Hi Bruno,
I finally got the whole cert chain, but the real problem is that
I can't get it through the
request.getAttribute("javax.servlet.request.X509Certificate"), I only
got it using the request.getAttribute("SSL_CLIENT_CERT_CHAIN_n").
I read an e-mail that you stated:
"In Tomcat, I've only managed to get the client certificate and
not the full chain. A quick glance at
apache-tomcat-6.0.14-src/java/org/apache/coyote/ajp/AjpProcessor.java
seems to indicate that only an array of size 1 is created, which would
explain this behaviour. I'm not sure if everything regarding AJP and
X509Certificates happens in this class in Tomcat."
Did you managed to get full cert chain in a X509Certificate array
using request.getAttribute("javax.servlet.request.X509Certificate")?
Other thing that I noticed that you wrote, is that you are able to
get the full cert-chain only the first time the client browser connect
to the server, looking at mod_jk.log seems to be a mod_jk issue, it
happens to me as well.
Best regards,
Rafael
On 2/1/08, Rainer Jung <[EMAIL PROTECTED]> wrote:
> Hi Rafael,
>
> if your certificate chain is to large for the default AJP packet size of
> app. 8KB and you increase via max_packet_size, you need to change your
> Tomcat connector settings as well. See max_packet_size in
>
> http://tomcat.apache.org/connectors-doc/reference/workers.html
>
> Didn't try it myself, let us know if it works.
>
> If you can easily test this with one or few requests, you can set
> JkLogLevel trace and you'll see the complete packet traffic between
> httpd and Tomcat.
>
> Regards,
>
> Rainer
>
> Rafael Rossetto schrieb:
> > Bruno,
> >
> > I tried to change my conf file, the only thing I didn't set before was:
> > - JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT
> >
> > When I set this option the Firefox give me the following error:
> > Request Entity Too Large
> >
> > So I changed the workers.properties to set the max_packet_size
> > bigger. And the Entity Too Large Error stopped.
> >
> > But the thing is, I still don't get the cert chain through the
> > request.getAttribute("javax.servlet.request.X509Certificate").
> >
> > Do you use the request.getAttribute("SSL_CLIENT_CERT") to get the
> > cert chain?
> >
> > Thanks,
> > Rafael
> >
> > On 2/1/08, Bruno Harbulot <[EMAIL PROTECTED]> wrote:
> >> Hi,
> >>
> >> Rafael Rossetto wrote:
> >>> I'm using the JkOptions +ForwardSSLCertChain in httpd.conf. In
> >>> ssl.conf I also use the SSLVerifyClient require(tried optional and
> >>> optional_no_ca), so the client certificate validation in Apache seems
> >>> all right to me. And the SSLOptions is SSLOptions +StdEnvVars
> >>> +ExportCertData.
> >> Just to make sure, do you use 'JkExtractSSL On' as well (it should be on
> >> by default anyway)?
> >>
> >> I generally use this:
> >>
> >> JkExtractSSL On
> >> JkHTTPSIndicator HTTPS
> >> JkSESSIONIndicator SSL_SESSION_ID
> >> JkCIPHERIndicator SSL_CIPHER
> >> JkCERTSIndicator SSL_CLIENT_CERT
> >> JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT
> >> JkOptions +ForwardSSLCertChain
> >>
> >> and this in the relevant VirtualHost:
> >>
> >> SSLEngine on
> >> SSLCertificateFile ...
> >> SSLCertificateKeyFile ...
> >> SSLCACertificatePath ...
> >> SSLCARevocationPath ...
> >> SSLVerifyClient optional
> >> SSLVerifyDepth 5
> >> SSLOptions +ExportCertData +StdEnvVars
> >>
> >>
> >> I get the full chain with this.
> >>
> >> Best wishes,
> >>
> >> Bruno.
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To start a new topic, e-mail: users@tomcat.apache.org
> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> For additional commands, e-mail: [EMAIL PROTECTED]
> >>
> >>
> >
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
