On 20.11.2009 18:08, Christopher Schultz wrote:
> Rainer,
> 
> On 11/20/2009 11:51 AM, Rainer Jung wrote:
>> On 20.11.2009 17:20, Christopher Schultz wrote:
>>> If you continue reading, you can see that mod_jk sends at least part of
>>> the first certificate. I seem to recall that mod_jk in debug mode only
>>> logs part of the request, so it's possible that more information is
>>> being sent than is being logged, so I can't tell if everything gets sent.
> 
>> Quick partial answer before I read and understand everything: mod_jk
>> will log full packets with JkLogLevel trace. Debug truncates the logged
>> data.
> 
> Okay, that sounded familiar. I'll turn on trace and get my eyes ready
> for a long day :)
> 
> In the meantime, it does look like mod_jk intends to send the whole
> certificate chain over to Tomcat. Am I doing this right?

I would say yes. What I'm not so sure about is the root certificate. The
root should be owned by the web server, otherwise the whole validation
is useless. So I don't know whether all certs including the root should
be forwarded, or only all except the root.

The httpd docs page

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

contains a table of env vars at the beginning, and under the table it
explains how the vars are named in case of a whole cert chain for
clients. You can log those env vars in the access log using the %{xxx}e
notation (xxx being the name of the var) to check whether httpd shows
all of the chain, or only all except the root. I can try to dig into
httpd code to understand it as well.

In case the root isn't provided and forwarded, we can either check how
to forward it with tricks, or you would need to provide it independently
on Tomcat.

Why you do not get a chain and instead only one cert is still open.

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
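The access-log check Rainer describes, written out as an httpd configuration fragment. This is an added example, not configuration from the thread or from the httpd/mod_jk projects; the CA file path and log file name are placeholders, and whether the root certificate shows up in the chain variables is exactly what the log is meant to reveal, not something this fragment decides.

```apache
# Added example: make the client certificate chain observable in the httpd
# access log so one can see which certs (root included or not) mod_ssl
# exposes and hence what mod_jk can forward to Tomcat.

SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 3
# Placeholder path: the CA bundle that client certs are verified against.
SSLCACertificateFile /etc/httpd/ssl/client-ca-bundle.pem

# SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAIN_n are only populated when
# ExportCertData is enabled; StdEnvVars provides SSL_CLIENT_VERIFY and the DNs.
SSLOptions +StdEnvVars +ExportCertData

# %{VAR}e logs an environment variable. Chain entries are numbered from 0;
# a variable that does not exist is logged as "-", so a "-" in chain1 while
# chain0 is set tells you how long the exported chain really is.
LogFormat "%h %t \"%r\" %>s verify=%{SSL_CLIENT_VERIFY}e subject=\"%{SSL_CLIENT_S_DN}e\" issuer=\"%{SSL_CLIENT_I_DN}e\" chain0=\"%{SSL_CLIENT_CERT_CHAIN_0}e\" chain1=\"%{SSL_CLIENT_CERT_CHAIN_1}e\" chain2=\"%{SSL_CLIENT_CERT_CHAIN_2}e\"" certchain
# PEM blobs make these entries large; keep them out of the regular access log.
CustomLog logs/ssl_certchain_log certchain

# mod_jk side: ask it to forward the chain, not just the leaf, to Tomcat.
JkOptions +ForwardSSLCertChain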