Hi Bruno,

I finally got the whole cert chain, but the real problem is that I can't get it through request.getAttribute("javax.servlet.request.X509Certificate"); I only got it using request.getAttribute("SSL_CLIENT_CERT_CHAIN_n").

I read an e-mail in which you stated: "In Tomcat, I've only managed to get the client certificate and not the full chain. A quick glance at apache-tomcat-6.0.14-src/java/org/apache/coyote/ajp/AjpProcessor.java seems to indicate that only an array of size 1 is created, which would explain this behaviour. I'm not sure if everything regarding AJP and X509Certificates happens in this class in Tomcat."

Did you manage to get the full cert chain in an X509Certificate array using request.getAttribute("javax.servlet.request.X509Certificate")?

Another thing I noticed that you wrote is that you are able to get the full cert chain only the first time the client browser connects to the server; looking at mod_jk.log it seems to be a mod_jk issue, and it happens to me as well.

Best regards,
Rafael

On 2/1/08, Rainer Jung <[EMAIL PROTECTED]> wrote:
> Hi Rafael,
>
> if your certificate chain is too large for the default AJP packet size of
> app. 8KB and you increase it via max_packet_size, you need to change your
> Tomcat connector settings as well. See max_packet_size in
>
> http://tomcat.apache.org/connectors-doc/reference/workers.html
>
> Didn't try it myself, let us know if it works.
>
> If you can easily test this with one or a few requests, you can set
> JkLogLevel trace and you'll see the complete packet traffic between
> httpd and Tomcat.
>
> Regards,
>
> Rainer
>
> Rafael Rossetto schrieb:
> > Bruno,
> >
> > I tried to change my conf file, the only thing I didn't set before was:
> > - JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT
> >
> > When I set this option Firefox gives me the following error:
> > Request Entity Too Large
> >
> > So I changed the workers.properties to set the max_packet_size
> > bigger, and the Entity Too Large error stopped.
> >
> > But the thing is, I still don't get the cert chain through
> > request.getAttribute("javax.servlet.request.X509Certificate").
> >
> > Do you use request.getAttribute("SSL_CLIENT_CERT") to get the
> > cert chain?
> >
> > Thanks,
> > Rafael
> >
> > On 2/1/08, Bruno Harbulot <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > Rafael Rossetto wrote:
> > > > I'm using the JkOptions +ForwardSSLCertChain in httpd.conf. In
> > > > ssl.conf I also use SSLVerifyClient require (tried optional and
> > > > optional_no_ca), so the client certificate validation in Apache seems
> > > > all right to me. And the SSLOptions is SSLOptions +StdEnvVars
> > > > +ExportCertData.
> > >
> > > Just to make sure, do you use 'JkExtractSSL On' as well (it should be on
> > > by default anyway)?
> > >
> > > I generally use this:
> > >
> > > JkExtractSSL On
> > > JkHTTPSIndicator HTTPS
> > > JkSESSIONIndicator SSL_SESSION_ID
> > > JkCIPHERIndicator SSL_CIPHER
> > > JkCERTSIndicator SSL_CLIENT_CERT
> > > JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT
> > > JkOptions +ForwardSSLCertChain
> > >
> > > and this in the relevant VirtualHost:
> > >
> > > SSLEngine on
> > > SSLCertificateFile ...
> > > SSLCertificateKeyFile ...
> > > SSLCACertificatePath ...
> > > SSLCARevocationPath ...
> > > SSLVerifyClient optional
> > > SSLVerifyDepth 5
> > > SSLOptions +ExportCertData +StdEnvVars
> > >
> > > I get the full chain with this.
> > >
> > > Best wishes,
> > >
> > > Bruno.
> > >
> > > ---------------------------------------------------------------------
> > > To start a new topic, e-mail: users@tomcat.apache.org
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
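The two ways of reading the chain that the thread contrasts, written out as an added example (this is not code from any of the posters, from mod_jk or from Tomcat): a servlet that first asks for the standard javax.servlet.request.X509Certificate attribute and, when the AJP connector delivered only an array of size 1 (the Tomcat 6.0.14 behaviour Bruno describes), completes the chain from the mod_ssl variables that mod_jk forwards with JkEnvVar SSL_CLIENT_CERT and +ForwardSSLCertChain. The class and method names are assumed; the attribute names and the numbering of SSL_CLIENT_CERT_CHAIN_n from 0 follow mod_ssl, and the code assumes mod_jk passes the PEM text through with its line breaks intact. Because a chain rebuilt from separate request attributes is just a list of strings, the example also checks that each certificate really links to the next one before reporting it.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Illustrative servlet (assumed name): leaf from the standard attribute or SSL_CLIENT_CERT,
 *  intermediates from the forwarded SSL_CLIENT_CERT_CHAIN_n variables. */
public class ClientChainServlet extends HttpServlet {

    private static final String STD_ATTR = "javax.servlet.request.X509Certificate";
    private static final String LEAF_ATTR = "SSL_CLIENT_CERT";          // needs JkEnvVar SSL_CLIENT_CERT
    private static final String CHAIN_PREFIX = "SSL_CLIENT_CERT_CHAIN_"; // needs +ForwardSSLCertChain

    /** Leaf first, then intermediates; null when no client certificate was presented. */
    static X509Certificate[] clientChain(HttpServletRequest req) throws CertificateException {
        X509Certificate[] std = (X509Certificate[]) req.getAttribute(STD_ATTR);
        if (std != null && std.length > 1) {
            return std;                              // connector already parsed the whole chain
        }
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        if (std != null && std.length == 1) {
            chain.add(std[0]);                       // leaf only, as with AJP on Tomcat 6.0.14
        } else {
            String leafPem = (String) req.getAttribute(LEAF_ATTR);
            if (leafPem == null) {
                return null;
            }
            chain.add(parsePem(leafPem));
        }
        // mod_ssl numbers the intermediates from 0; stop at the first missing index.
        for (int n = 0; ; n++) {
            String pem = (String) req.getAttribute(CHAIN_PREFIX + n);
            if (pem == null) {
                break;
            }
            X509Certificate c = parsePem(pem);
            if (!c.equals(chain.get(0))) {           // never add the leaf a second time
                chain.add(c);
            }
        }
        return chain.toArray(new X509Certificate[chain.size()]);
    }

    static X509Certificate parsePem(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /** Each certificate must name the next one as issuer and verify under its key.
     *  Trust-anchor and revocation checks stay with httpd (SSLVerifyClient, SSLCARevocationPath). */
    static void checkLinks(X509Certificate[] chain) throws GeneralSecurityException {
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate child = chain[i];
            X509Certificate issuer = chain[i + 1];
            if (!child.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                throw new CertificateException("issuer mismatch at position " + i);
            }
            child.verify(issuer.getPublicKey());     // throws if the signature does not check out
            child.checkValidity();
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            X509Certificate[] chain = clientChain(req);
            if (chain == null) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
                return;
            }
            checkLinks(chain);
            resp.setContentType("text/plain");
            for (int i = 0; i < chain.length; i++) {
                resp.getWriter().println(i + ": " + chain[i].getSubjectX500Principal()
                        + " (issuer " + chain[i].getIssuerX500Principal() + ")");
            }
        } catch (GeneralSecurityException e) {
            throw new ServletException("bad client certificate chain", e);
        }
    }
}
```

Two things go with this. First, the attributes are only as trustworthy as the path between httpd and Tomcat: every SSL_* value arrives as an AJP request attribute, so if the AJP connector is reachable by anything other than httpd a client can supply its own "verified" certificate chain; bind the connector to localhost or firewall it. Second, as Rainer says, a chain that overflows the default 8 KB packet has to be allowed on both sides: raising max_packet_size in workers.properties only helps if the same value is set as packetSize on Tomcat's AJP Connector (maximum 65536), otherwise Tomcat still rejects the oversized packet.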