +ForwardSSLCertChain
>
> and this in the relevant VirtualHost:
>
> SSLEngine on
> SSLCertificateFile ...
> SSLCertificateKeyFile ...
> SSLCACertificatePath ...
> SSLCARevocationPath ...
> SSLVerifyClient optional
> SSLVerifyDepth 5
> SSLOptions +ExportCertData +StdEnvVars
>
>
> I get the full chain with this.
>
> Best wishes,
>
> Bruno.
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
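The two lookups discussed in this thread, side by side, as an added example that is not part of either message and not Tomcat's or mod_jk's own code. The class name `ClientCertInspector` and its methods are hypothetical; it assumes the `javax.servlet` API and that `JkEnvVar` exposes `SSL_CLIENT_CERT` to Tomcat as a String request attribute containing PEM text.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical helper (name chosen for this example) to check what mod_jk forwarded. */
public final class ClientCertInspector {

    private ClientCertInspector() {}

    /** Returns the client chain, leaf first, or an empty array if nothing was forwarded. */
    public static X509Certificate[] clientChain(HttpServletRequest request)
            throws CertificateException {
        // Standard servlet attribute: set by the AJP connector from the certificate
        // data mod_jk sends (leaf plus chain when +ForwardSSLCertChain is active).
        Object attr = request.getAttribute("javax.servlet.request.X509Certificate");
        if (attr instanceof X509Certificate[] && ((X509Certificate[]) attr).length > 0) {
            return (X509Certificate[]) attr;
        }
        // Fallback: the JkEnvVar-forwarded variable (assumed to arrive as a String
        // attribute) holds the PEM text of the leaf certificate only.
        Object pem = request.getAttribute("SSL_CLIENT_CERT");
        if (pem instanceof String && !((String) pem).trim().isEmpty()) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            byte[] bytes = ((String) pem).trim().getBytes(StandardCharsets.US_ASCII);
            return new X509Certificate[] {
                (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(bytes))
            };
        }
        return new X509Certificate[0];
    }

    /** One line per certificate, for logging while debugging the Apache/mod_jk setup. */
    public static String describe(X509Certificate[] chain) {
        StringBuilder sb = new StringBuilder("client chain length=" + chain.length);
        for (int i = 0; i < chain.length; i++) {
            sb.append(System.lineSeparator()).append("  [").append(i).append("] subject=")
              .append(chain[i].getSubjectX500Principal().getName())
              .append(" issuer=").append(chain[i].getIssuerX500Principal().getName());
        }
        return sb.toString();
    }
}
```

A chain length of 1 from the fallback branch means only the leaf reached Tomcat. These attributes are only as trustworthy as the AJP connection, so the AJP port should accept connections solely from the Apache front end.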