Bill, Thanks for your prompt response.
I see that it will be available in Tomcat 6.0.21 onwards. Do you know when it will 
be available for download?

Also, does it resolve the 8k size limit on the AJP connector, or is there a way 
around it?
We are using Soap headers and with cert-chain I am thinking this will be a big 
issue !

Thanks

A t u l



________________________________
From: Bill Barker <billwbar...@verizon.net>
To: users@tomcat.apache.org
Sent: Thursday, August 27, 2009 8:40:14 PM
Subject: Re: Client SSL certificate chain in Tomcat 6 when using AJP


"atul" <techat...@yahoo.com> wrote in message 
news:216148.14679...@web36801.mail.mud.yahoo.com...
> I've a setup where Apache 2.2 is fronting Tomcat 6.0.20. They are talking 
> AJP/1.3 using mod_proxy_ajp.
> I've a URL protected by client SSL. Apache prompts for client certificate 
> and I can get to the cert in my webapp (servlet).
> However, when the cert has intermediate CAs, I still only get the leaf 
> cert and not the cert-chain in my Tomcat webapp!
>
> Could not find a setting on apache (mod_proxy_ajp) to send cert-chain.
> And even if it did, the tomcat code looks like it only wants to get single 
> cert!
> org.apache.jk.core.MsgContext public void action(ActionCode actionCode, 
> Object param) {...
>
>        } else if( actionCode==ActionCode.ACTION_REQ_SSL_ATTRIBUTE ) {
>            Request req=(Request)param;
>
>            // Extract SSL certificate information (if requested)
>            MessageBytes certString = 
> (MessageBytes)req.getNote(WorkerEnv.SSL_CERT_NOTE);
>            if( certString != null && !certString.isNull() ) {
>                ByteChunk certData = certString.getByteChunk();
>                ByteArrayInputStream bais =
>                    new ByteArrayInputStream(certData.getBytes(),
>                                             certData.getStart(),
>                                             certData.getLength());
>
>                // Fill the first element.
>                X509Certificate jsseCerts[] = null;
>                try {
>                    CertificateFactory cf =
>                        CertificateFactory.getInstance("X.509");
>                    X509Certificate cert = (X509Certificate)
>                        cf.generateCertificate(bais);
>                    jsseCerts =  new X509Certificate[1];
>                    jsseCerts[0] = cert;
>                } catch(java.security.cert.CertificateException e) {
>                    log.error("Certificate convertion failed" , e );
>                    return;
>                }
>
>>>> Can possibly change it to something like (assuming the cert-chain gets 
>>>> passed in       WorkerEnv.SSL_CERT_NOTE)
>            Collection <? extends Certificate> certCollection = 
> cf.generateCertificates(bais);
>            X509Certificate [] certs = new 
> X509Certificate[certCollection.size()];
>            int i = 0;
>            for (Certificate cert: certCollection) {
>                certs[i] = (X509Certificate)cert;
>                i++;
>            }
>
>
> I tried it w/ Tomcat 5.5.27 as well with similar result.
> Also, tried with original Java connector 
> org.apache.jk.server.JkCoyoteHandle & the new 
> org.apache.coyote.ajp.AjpProtocol with similar results.
>
> Seems like a bug?? Or am I missing anything?
>

Yes, it's a bug. Specifically 
https://issues.apache.org/bugzilla/show_bug.cgi?id=39637.  With mod_jk, the
"JkOptions     +ForwardSSLCertChain" directive works.  I'm too lazy to see 
if it has been implemented in mod_proxy_ajp.


> Any prompt help is appreciated.
>
>
> Thanks
>
>
> 
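The quoted `action()` code parses exactly one certificate with `generateCertificate`, and the sketched change swaps in `generateCertificates`. The following is an added, standalone example (not Tomcat's code and not from either poster) showing what a complete version of that idea looks like on the servlet side: it assumes the proxy forwards the whole client chain as concatenated PEM (as mod_jk does with `+ForwardSSLCertChain`), parses every certificate in the blob, and then puts the result in the leaf-first order that the `javax.servlet.request.X509Certificate` attribute is expected to hold, checking that each certificate really was signed by the next one rather than trusting DN matches alone. The class name, method names and the file path read in `main` are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

/** Turns a forwarded PEM blob (one or more certificates) into a leaf-first X509Certificate[]. */
public final class ForwardedCertChain {

    private ForwardedCertChain() {}

    /** Parses every certificate in the blob, in the order it appears; empty input gives an empty array. */
    public static X509Certificate[] parseChain(byte[] pem) throws CertificateException {
        if (pem == null || pem.length == 0) {
            return new X509Certificate[0];
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // generateCertificates consumes all PEM/DER certificates in the stream, not just the first.
        Collection<? extends Certificate> parsed =
            cf.generateCertificates(new ByteArrayInputStream(pem));
        List<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : parsed) {
            if (!(c instanceof X509Certificate)) {
                throw new CertificateException("Non-X.509 certificate in forwarded chain");
            }
            certs.add((X509Certificate) c);
        }
        return certs.toArray(new X509Certificate[0]);
    }

    /**
     * Re-orders the chain so the end-entity certificate is first and each following
     * certificate is the issuer of the previous one. Besides matching issuer DN to
     * subject DN, the previous certificate's signature is verified with the candidate
     * issuer's public key, so a blob with a stray or mismatched certificate is rejected.
     * Trust-anchor (PKIX) validation is a separate step and is not done here.
     */
    public static X509Certificate[] orderLeafFirst(X509Certificate[] certs) throws CertificateException {
        if (certs.length <= 1) {
            return certs;
        }
        List<X509Certificate> remaining = new ArrayList<>(Arrays.asList(certs));
        // The leaf is the one certificate whose subject issues no other certificate in the blob.
        X509Certificate leaf = null;
        for (X509Certificate candidate : remaining) {
            boolean issuesAnother = false;
            for (X509Certificate other : remaining) {
                if (other != candidate
                        && other.getIssuerX500Principal().equals(candidate.getSubjectX500Principal())) {
                    issuesAnother = true;
                    break;
                }
            }
            if (!issuesAnother) {
                if (leaf != null) {
                    throw new CertificateException("Forwarded blob holds more than one leaf certificate");
                }
                leaf = candidate;
            }
        }
        if (leaf == null) {
            throw new CertificateException("Forwarded blob holds no leaf certificate (issuer loop)");
        }
        List<X509Certificate> ordered = new ArrayList<>();
        X509Certificate current = leaf;
        while (current != null) {
            ordered.add(current);
            remaining.remove(current);
            X509Certificate issuer = null;
            for (X509Certificate candidate : remaining) {
                if (candidate.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
                    try {
                        current.verify(candidate.getPublicKey()); // DN match alone is not proof of issuance
                        issuer = candidate;
                        break;
                    } catch (GeneralSecurityException e) {
                        throw new CertificateException("Signature of " + current.getSubjectX500Principal()
                            + " does not verify against " + candidate.getSubjectX500Principal(), e);
                    }
                }
            }
            current = issuer;
        }
        if (!remaining.isEmpty()) {
            throw new CertificateException(remaining.size() + " certificate(s) do not chain to the leaf");
        }
        return ordered.toArray(new X509Certificate[0]);
    }

    /** Demo entry point; the PEM file path argument is an assumption of this example. */
    public static void main(String[] args) throws Exception {
        byte[] pem = Files.readAllBytes(Paths.get(args[0]));
        X509Certificate[] chain = orderLeafFirst(parseChain(pem));
        for (int i = 0; i < chain.length; i++) {
            System.out.println(i + ": " + chain[i].getSubjectX500Principal()
                + " (issued by " + chain[i].getIssuerX500Principal() + ")");
        }
    }
}
```

In the quoted `action()` method this would replace the `generateCertificate` / `jsseCerts[0] = cert` block: `parseChain` on the bytes of `WorkerEnv.SSL_CERT_NOTE`, then `orderLeafFirst` before the array is handed to the request. A blob that only ever carries the leaf (the behaviour in the bug report) still works, since a one-element chain is returned unchanged.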



